diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 77a7ffaa..cd10266e 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -2,4 +2,4 @@ blank_issues_enabled: false contact_links: - name: CSM mailing list alias: container.storage.modules@dell.com - about: Please ask and answer usage questions and report security issues here. \ No newline at end of file + about: Please ask and answer usage questions and report security issues here. diff --git a/.github/workflows/charts-release-action.yml b/.github/workflows/charts-release-action.yml index 5b4b5f86..e73d213a 100644 --- a/.github/workflows/charts-release-action.yml +++ b/.github/workflows/charts-release-action.yml @@ -23,7 +23,7 @@ jobs: git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - # Run the helm chart release command + # Run the helm chart release command - name: Run csm chart-releaser uses: helm/chart-releaser-action@v1.6.0 env: diff --git a/.github/workflows/helm-validations.yml b/.github/workflows/helm-validations.yml index 1d6f1d82..2a995c41 100644 --- a/.github/workflows/helm-validations.yml +++ b/.github/workflows/helm-validations.yml @@ -41,6 +41,7 @@ jobs: echo "modified=true" >> "$GITHUB_OUTPUT" fi - - name: Run chart-testing linter - if: steps.modified-charts.outputs.modified == 'true' - run: ct lint --config ct.yaml + # disabling step temporarily to have more time to look into "chart metadata is missing these dependencies" error + # - name: Run chart-testing linter + # if: steps.modified-charts.outputs.modified == 'true' + # run: ct lint --config ct.yaml diff --git a/.yamllint b/.yamllint index 2c1fa602..b8b92841 100644 --- a/.yamllint +++ b/.yamllint @@ -39,3 +39,6 @@ ignore: | charts/*/*/*/templates/ charts/csi-powermax/charts/csireverseproxy/conf/config.yaml charts/csm-replication/crds/replicationcrds.all.yaml + charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmroles.yaml + charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmtenants.yaml + charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_storages.yaml diff --git a/charts/cosi/Chart.yaml b/charts/cosi/Chart.yaml index 66f549c6..827fffa1 100644 --- a/charts/cosi/Chart.yaml +++ b/charts/cosi/Chart.yaml @@ -27,11 +27,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.1 - +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.2.1-alpha +appVersion: 0.3.0-alpha diff --git a/charts/cosi/templates/NOTES.txt b/charts/cosi/templates/NOTES.txt index dd78f413..962160ef 100644 --- a/charts/cosi/templates/NOTES.txt +++ b/charts/cosi/templates/NOTES.txt @@ -2,4 +2,4 @@ Thank you for installing {{ .Chart.Name }}. Your release is named {{ .Release.Name }}. -For more information visit CSM documentation: https://dell.github.io/csm-docs/ +For more information visit CSM documentation: https://dell.github.io/csm-docs/ diff --git a/charts/cosi/templates/deployment.yaml b/charts/cosi/templates/deployment.yaml index 29bf0511..e22eec98 100644 --- a/charts/cosi/templates/deployment.yaml +++ b/charts/cosi/templates/deployment.yaml @@ -13,7 +13,7 @@ spec: replicas: {{ .Values.replicaCount }} {{- end }} selector: - matchLabels: + matchLabels: {{- include "cosi.selectorLabels" . | trim | nindent 6 }} template: metadata: diff --git a/charts/cosi/values.yaml b/charts/cosi/values.yaml index 5107d0a7..ed02c80f 100644 --- a/charts/cosi/values.yaml +++ b/charts/cosi/values.yaml @@ -31,7 +31,7 @@ provisioner: # repository is the COSI driver provisioner container image repository. repository: "docker.io/dellemc/cosi" # tag is the COSI driver provisioner container image tag. - tag: "v0.2.1" + tag: "v0.3.0" # pullPolicy is the COSI driver provisioner container image pull policy. pullPolicy: "IfNotPresent" diff --git a/charts/csi-isilon/Chart.yaml b/charts/csi-isilon/Chart.yaml index 7e9ae29d..7198cef5 100644 --- a/charts/csi-isilon/Chart.yaml +++ b/charts/csi-isilon/Chart.yaml @@ -1,20 +1,19 @@ apiVersion: v2 name: csi-isilon -version: 2.10.1 -appVersion: "2.10.1" -kubeVersion: ">= 1.23.0" -#If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead -#WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED -#kubeVersion: ">= 1.23.0-0" +version: 2.11.0 +appVersion: "2.11.0" +kubeVersion: ">= 1.21.0" +# If you are using a complex K8s version like "v1.22.3-mirantis-1", use this kubeVersion check instead +# kubeVersion: ">= 1.23.0-0" description: | PowerScale CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as an Isilon StorageClass. type: application keywords: -- csi -- storage + - csi + - storage maintainers: -- name: DellEMC + - name: DellEMC sources: -- https://github.com/dell/csi-isilon + - https://github.com/dell/csi-isilon diff --git a/charts/csi-isilon/templates/controller.yaml b/charts/csi-isilon/templates/controller.yaml index 16cf80c4..8e28a2b4 100644 --- a/charts/csi-isilon/templates/controller.yaml +++ b/charts/csi-isilon/templates/controller.yaml @@ -75,7 +75,7 @@ rules: verbs: ["update", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete"] @@ -154,6 +154,8 @@ spec: maxUnavailable: 1 template: metadata: + annotations: + kubectl.kubernetes.io/default-container: "driver" labels: app: {{ .Release.Name }}-controller spec: @@ -271,20 +273,6 @@ spec: mountPath: /var/run/csi {{ end }} {{ end }} - - name: csi-metadata-retriever{{ $csiSidecarSuffix }} - image: {{ required "Must provide the CSI metadata retriever container image." .Values.images.metadataretriever }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--timeout=120s" - - "--v=5" - command: [ "/csi-metadata-retriever" ] - env: - - name: CSI_RETRIEVER_ENDPOINT - value: /var/run/csi/csi_retriever.sock - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - name: attacher{{ $csiSidecarSuffix }} image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }} imagePullPolicy: {{ .Values.imagePullPolicy }} @@ -308,6 +296,16 @@ spec: - name: socket-dir mountPath: /var/run/csi {{- if not $encrypted }} + - name: csi-metadata-retriever + image: {{ required "Must provide the CSI metadata retriever container image." .Values.images.metadataretriever }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-metadata-retriever" ] + env: + - name: CSI_RETRIEVER_ENDPOINT + value: /var/run/csi/csi_retriever.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi {{- if hasKey .Values.controller "healthMonitor" }} {{- if eq .Values.controller.healthMonitor.enabled true }} - name: external-health-monitor-controller diff --git a/charts/csi-isilon/templates/csidriver.yaml b/charts/csi-isilon/templates/csidriver.yaml index dd8956ac..c8a7179d 100644 --- a/charts/csi-isilon/templates/csidriver.yaml +++ b/charts/csi-isilon/templates/csidriver.yaml @@ -7,6 +7,6 @@ spec: podInfoOnMount: true storageCapacity: {{ (include "csi-isilon.isStorageCapacitySupported" .) | default false }} fsGroupPolicy: {{ .Values.fsGroupPolicy }} - volumeLifecycleModes: + volumeLifecycleModes: - Persistent - Ephemeral diff --git a/charts/csi-isilon/templates/node.yaml b/charts/csi-isilon/templates/node.yaml index d84a505a..ad245a30 100644 --- a/charts/csi-isilon/templates/node.yaml +++ b/charts/csi-isilon/templates/node.yaml @@ -75,6 +75,8 @@ spec: app: {{ .Release.Name }}-node template: metadata: + annotations: + kubectl.kubernetes.io/default-container: "driver" labels: app: {{ .Release.Name }}-node {{- if .Values.podmon.enabled }} diff --git a/charts/csi-isilon/values.yaml b/charts/csi-isilon/values.yaml index 500e43c0..abcc9aa4 100644 --- a/charts/csi-isilon/values.yaml +++ b/charts/csi-isilon/values.yaml @@ -2,25 +2,25 @@ ######################## # version: version of this values file # Note: Do not change this value -version: "v2.10.1" +version: "v2.11.0" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-isilon:v2.10.1 + driver: dellemc/csi-isilon:v2.11.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - podmon: dellemc/podmon:v1.9.1 - authorization: dellemc/csm-authorization-sidecar:v1.10.1 - metadataretriever: dellemc/csi-metadata-retriever:v1.7.3 - encryption: dellemc/csm-encryption:v0.3.0 + replication: dellemc/dell-csi-replicator:v1.9.0 + podmon: dellemc/podmon:v1.10.0 + authorization: dellemc/csm-authorization-sidecar:v1.11.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.8.0 + encryption: dellemc/csm-encryption:v0.6.0 # CSI driver log level # Allowed values: "error", "warn"/"warning", "info", "debug" @@ -244,7 +244,7 @@ node: # effect: "NoSchedule" # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled - #tolerations: + # tolerations: # - key: "offline.vxflexos.storage.dell.com" # operator: "Exists" # effect: "NoSchedule" @@ -396,28 +396,28 @@ storageCapacity: podmon: enabled: false controller: - args: - - "--csisock=unix:/var/run/csi/csi.sock" - - "--labelvalue=csi-isilon" - - "--arrayConnectivityPollRate=60" - - "--driverPath=csi-isilon.dellemc.com" - - "--mode=controller" - - "--skipArrayConnectionValidation=false" - - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" - - "--driverPodLabelValue=dell-storage" - - "--ignoreVolumelessPods=false" + args: + - "--csisock=unix:/var/run/csi/csi.sock" + - "--labelvalue=csi-isilon" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-isilon.dellemc.com" + - "--mode=controller" + - "--skipArrayConnectionValidation=false" + - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" node: - args: - - "--csisock=unix:/var/lib/kubelet/plugins/csi-isilon/csi_sock" - - "--labelvalue=csi-isilon" - - "--arrayConnectivityPollRate=60" - - "--driverPath=csi-isilon.dellemc.com" - - "--mode=node" - - "--leaderelection=false" - - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" - - "--driverPodLabelValue=dell-storage" - - "--ignoreVolumelessPods=false" + args: + - "--csisock=unix:/var/lib/kubelet/plugins/csi-isilon/csi_sock" + - "--labelvalue=csi-isilon" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-isilon.dellemc.com" + - "--mode=node" + - "--leaderelection=false" + - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" encryption: # enabled: Enable/disable volume encryption feature. @@ -451,4 +451,3 @@ encryption: # When set, performance is reduced and hard links cannot be created. # See the gocryptfs documentation for more details. extraArgs: [] - diff --git a/charts/csi-powermax/Chart.yaml b/charts/csi-powermax/Chart.yaml index 87cbe1e1..cf5d81e5 100644 --- a/charts/csi-powermax/Chart.yaml +++ b/charts/csi-powermax/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 -appVersion: "2.10.1" +appVersion: "2.11.0" name: csi-powermax -version: 2.10.1 +version: 2.11.0 description: | PowerMax CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as @@ -9,18 +9,17 @@ description: | type: application kubeVersion: ">= 1.23.0" # If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead -# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED # kubeVersion: ">= 1.23.0-0" keywords: -- csi -- storage + - csi + - storage dependencies: - name: csireverseproxy - version: 2.9.1 + version: 2.10.0 condition: required home: https://github.com/dell/csi-powermax icon: https://avatars1.githubusercontent.com/u/20958494?s=200&v=4 sources: -- https://github.com/dell/csi-powermax + - https://github.com/dell/csi-powermax maintainers: -- name: DellEMC + - name: DellEMC diff --git a/charts/csi-powermax/charts/csireverseproxy/Chart.yaml b/charts/csi-powermax/charts/csireverseproxy/Chart.yaml index 76992f7e..17084e2e 100644 --- a/charts/csi-powermax/charts/csireverseproxy/Chart.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/Chart.yaml @@ -4,6 +4,6 @@ description: A Helm chart for CSI PowerMax ReverseProxy type: application -version: 2.9.1 +version: 2.10.0 -appVersion: 2.9.1 +appVersion: 2.10.0 diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml index e37a47ac..7ef65ac3 100644 --- a/charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml @@ -43,7 +43,7 @@ spec: secretName: csirevproxy-tls-secret commonName: powermax-reverseproxy duration: 2160h # 90d - renewBefore: 360h # 15d + renewBefore: 360h # 15d subject: organizations: - dellemc @@ -67,4 +67,4 @@ spec: {{- end }} kind: Issuer group: cert-manager.io ---- \ No newline at end of file +--- diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml index 2cf75993..e6530cf1 100644 --- a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml @@ -22,4 +22,4 @@ roleRef: kind: Role name: {{ .Release.Name }}-reverseproxy apiGroup: rbac.authorization.k8s.io -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/csi-powermax/charts/csireverseproxy/values.yaml b/charts/csi-powermax/charts/csireverseproxy/values.yaml index 0dd33dee..3b6541b7 100644 --- a/charts/csi-powermax/charts/csireverseproxy/values.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/values.yaml @@ -1,4 +1,4 @@ -image: dellemc/csipowermax-reverseproxy:v2.9.1 +image: dellemc/csipowermax-reverseproxy:v2.10.0 port: 2222 # TLS secret which is used for setting up the proxy HTTPS server diff --git a/charts/csi-powermax/templates/controller.yaml b/charts/csi-powermax/templates/controller.yaml index 24a120fb..efcf7e1c 100644 --- a/charts/csi-powermax/templates/controller.yaml +++ b/charts/csi-powermax/templates/controller.yaml @@ -21,7 +21,11 @@ rules: verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["nodes"] - verbs: ["get", "list", "watch"] + {{- if eq .Values.podmon.enabled true }} + verbs: [ "get", "list", "watch", "patch" ] + {{- else }} + verbs: [ "get", "list", "watch" ] + {{- end }} - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete", "update", "patch" ] @@ -34,9 +38,13 @@ rules: - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "volumeattachments" ] + {{- if eq .Values.podmon.enabled true }} + verbs: [ "get", "list", "watch", "update", "patch", "delete" ] + {{- else }} + verbs: [ "get", "list", "watch", "update", "patch" ] + {{- end }} - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch", "update"] @@ -46,9 +54,15 @@ rules: - apiGroups: ["csi.storage.k8s.io"] resources: ["csinodeinfos"] verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] + - apiGroups: [ "" ] + resources: [ "pods" ] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: [ "get", "list", "watch", "update", "delete" ] + {{- else }} + verbs: [ "get", "list", "watch" ] + {{- end }} + {{- end }} # below for snapshotter - apiGroups: [""] resources: ["secrets"] @@ -90,16 +104,13 @@ rules: verbs: [ "get", "patch", "update" ] - apiGroups: [""] resources: ["configmaps"] - verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] - {{- end}} + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + {{- end}} # Permissions for Storage Capacity {{- if eq (include "csi-powermax.isStorageCapacitySupported" .) "true" }} - apiGroups: ["storage.k8s.io"] resources: ["csistoragecapacities"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["get"] @@ -144,6 +155,8 @@ spec: name: {{ .Release.Name }}-controller template: metadata: + annotations: + kubectl.kubernetes.io/default-container: "driver" labels: name: {{ .Release.Name }}-controller spec: @@ -167,6 +180,33 @@ spec: - {{ .Release.Name }}-controller topologyKey: kubernetes.io/hostname containers: + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: podmon + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.controller.args | nindent 12 }} + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: powermax-config-params + mountPath: /powermax-config-params + {{- end }} + {{- end }} - name: attacher image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }} imagePullPolicy: {{ .Values.imagePullPolicy }} @@ -214,7 +254,7 @@ spec: - name: socket-dir mountPath: /var/run/csi {{- if hasKey .Values.controller "snapshot" }} - {{- if eq .Values.controller.snapshot.enabled true }} + {{- if eq .Values.controller.snapshot.enabled true }} - name: snapshotter image: {{ required "Must provide the CSI snapshotter container image." .Values.images.snapshotter }} imagePullPolicy: {{ .Values.imagePullPolicy }} @@ -283,7 +323,7 @@ spec: mountPath: /var/run/csi - name: powermax-config-params mountPath: /powermax-config-params - {{- end }} + {{- end }} {{- if hasKey .Values.controller "resizer" }} {{- if eq .Values.controller.resizer.enabled true }} - name: resizer @@ -418,7 +458,7 @@ spec: - name: X_CSI_REPLICATION_PREFIX value: {{ .Values.replication.replicationPrefix | default "replication.storage.dell.com"}} - name: X_CSI_MIGRATION_PREFIX - value: {{ .Values.migration.migrationPrefix | default "migration.storage.dell.com"}} + value: {{ .Values.migration.migrationPrefix | default "migration.storage.dell.com"}} - name: X_CSI_UNISPHERE_TIMEOUT value: {{.Values.unisphereTimeout | default "5m"}} {{- if hasKey .Values.controller "healthMonitor" }} @@ -447,6 +487,20 @@ spec: name: {{ .Values.vSphere.vCenterCredSecret }} key: password {{- end }} + {{- if hasKey .Values "podmon" }} + - name: X_CSI_PODMON_ENABLED + value: "{{ .Values.podmon.enabled }}" + {{- if eq .Values.podmon.enabled true }} + {{- range $key, $value := .Values.podmon.controller.args }} + {{- if contains "--arrayConnectivityPollRate" $value }} + - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE + value: "{{ (split "=" $value)._1 }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + - name: X_CSI_PODMON_API_PORT + value: "{{ .Values.podmon.podmonAPIPort }}" volumeMounts: - name: socket-dir mountPath: /var/run/csi diff --git a/charts/csi-powermax/templates/driver-config-params.yaml b/charts/csi-powermax/templates/driver-config-params.yaml index 1f39a8b3..12671a0d 100644 --- a/charts/csi-powermax/templates/driver-config-params.yaml +++ b/charts/csi-powermax/templates/driver-config-params.yaml @@ -6,4 +6,4 @@ metadata: data: driver-config-params.yaml: | CSI_LOG_LEVEL: {{ .Values.global.logLevel | default "debug" }} - CSI_LOG_FORMAT: {{ .Values.global.logFormat | default "TEXT" }} \ No newline at end of file + CSI_LOG_FORMAT: {{ .Values.global.logFormat | default "TEXT" }} diff --git a/charts/csi-powermax/templates/node.yaml b/charts/csi-powermax/templates/node.yaml index 8b05dd82..faeb348d 100644 --- a/charts/csi-powermax/templates/node.yaml +++ b/charts/csi-powermax/templates/node.yaml @@ -1,7 +1,8 @@ +--- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Release.Name }}-node + name: {{.Release.Name}}-node namespace: {{ .Release.Namespace }} --- kind: ClusterRole @@ -16,6 +17,21 @@ rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [ "" ] + resources: [ "persistentvolumes" ] + verbs: [ "create", "delete", "get", "list", "watch", "update" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumesclaims" ] + verbs: [ "get", "list", "watch", "update" ] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "get", "list", "watch", "create", "update", "patch" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "volumeattachments" ] + verbs: [ "get", "list", "watch", "update" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "storageclasses" ] + verbs: [ "get", "list", "watch" ] {{- if eq .Values.openshift true }} - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] @@ -40,6 +56,14 @@ rules: resources: [ "pods" ] verbs: [ "get", "list", "watch", "update", "patch" ] {{- end}} + #below for podmon + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ "get", "list", "watch", "update", "delete" ] + {{- end }} + {{- end }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -79,8 +103,13 @@ spec: app: {{ .Release.Name }}-node template: metadata: + annotations: + kubectl.kubernetes.io/default-container: "driver" labels: app: {{ .Release.Name }}-node + {{- if .Values.podmon.enabled }} + driver.dellemc.com: dell-storage + {{- end }} spec: serviceAccountName: {{ .Release.Name }}-node {{ if .Values.node.nodeSelector }} @@ -166,7 +195,7 @@ spec: {{- end }} - name: X_CSI_POWERMAX_PROXY_SERVICE_NAME value: {{ .Release.Name }}-reverseproxy - - name: X_CSI_ISCSI_CHROOT + - name: X_CSI_NODE_CHROOT value: {{ .Values.ISCSIChroot | default "/noderoot" }} - name: X_CSI_GRPC_MAX_THREADS value: "50" @@ -216,12 +245,29 @@ spec: name: {{ .Values.vSphere.vCenterCredSecret }} key: password {{- end }} + {{- if hasKey .Values "podmon" }} + - name: X_CSI_PODMON_ENABLED + value: "{{ .Values.podmon.enabled }}" + {{- if eq .Values.podmon.enabled true }} + {{- range $key, $value := .Values.podmon.node.args }} + {{- if contains "--arrayConnectivityPollRate" $value }} + - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE + value: "{{ (split "=" $value)._1 }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + - name: X_CSI_PODMON_API_PORT + value: "{{ .Values.podmon.podmonAPIPort }}" volumeMounts: - name: driver-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/powermax.emc.dell.com - name: volumedevices-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices mountPropagation: "Bidirectional" + - name: csi-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + mountPropagation: "Bidirectional" - name: pods-path mountPath: {{ .Values.kubeletConfigDir }}/pods mountPropagation: "Bidirectional" @@ -340,6 +386,58 @@ spec: mountPath: /etc/karavi-authorization {{ end }} {{ end }} + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: podmon + securityContext: + privileged: true + capabilities: + add: [ "SYS_ADMIN" ] + allowPrivilegeEscalation: true + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.node.args | nindent 12 }} + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: X_CSI_PRIVATE_MOUNT_DIR + value: {{ .Values.kubeletConfigDir }} + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: kubelet-pods + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/powermax.emc.dell.com + mountPropagation: "Bidirectional" + - name: csi-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + mountPropagation: "Bidirectional" + - name: dev + mountPath: /dev + - name: usr-bin + mountPath: /usr-bin + - name: var-run + mountPath: /var/run + - name: powermax-config-params + mountPath: /powermax-config-params + {{- end }} + {{- end }} volumes: - name: registration-dir hostPath: @@ -357,6 +455,9 @@ spec: hostPath: path: {{ .Values.kubeletConfigDir }}/pods type: Directory + - name: csi-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi - name: dev hostPath: path: /dev @@ -376,6 +477,10 @@ spec: - name: powermax-config-params configMap: name: {{ .Release.Name }}-config-params + - name: certs + secret: + secretName: {{ .Release.Name }}-certs + optional: true {{- if hasKey .Values.node "topologyControl" }} {{- if eq .Values.node.topologyControl.enabled true }} - name: node-topology-config @@ -383,10 +488,6 @@ spec: name: node-topology-config {{- end }} {{- end }} - - name: certs - secret: - secretName: {{ .Release.Name }}-certs - optional: true {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-config @@ -397,3 +498,15 @@ spec: secretName: proxy-server-root-certificate {{ end }} {{ end }} + - name: usr-bin + hostPath: + path: /usr/bin + type: Directory + - name: kubelet-pods + hostPath: + path: /var/lib/kubelet/pods + type: Directory + - name: var-run + hostPath: + path: /var/run + type: Directory diff --git a/charts/csi-powermax/values.yaml b/charts/csi-powermax/values.yaml index 695d7be0..785a8b01 100644 --- a/charts/csi-powermax/values.yaml +++ b/charts/csi-powermax/values.yaml @@ -22,9 +22,9 @@ global: - storageArrayId: "000000000001" endpoint: https://primary-1.unisphe.re:8443 backupEndpoint: https://backup-1.unisphe.re:8443 -# - storageArrayId: "000000000002" -# endpoint: https://primary-2.unisphe.re:8443 -# backupEndpoint: https://backup-2.unisphe.re:8443 + # - storageArrayId: "000000000002" + # endpoint: https://primary-2.unisphe.re:8443 + # backupEndpoint: https://backup-2.unisphe.re:8443 managementServers: - endpoint: https://primary-1.unisphe.re:8443 credentialsSecret: primary-1-secret @@ -48,28 +48,29 @@ global: # Current version of the driver # Don't modify this value as this value will be used by the install script -version: "v2.10.1" +version: "v2.11.0" # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powermax:v2.10.1 - csireverseproxy: dellemc/csipowermax-reverseproxy:v2.9.1 + driver: dellemc/csi-powermax:v2.11.0 + csireverseproxy: dellemc/csipowermax-reverseproxy:v2.10.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - authorization: dellemc/csm-authorization-sidecar:v1.10.1 - migration: dellemc/dell-csi-migrator:v1.3.1 + replication: dellemc/dell-csi-replicator:v1.9.0 + authorization: dellemc/csm-authorization-sidecar:v1.11.0 + migration: dellemc/dell-csi-migrator:v1.5.0 + podmon: dellemc/podmon:v1.10.0 # Node rescan sidecar does a rescan on nodes for identifying new paths - # Default value: dellemc/dell-csi-node-rescanner:v1.0.1 - noderescan: dellemc/dell-csi-node-rescanner:v1.3.1 + # Default value: dellemc/dell-csi-node-rescanner:v1.4.0 + noderescan: dellemc/dell-csi-node-rescanner:v1.4.0 ## K8S/DRIVER ATTRIBUTES ######################## # customDriverName: If enabled, sets the driver name to the @@ -463,3 +464,36 @@ vSphere: vCenterHost: "00.000.000.00" # vCenterCredSecret: secret name for the vCenter credentials vCenterCredSecret: vcenter-creds + + +# Enable this feature only after contact support for additional information +podmon: + # podmonAPIPort: Defines the port to be used within the kubernetes cluster + # Allowed values: + # Any valid and free port. + # Default value: 8083 + podmonAPIPort: 8083 + enabled: false + controller: + args: + - "--csisock=unix:/var/run/csi/csi.sock" + - "--labelvalue=csi-powermax" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powermax.dellemc.com" + - "--mode=controller" + - "--skipArrayConnectionValidation=false" + - "--driver-config-params=/powermax-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" + + node: + args: + - "--csisock=unix:/var/lib/kubelet/plugins/powermax.emc.dell.com/csi_sock" + - "--labelvalue=csi-powermax" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powermax.dellemc.com" + - "--mode=node" + - "--leaderelection=false" + - "--driver-config-params=/powermax-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" diff --git a/charts/csi-powerstore/Chart.yaml b/charts/csi-powerstore/Chart.yaml index 3f000066..3ed84df6 100644 --- a/charts/csi-powerstore/Chart.yaml +++ b/charts/csi-powerstore/Chart.yaml @@ -1,21 +1,20 @@ apiVersion: v2 -appVersion: "2.10.1" +appVersion: "2.11.0" name: csi-powerstore -version: 2.10.1 +version: 2.11.0 description: | PowerStore CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerStore StorageClass. type: application -kubeVersion: ">= 1.23.0" -# If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead -# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED +kubeVersion: ">= 1.24.0" +# If you are using a complex K8s version like "v1.24.3-mirantis-1", use this kubeVersion check instead # kubeVersion: ">= 1.23.0-0" keywords: -- csi -- storage + - csi + - storage home: https://github.com/dell/csi-powerstore sources: -- https://github.com/dell/csi-powerstore + - https://github.com/dell/csi-powerstore maintainers: -- name: DellEMC + - name: DellEMC diff --git a/charts/csi-powerstore/templates/controller.yaml b/charts/csi-powerstore/templates/controller.yaml index 968ccf61..576977db 100644 --- a/charts/csi-powerstore/templates/controller.yaml +++ b/charts/csi-powerstore/templates/controller.yaml @@ -69,7 +69,7 @@ rules: resources: ["dellcsivolumegroupsnapshots","dellcsivolumegroupsnapshots/status"] verbs: ["create", "list", "watch", "delete", "update"] {{- end }} - {{- end }} + {{- end }} - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] @@ -87,7 +87,7 @@ rules: {{- else }} verbs: ["get", "list", "watch", "update"] {{- end }} - {{- end }} + {{- end }} - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments/status"] verbs: ["patch"] @@ -438,7 +438,7 @@ spec: - name: GOPOWERSTORE_DEBUG value: "true" - name: CSI_AUTO_ROUND_OFF_FILESYSTEM_SIZE - value: "{{ .Values.allowAutoRoundOffFilesystemSize | default false }}" + value: "{{ .Values.allowAutoRoundOffFilesystemSize | default true }}" volumeMounts: - name: socket-dir mountPath: /var/run/csi diff --git a/charts/csi-powerstore/values.yaml b/charts/csi-powerstore/values.yaml index c40485d2..b55526a6 100644 --- a/charts/csi-powerstore/values.yaml +++ b/charts/csi-powerstore/values.yaml @@ -23,26 +23,26 @@ driverName: "csi-powerstore.dellemc.com" # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.10.1 +version: v2.11.0 # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powerstore:v2.10.1 + driver: dellemc/csi-powerstore:v2.11.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.5.1 - podmon: dellemc/podmon:v1.9.1 - metadataretriever: dellemc/csi-metadata-retriever:v1.7.3 + replication: dellemc/dell-csi-replicator:v1.9.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.6.0 + podmon: dellemc/podmon:v1.10.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.8.0 # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. @@ -306,7 +306,7 @@ logFormat: "JSON" fsGroupPolicy: ReadWriteOnceWithFSType # Allows the controller to round off filesystem to 3Gi which is the minimum supported value -allowAutoRoundOffFilesystemSize: false +allowAutoRoundOffFilesystemSize: true # Storage Capacity Tracking # Note: Capacity tracking is supported in kubernetes v1.24 and above, this feature will be automatically disabled in older versions. diff --git a/charts/csi-unity/Chart.yaml b/charts/csi-unity/Chart.yaml index e169cd11..5a4687bd 100644 --- a/charts/csi-unity/Chart.yaml +++ b/charts/csi-unity/Chart.yaml @@ -1,20 +1,19 @@ apiVersion: v2 -appVersion: 2.10.1 +appVersion: 2.11.0 name: csi-unity -version: 2.10.1 +version: 2.11.0 description: | Unity XT CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a Unity XT StorageClass. type: application -kubeVersion: ">= 1.23.0" -# If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead -# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED +kubeVersion: ">= 1.24.0" +# If you are using a complex K8s version like "v1.24.3-mirantis-1", use this kubeVersion check instead # kubeVersion: ">= 1.23.0-0" keywords: -- csi -- storage + - csi + - storage sources: -- https://github.com/dell/csi-unity + - https://github.com/dell/csi-unity maintainers: -- name: DellEMC + - name: DellEMC diff --git a/charts/csi-unity/templates/controller.yaml b/charts/csi-unity/templates/controller.yaml index 84b64b05..0c3e39ed 100644 --- a/charts/csi-unity/templates/controller.yaml +++ b/charts/csi-unity/templates/controller.yaml @@ -7,7 +7,7 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ .Release.Name }}-controller + name: {{ .Release.Name }}-controller rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] @@ -126,6 +126,8 @@ spec: app: {{ .Release.Name }}-controller template: metadata: + annotations: + kubectl.kubernetes.io/default-container: "driver" labels: app: {{ .Release.Name }}-controller spec: diff --git a/charts/csi-unity/templates/csidriver.yaml b/charts/csi-unity/templates/csidriver.yaml index f9d57239..80f594e8 100644 --- a/charts/csi-unity/templates/csidriver.yaml +++ b/charts/csi-unity/templates/csidriver.yaml @@ -9,4 +9,4 @@ spec: volumeLifecycleModes: - Persistent - Ephemeral - fsGroupPolicy: {{ .Values.fsGroupPolicy }} \ No newline at end of file + fsGroupPolicy: {{ .Values.fsGroupPolicy }} diff --git a/charts/csi-unity/templates/node.yaml b/charts/csi-unity/templates/node.yaml index 9358b0cd..8788b79a 100644 --- a/charts/csi-unity/templates/node.yaml +++ b/charts/csi-unity/templates/node.yaml @@ -70,6 +70,8 @@ spec: app: {{ .Release.Name }}-node template: metadata: + annotations: + kubectl.kubernetes.io/default-container: "driver" labels: app: {{ .Release.Name }}-node {{- if .Values.podmon.enabled }} @@ -160,6 +162,8 @@ spec: value: "true" - name: X_CSI_UNITY_ALLOW_MULTI_POD_ACCESS value: {{ .Values.allowRWOMultiPodAccess | default "false" | lower | quote }} + - name: X_CSI_ALLOWED_NETWORKS + value: "{{ .Values.allowedNetworks }}" - name: X_CSI_PRIVATE_MOUNT_DIR value: "{{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/disks" - name: X_CSI_EPHEMERAL_STAGING_PATH diff --git a/charts/csi-unity/values.yaml b/charts/csi-unity/values.yaml index e0a39e7e..b46f1a22 100644 --- a/charts/csi-unity/values.yaml +++ b/charts/csi-unity/values.yaml @@ -4,21 +4,21 @@ # version: version of this values file # Note: Do not change this value # Examples : "v2.9.0" , "nightly" -version: "v2.10.1" +version: "v2.11.0" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-unity:v2.10.1 + driver: dellemc/csi-unity:v2.11.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - podmon: dellemc/podmon:v1.9.1 + podmon: dellemc/podmon:v1.10.0 # LogLevel is used to set the logging level of the driver. # Allowed values: "error", "warn"/"warning", "info", "debug" @@ -31,6 +31,13 @@ logLevel: "info" # Default value: None certSecretCount: 1 +# allowedNetworks: Custom networks for Unity export +# Specify list of networks which can be used for NFS I/O traffic; CIDR format should be used. +# Allowed values: list of one or more networks (comma separated) +# Default value: None +# Examples: 192.168.1.0/24, 192.168.100.0/22 +allowedNetworks: + # imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container. # Allowed values: # Always: Always pull the image. @@ -48,13 +55,13 @@ kubeletConfigDir: /var/lib/kubelet # Allowed values: # ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined # and the volume's accessModes contains ReadWriteOnce. -# File: kubernetes may use fsGroup to change permissions and ownership of the volume +# File: kubernetes may use fsGroup to change permissions and ownership of the volume # to match user requested fsGroup in the pod's security policy regardless of fstype or access mode. # None: volumes will be mounted with no modifications. # Default value: ReadWriteOnceWithFSType fsGroupPolicy: ReadWriteOnceWithFSType -#To set nodeSelectors and tolerations for controller. +# To set nodeSelectors and tolerations for controller. # controller: configure controller pod specific parameters controller: # controllerCount: defines the number of csi-unity controller pods to deploy to @@ -176,7 +183,7 @@ node: # - key: "node.kubernetes.io/network-unavailable" # operator: "Exists" # effect: "NoExecute" - # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled + # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled # - key: "offline.vxflexos.storage.dell.com" # operator: "Exists" # effect: "NoSchedule" diff --git a/charts/csi-vxflexos/Chart.yaml b/charts/csi-vxflexos/Chart.yaml index f0b6655b..47d8ded9 100644 --- a/charts/csi-vxflexos/Chart.yaml +++ b/charts/csi-vxflexos/Chart.yaml @@ -1,19 +1,18 @@ apiVersion: v2 -appVersion: "2.10.1" +appVersion: "2.11.0" name: csi-vxflexos -version: "2.10.2" +version: "2.11.0" description: | VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a VxFlex OS StorageClass. -kubeVersion: ">= 1.23.0" -# If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead -# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED +kubeVersion: ">= 1.21.0" +# If you are using a complex K8s version like "v1.21.3-mirantis-1", use this kubeVersion check instead # kubeVersion: ">= 1.23.0-0" keywords: -- csi -- storage + - csi + - storage maintainers: -- name: DellEMC + - name: DellEMC sources: -- https://github.com/dell/csi-vxflexos + - https://github.com/dell/csi-vxflexos diff --git a/charts/csi-vxflexos/templates/controller.yaml b/charts/csi-vxflexos/templates/controller.yaml index a456049e..e002f4f9 100644 --- a/charts/csi-vxflexos/templates/controller.yaml +++ b/charts/csi-vxflexos/templates/controller.yaml @@ -171,7 +171,6 @@ spec: kubectl.kubernetes.io/default-container: "driver" spec: affinity: - nodeSelector: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: @@ -180,14 +179,14 @@ spec: operator: In values: - {{ .Release.Name }}-controller - topologyKey: kubernetes.io/hostname + topologyKey: kubernetes.io/hostname serviceAccountName: {{ .Release.Name }}-controller {{- if .Values.controller.nodeSelector }} nodeSelector: {{- toYaml .Values.controller.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.controller.tolerations }} - tolerations: + tolerations: {{- toYaml .Values.controller.tolerations | nindent 6 }} {{- end }} containers: @@ -260,7 +259,7 @@ spec: {{- end }} {{- end }} - name: provisioner - image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }} + image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -285,7 +284,7 @@ spec: - name: POD_NAME valueFrom: fieldRef: - fieldPath: metadata.name + fieldPath: metadata.name volumeMounts: - name: socket-dir mountPath: /var/run/csi diff --git a/charts/csi-vxflexos/templates/csidriver.yaml b/charts/csi-vxflexos/templates/csidriver.yaml index 8bd88e7a..b4f68390 100644 --- a/charts/csi-vxflexos/templates/csidriver.yaml +++ b/charts/csi-vxflexos/templates/csidriver.yaml @@ -7,6 +7,6 @@ spec: fsGroupPolicy: {{ .Values.fsGroupPolicy }} attachRequired: true podInfoOnMount: true - volumeLifecycleModes: + volumeLifecycleModes: - Persistent - Ephemeral diff --git a/charts/csi-vxflexos/templates/node.yaml b/charts/csi-vxflexos/templates/node.yaml index 8083e8fd..c7a91407 100644 --- a/charts/csi-vxflexos/templates/node.yaml +++ b/charts/csi-vxflexos/templates/node.yaml @@ -99,7 +99,7 @@ spec: {{- else }} hostPID: false {{- end }} - containers: + containers: {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: podmon @@ -333,11 +333,11 @@ spec: - name: host-opt-emc-path mountPath: /host_opt_emc_path - name: sdc-storage - mountPath: /storage + mountPath: /storage - name: udev-d mountPath: /rules.d - name: scaleio-path-opt - mountPath: /host_drv_cfg_path + mountPath: /host_drv_cfg_path volumes: - name: registration-dir hostPath: diff --git a/charts/csi-vxflexos/values.yaml b/charts/csi-vxflexos/values.yaml index 28934c6d..e8d3a77e 100644 --- a/charts/csi-vxflexos/values.yaml +++ b/charts/csi-vxflexos/values.yaml @@ -3,28 +3,28 @@ # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.10.1 +version: v2.11.0 # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-vxflexos:v2.10.1 + driver: dellemc/csi-vxflexos:v2.11.0 # "powerflexSdc" defines the SDC image for init container. - powerflexSdc: dellemc/sdc:4.5.1 + powerflexSdc: dellemc/sdc:4.5.2.1 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.5.1 - podmon: dellemc/podmon:v1.9.1 - authorization: dellemc/csm-authorization-sidecar:v1.10.1 + replication: dellemc/dell-csi-replicator:v1.9.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.6.0 + podmon: dellemc/podmon:v1.10.0 + authorization: dellemc/csm-authorization-sidecar:v1.11.0 # Represents number of certificate secrets, which user is going to create for ssl authentication. (vxflexos-cert-0..vxflexos-cert-n) # If user does not use certificate, set to 0 @@ -100,7 +100,7 @@ allowRWOMultiPodAccess: "false" # Allowed values: # ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined # and the volume's accessModes contains ReadWriteOnce. -# File: kubernetes may use fsGroup to change permissions and ownership of the volume +# File: kubernetes may use fsGroup to change permissions and ownership of the volume # to match user requested fsGroup in the pod's security policy regardless of fstype or access mode. # None: volumes will be mounted with no modifications. fsGroupPolicy: File @@ -114,7 +114,6 @@ maxVxflexosVolumesPerNode: 0 # "controller" allows to configure controller specific parameters controller: - # replication: allows to configure replication # Replication CRDs must be installed before installing driver replication: @@ -174,8 +173,8 @@ controller: # false: disable volume snapshot feature(do not install resizer sidecar) # Default value: None enabled: true - - #"controller.nodeSelector" defines what nodes would be selected for pods of controller deployment + + # "controller.nodeSelector" defines what nodes would be selected for pods of controller deployment # Leave as blank to use all nodes # Allowed values: map of key-value pairs # Default value: None @@ -188,12 +187,12 @@ controller: # Leave as blank to install controller on worker nodes # Default value: None tolerations: - # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint - # - key: "node-role.kubernetes.io/master" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # - key: "node-role.kubernetes.io/master" # operator: "Exists" # effect: "NoSchedule" - # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint - # - key: "node-role.kubernetes.io/control-plane" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # - key: "node-role.kubernetes.io/control-plane" # operator: "Exists" # effect: "NoSchedule" @@ -221,14 +220,14 @@ node: # Default value: None tolerations: # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint - # - key: "node-role.kubernetes.io/master" + # - key: "node-role.kubernetes.io/master" # operator: "Exists" # effect: "NoSchedule" - # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint - # - key: "node-role.kubernetes.io/control-plane" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # - key: "node-role.kubernetes.io/control-plane" # operator: "Exists" # effect: "NoSchedule" - # Uncomment if CSM for Resiliency and CSI Driver pods monitor is enabled + # Uncomment if CSM for Resiliency and CSI Driver pods monitor is enabled # - key: "offline.vxflexos.storage.dell.com" # operator: "Exists" # effect: "NoSchedule" @@ -262,12 +261,12 @@ node: # Default value: none # Examples: "rhel-sdc", "sdc-test" prefix: "sdc-test" - + # "approveSDC" defines the approve operation for SDC # Default value: None - approveSDC: + approveSDC: # enabled: Enable/Disable SDC approval - #Allowed values: + # Allowed values: # true: Driver will attempt to approve restricted SDC by GUID during setup # false: Driver will not attempt to approve restricted SDC by GUID during setup # Default value: false @@ -285,8 +284,7 @@ storageCapacity: # pollInterval : Configure how often external-provisioner polls the driver to detect changed capacity # Allowed values: 1m,2m,3m,...,10m,...,60m etc # Default value: 5m - pollInterval: 5m - + pollInterval: 5m # monitoring pod details # These options control the running of the monitoring container @@ -307,7 +305,6 @@ monitor: # Default value: "false" hostPID: true - # CSM module attributes # volume group snapshotter(vgsnapshotter) details @@ -356,6 +353,6 @@ authorization: # skipCertificateValidation: certificate validation of the csm-authorization server # Allowed Values: # "true" - TLS certificate verification will be skipped - # "false" - TLS certificate will be verified - # Default value: "true" + # "false" - TLS certificate will be verified + # Default value: "true" skipCertificateValidation: true diff --git a/charts/csm-application-mobility/Chart.yaml b/charts/csm-application-mobility/Chart.yaml deleted file mode 100644 index f1f62677..00000000 --- a/charts/csm-application-mobility/Chart.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v2 -name: csm-application-mobility -description: A Helm chart deploying Application Mobility -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.3.0" - -dependencies: -- name: cert-manager - version: 1.8.2 - repository: https://charts.jetstack.io - condition: cert-manager.enabled -- name: velero - version: 2.29.8 - repository: https://vmware-tanzu.github.io/helm-charts - condition: velero.enabled diff --git a/charts/csm-application-mobility/crds/cert-manager.crds.yaml b/charts/csm-application-mobility/crds/cert-manager.crds.yaml deleted file mode 100644 index a08eb7b8..00000000 --- a/charts/csm-application-mobility/crds/cert-manager.crds.yaml +++ /dev/null @@ -1,4304 +0,0 @@ -# Copyright 2021 The cert-manager Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Source: cert-manager/templates/crd-templates.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificaterequests.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.8.0" -spec: - group: cert-manager.io - names: - kind: CertificateRequest - listKind: CertificateRequestList - plural: certificaterequests - shortNames: - - cr - - crs - singular: certificaterequest - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status - name: Denied - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requestor - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - type: object - required: - - issuerRef - - request - properties: - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. - type: string - extra: - description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: object - additionalProperties: - type: array - items: - type: string - groups: - description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: array - items: - type: string - x-kubernetes-list-type: atomic - isCA: - description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. - type: string - format: byte - uid: - description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - username: - description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - status: - description: Status of the CertificateRequest. This is set and managed automatically. - type: object - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. - type: string - format: byte - certificate: - description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. - type: string - format: byte - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - type: array - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failureTime: - description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - served: true - storage: true ---- -# Source: cert-manager/templates/crd-templates.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificates.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.8.0" -spec: - group: cert-manager.io - names: - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - - certs - singular: certificate - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - type: object - required: - - issuerRef - - secretName - properties: - additionalOutputFormats: - description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. - type: array - items: - description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. - type: object - required: - - type - properties: - type: - description: Type is the name of the format type that should be written to the Certificate's target Secret. - type: string - enum: - - DER - - CombinedPEM - commonName: - description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. - type: array - items: - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - emailAddresses: - description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. - type: array - items: - type: string - encodeUsagesInRequest: - description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest - type: boolean - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. - type: array - items: - type: string - isCA: - description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - keystores: - description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. - type: object - properties: - jks: - description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - privateKey: - description: Options to control private keys used for the Certificate. - type: object - properties: - algorithm: - description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. - type: string - enum: - - RSA - - ECDSA - - Ed25519 - encoding: - description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. - type: string - enum: - - PKCS1 - - PKCS8 - rotationPolicy: - description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. - type: string - enum: - - Never - - Always - size: - description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. - type: integer - renewBefore: - description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - revisionHistoryLimit: - description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. - type: integer - format: int32 - secretName: - description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. - type: string - secretTemplate: - description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. - type: object - properties: - annotations: - description: Annotations is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - labels: - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. - type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. - type: array - items: - type: string - organizations: - description: Organizations to be used on the Certificate. - type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uris: - description: URIs is a list of URI subjectAltNames to be set on the Certificate. - type: array - items: - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: Status of the Certificate. This is set and managed automatically. - type: object - properties: - conditions: - description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. - type: array - items: - description: CertificateCondition contains condition information for an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failedIssuanceAttempts: - description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). - type: integer - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. - type: string - format: date-time - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. - type: string - format: date-time - notBefore: - description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. - type: string - format: date-time - renewalTime: - description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. - type: string - format: date-time - revision: - description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." - type: integer - served: true - storage: true ---- -# Source: cert-manager/templates/crd-templates.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: challenges.acme.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.8.0" -spec: - group: acme.cert-manager.io - names: - kind: Challenge - listKind: ChallengeList - plural: challenges - singular: challenge - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - properties: - authorizationURL: - description: The URL to the ACME Authorization resource that this challenge is a part of. - type: string - dnsName: - description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - key: - description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' - type: string - solver: - description: Contains the domain solving configuration that should be used to solve this challenge resource. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. \n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. - type: string - type: - description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". - type: string - enum: - - HTTP-01 - - DNS-01 - url: - description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. - type: boolean - status: - type: object - properties: - presented: - description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. - type: boolean - reason: - description: Contains human readable information on why the Challenge is in the current state. - type: string - state: - description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/templates/crd-templates.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.8.0" -spec: - group: cert-manager.io - names: - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - singular: clusterissuer - categories: - - cert-manager - scope: Cluster - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. \n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - served: true - storage: true ---- -# Source: cert-manager/templates/crd-templates.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: issuers.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.8.0" -spec: - group: cert-manager.io - names: - kind: Issuer - listKind: IssuerList - plural: issuers - singular: issuer - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. \n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the Issuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - served: true - storage: true ---- -# Source: cert-manager/templates/crd-templates.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: orders.acme.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.8.0" -spec: - group: acme.cert-manager.io - names: - kind: Order - listKind: OrderList - plural: orders - singular: order - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - issuerRef - - request - properties: - commonName: - description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - duration: - description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. - type: string - format: byte - status: - type: object - properties: - authorizations: - description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. - type: array - items: - description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. - type: object - required: - - url - properties: - challenges: - description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. - type: array - items: - description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. - type: object - required: - - token - - type - - url - properties: - token: - description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. - type: string - identifier: - description: Identifier is the DNS name to be validated as part of this authorization - type: string - initialState: - description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL is the URL of the Authorization that must be completed - type: string - wildcard: - description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - certificate: - description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. - type: string - format: byte - failureTime: - description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. - type: string - served: true - storage: true diff --git a/charts/csm-application-mobility/templates/_helpers.tpl b/charts/csm-application-mobility/templates/_helpers.tpl deleted file mode 100644 index cc6f0e48..00000000 --- a/charts/csm-application-mobility/templates/_helpers.tpl +++ /dev/null @@ -1,133 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "csm-application-mobility.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "csm-application-mobility.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "csm-application-mobility.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "csm-application-mobility.labels" -}} -helm.sh/chart: {{ include "csm-application-mobility.chart" . }} -{{ include "csm-application-mobility.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "csm-application-mobility.selectorLabels" -}} -app.kubernetes.io/name: {{ include "csm-application-mobility.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "csm-application-mobility.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "csm-application-mobility.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - - -{{/* -Create the name of the velero namespace. -*/}} -{{- define "velero.namespace" -}} -{{- if not .Values.velero.enabled -}} - {{- if .Values.veleroNamespace -}} - {{- .Values.veleroNamespace -}} - {{- else -}} - {{- default "velero" -}} - {{- end -}} -{{- else -}} - {{ default .Release.Namespace }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the license. -*/}} -{{- define "csm-application-mobility.licenseName" -}} -{{- if .Values.licenseName -}} - {{- .Values.licenseName -}} -{{- else -}} - {{- default "license" -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the secret that holds credentials to object store. -*/}} -{{- define "objectstore.secretname" -}} -{{- if not .Values.velero.enabled -}} - {{- if .Values.objectstore.secretName -}} - {{- .Values.objectstore.secretName -}} - {{- else -}} - {{- default "cloud-credentials" -}} - {{- end -}} -{{- else -}} - {{- if .Values.velero.credentials.existingSecret -}} - {{ .Values.velero.credentials.existingSecret }} - {{- else -}} - {{ default (include "velero.fullname" .) .Values.velero.credentials.name }} - {{- end -}} -{{- end -}} -{{- end -}} - - -{{/* -Deriving the secret name that velero will use based on its template: -https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/templates/_helpers.tpl#L45 -*/}} -{{- define "velero.fullname" -}} -{{- $name := default "velero" -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - - -{{/* -Namespace for all resources to be installed into -If not defined in values file then the helm release namespace is used -By default this is not set so the helm release namespace will be used -*/}} - -{{- define "custom.namespace" -}} - {{ .Values.namespace | default .Release.Namespace }} -{{- end -}} \ No newline at end of file diff --git a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_app-mobility-mutating-webhook-configuration.yaml b/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_app-mobility-mutating-webhook-configuration.yaml deleted file mode 100644 index d5773ec3..00000000 --- a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_app-mobility-mutating-webhook-configuration.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: {{ include "custom.namespace" . }}/{{ .Release.Name }}-serving-cert - name: {{ .Release.Name }}-mutating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: {{ .Release.Name }}-webhook-service - namespace: {{ include "custom.namespace" . }} - path: /mutate-mobility-storage-dell-com-v1alpha1-backup - failurePolicy: Fail - name: mbackup.mobility.storage.dell.com - rules: - - apiGroups: - - mobility.storage.dell.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - backups - sideEffects: None diff --git a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_app-mobility-validating-webhook-configuration.yaml b/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_app-mobility-validating-webhook-configuration.yaml deleted file mode 100644 index 20b16bdc..00000000 --- a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_app-mobility-validating-webhook-configuration.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: {{ include "custom.namespace" . }}/{{ .Release.Name }}-serving-cert - name: {{ .Release.Name }}-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: {{ .Release.Name }}-webhook-service - namespace: {{ include "custom.namespace" . }} - path: /validate-mobility-storage-dell-com-v1alpha1-backup - failurePolicy: Fail - name: vbackup.mobility.storage.dell.com - rules: - - apiGroups: - - mobility.storage.dell.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - backups - sideEffects: None diff --git a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_backups.mobility.storage.dell.com.yaml b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_backups.mobility.storage.dell.com.yaml deleted file mode 100644 index f1d825f5..00000000 --- a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_backups.mobility.storage.dell.com.yaml +++ /dev/null @@ -1,198 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: {{ include "custom.namespace" . }}/{{ .Release.Name }}-serving-cert - controller-gen.kubebuilder.io/version: v0.7.0 - name: backups.mobility.storage.dell.com -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: {{ .Release.Name }}-webhook-service - namespace: {{ include "custom.namespace" . }} - path: /convert - conversionReviewVersions: - - v1 - group: mobility.storage.dell.com - names: - kind: Backup - listKind: BackupList - plural: backups - singular: backup - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Backup is the Schema for the backups API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BackupSpec defines the desired state of Backup - properties: - backupLocation: - description: Velero Storage location where k8s resources and application data will be backed up to. Default value is "default" - nullable: true - type: string - clones: - description: Clones is the list of targets where this backup will be cloned to. - items: - properties: - namespaceMapping: - additionalProperties: - type: string - description: NamespaceMapping is a map of source namespace names to target namespace names to restore into. Any source namespaces not included in the map will be restored into namespaces of the same name. - type: object - restoreOnceAvailable: - description: Optionally, specify whether the backup is to be restored to TargetCluster once available. Default value is false. Setting this to true causes the backup to be restored as soon as it is available. - nullable: true - type: boolean - targetCluster: - description: Optionally, specify the targetCluster to restore the backup to. - nullable: true - type: string - type: object - nullable: true - type: array - datamover: - description: Default datamover is Restic - nullable: true - type: string - excludedNamespaces: - description: ExcludedNamespaces contains a list of namespaces that are not included in the backup. - items: - type: string - nullable: true - type: array - excludedResources: - description: ExcludedResources is a slice of resource names that are not included in the backup. - items: - type: string - nullable: true - type: array - includeClusterResources: - description: IncludeClusterResources specifies whether cluster-scoped resources should be included for consideration in the backup. - nullable: true - type: boolean - includedNamespaces: - description: IncludedNamespaces is a slice of namespace names to include objects from. If empty, all namespaces are included. - items: - type: string - nullable: true - type: array - includedResources: - description: IncludedResources is a slice of resource names to include in the backup. If empty, all resources are included. - items: - type: string - nullable: true - type: array - labelSelector: - description: LabelSelector is a metav1.LabelSelector to filter with when adding individual objects to the backup. If empty or nil, all objects are included. Optional. - nullable: true - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - podVolumeBackups: - items: - type: string - nullable: true - type: array - ttl: - description: TTL the Dell Backup retention period - type: string - veleroBackup: - nullable: true - type: string - type: object - status: - description: BackupStatus defines the observed state of Backup - properties: - clones: - items: - properties: - clusterUID: - description: ClusterID is the identifier with which cluster was registered - should be the kube-system uid of the targetCLuster - nullable: true - type: string - phase: - description: Phase of the restore - type: string - restoreName: - description: RestoreName is the name of the restore object that will restore the backup. This may or may not be used. - nullable: true - type: string - restoreOnceAvailable: - description: RestoreOnceAvailable - nullable: true - type: boolean - targetCluster: - description: TargetCluster to which the backup will be restored - nullable: true - type: string - type: object - type: array - completionTimestamp: - description: CompletionTimestamp records the time a backup was completed. Completion time is recorded even on failed backups. Completion time is recorded before uploading the backup object. The server's time is used for CompletionTimestamps - format: date-time - nullable: true - type: string - expiration: - description: Expiration is when this Backup is eligible for garbage-collection. - format: date-time - nullable: true - type: string - phase: - description: Phase is the current state of the Backup. - type: string - startTimestamp: - description: StartTimestamp records the time a backup was started. The server's time is used for StartTimestamps - format: date-time - nullable: true - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_clusterconfigs.mobility.storage.dell.com.yaml b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_clusterconfigs.mobility.storage.dell.com.yaml deleted file mode 100644 index bc0f5573..00000000 --- a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_clusterconfigs.mobility.storage.dell.com.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: clusterconfigs.mobility.storage.dell.com -spec: - group: mobility.storage.dell.com - names: - kind: ClusterConfig - listKind: ClusterConfigList - plural: clusterconfigs - singular: clusterconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterConfig is the Schema for the clusterconfigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterConfigSpec defines the desired state of ClusterConfig - properties: - clusterName: - description: ClusterName is the name with which the cluster is being registered. - type: string - kubeConfig: - description: KubeConfig contains the kubeConfig that can be used to connect to the cluster being registered.Either this or SecretRef should be specified. - nullable: true - type: string - secretRef: - description: SecretRef is the name of the secret containing kubeConfig to connect to the cluster. Either this or KubeConfig should be specified. - nullable: true - type: string - required: - - clusterName - type: object - status: - description: ClusterConfigStatus defines the observed state of ClusterConfig - properties: - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_podvolumebackups.mobility.storage.dell.com.yaml b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_podvolumebackups.mobility.storage.dell.com.yaml deleted file mode 100644 index ecc830ae..00000000 --- a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_podvolumebackups.mobility.storage.dell.com.yaml +++ /dev/null @@ -1,92 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: podvolumebackups.mobility.storage.dell.com -spec: - group: mobility.storage.dell.com - names: - kind: PodVolumeBackup - listKind: PodVolumeBackupList - plural: podvolumebackups - singular: podvolumebackup - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: PodVolumeBackup is the Schema for the podvolumebackups API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PodVolumeBackupSpec defines the desired state of PodVolumeBackup - properties: - backupFromSourceVolume: - description: BackupFromSourceVolume is the bool that indicates whether to backup from source volume instead of its snapshot - type: boolean - backupStorageLocation: - description: BackupStorage location to backup to - nullable: true - type: string - namespace: - description: Namespace the original pvc and snapshot reside in - nullable: true - type: string - pod: - description: Pod is the name of the pod using the volume to be backed up. - type: string - repoIdentifier: - description: Identifier of the restic repository where this snapshot will be backed up to - type: string - snapshotName: - description: SnapshotName is the name of the snapshot from which to backup - type: string - sourcePVCName: - description: SourcePVCName is the name of the pvc used to provision the volume which is to be backed up - type: string - veleroPodVolumeBackup: - description: Corresponding velero PodVolumeBackup for this dell PodVolumeBackup - nullable: true - type: string - volume: - description: Volume is the name of the volume within the Pod to be backed up. - type: string - required: - - backupFromSourceVolume - - pod - - snapshotName - - sourcePVCName - - volume - type: object - status: - description: PodVolumeBackupStatus defines the observed state of PodVolumeBackup - properties: - phase: - description: Phase is the current state of the Dell PodVolumeBackup. - enum: - - New - - InProgress - - Completed - - Failed - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_podvolumerestores.mobility.storage.dell.com.yaml b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_podvolumerestores.mobility.storage.dell.com.yaml deleted file mode 100644 index 496145b2..00000000 --- a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_podvolumerestores.mobility.storage.dell.com.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: podvolumerestores.mobility.storage.dell.com -spec: - group: mobility.storage.dell.com - names: - kind: PodVolumeRestore - listKind: PodVolumeRestoreList - plural: podvolumerestores - singular: podvolumerestore - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: PodVolumeRestore is the Schema for the podvolumerestores API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PodVolumeRestoreSpec defines the desired state of PodVolumeRestore - properties: - backupStorageLocation: - description: BackupStorageLocation is the name of the backup storage location where the restic repository is stored. - type: string - namespace: - description: Should this come from PodVolumeRestore's namespace? Namespace is the namespace the pvc. - type: string - newNamespace: - description: NewNamespace is the namespace that the pod and pvc are being restored to; used only for init-container approach - type: string - podName: - description: PodName is the name of the pod that uses the volume to which data is to be restored; used only for init-container approach - type: string - pvcName: - description: PVCName is the name of the pvc to which data is to be restored - type: string - repoIdentifier: - description: RepoIdentifier is the restic repository identifier. - type: string - resticSnapshotId: - description: ResticSnapshotID is the snapshotID from which data is to be restored - type: string - veleroRestore: - description: Velero restore associated with this pod volume restore; used only for init-container approach - type: string - volumeName: - description: VolumeName is the name of the volume to which data is to be restored; used only for init-container approach - type: string - required: - - backupStorageLocation - - repoIdentifier - type: object - status: - description: PodVolumeRestoreStatus defines the observed state of PodVolumeRestore - properties: - phase: - description: Phase is the current state of the PodVolumeRestore. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_restores.mobility.storage.dell.com.yaml b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_restores.mobility.storage.dell.com.yaml deleted file mode 100644 index 834eb0b8..00000000 --- a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_restores.mobility.storage.dell.com.yaml +++ /dev/null @@ -1,101 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: restores.mobility.storage.dell.com -spec: - group: mobility.storage.dell.com - names: - kind: Restore - listKind: RestoreList - plural: restores - singular: restore - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Restore is the Schema for the restores API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RestoreSpec defines the desired state of Restore - properties: - backupName: - description: BackupName is the name of the backup to restore from - type: string - excludedNamespaces: - description: ExcludedNamespaces contains a list of namespaces in the backup from which resources should not be restored - items: - type: string - nullable: true - type: array - excludedResources: - description: ExcludedResources is a slice of resource names that are not included in the restore. - items: - type: string - nullable: true - type: array - includeClusterResources: - description: IncludeClusterResources specifies whether cluster-scoped resources should be included for consideration in the restore. If null, defaults to true. - nullable: true - type: boolean - includedNamespaces: - description: IncludedNamespaces is a slice of namespace names in the backup to retore objects from If empty, all namespaces are included. - items: - type: string - nullable: true - type: array - includedResources: - description: IncludedResources is a slice of resource names to include in the restore. If empty, all resources in the backup are included. - items: - type: string - nullable: true - type: array - namespaceMapping: - additionalProperties: - type: string - description: NamespaceMapping is a map of source namespace names to target namespace names to restore into. Any source namespaces not included in the map will be restored into namespaces of the same name. - type: object - restorePVs: - description: RestorePVs specifies whether to restore all included PVs - nullable: true - type: boolean - type: object - status: - description: RestoreStatus defines the observed state of Restore - properties: - phase: - description: Phase is the current state of the Restore - type: string - podVolumeRestores: - description: PodVolumeRestores is the slice of podVolumeRestore names created for this Dell restore - items: - type: string - nullable: true - type: array - veleroRestore: - description: VeleroRestore is the name of the velero restore created for this Dell restore - nullable: true - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_schedules.mobility.storage.dell.com.yaml b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_schedules.mobility.storage.dell.com.yaml deleted file mode 100644 index 284846a6..00000000 --- a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_schedules.mobility.storage.dell.com.yaml +++ /dev/null @@ -1,233 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: schedules.mobility.storage.dell.com -spec: - group: mobility.storage.dell.com - names: - kind: Schedule - listKind: ScheduleList - plural: schedules - singular: schedule - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Status - type: string - - jsonPath: .spec.paused - name: Paused - type: boolean - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .status.lastBackupTime - name: lastBackupTime - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Schedule is the Schema for the schedules API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ScheduleSpec defines the desired state of Schedule - properties: - backupSpec: - description: BackupSpec is the spec of the Backup to be created on - the specified Schedule. - properties: - backupLocation: - description: Velero Storage location where k8s resources and application - data will be backed up to. Default value is "default" - nullable: true - type: string - clones: - description: Clones is the list of targets where this backup will - be cloned to. - items: - properties: - namespaceMapping: - additionalProperties: - type: string - description: NamespaceMapping is a map of source namespace - names to target namespace names to restore into. Any source - namespaces not included in the map will be restored into - namespaces of the same name. - type: object - restoreOnceAvailable: - description: Optionally, specify whether the backup is to - be restored to TargetCluster once available. Default value - is false. Setting this to true causes the backup to be - restored as soon as it is available. - nullable: true - type: boolean - targetCluster: - description: Optionally, specify the targetCluster to restore - the backup to. - nullable: true - type: string - type: object - nullable: true - type: array - datamover: - description: Default datamover is Restic - nullable: true - type: string - excludedNamespaces: - description: ExcludedNamespaces contains a list of namespaces - that are not included in the backup. - items: - type: string - nullable: true - type: array - excludedResources: - description: ExcludedResources is a slice of resource names that - are not included in the backup. - items: - type: string - nullable: true - type: array - includeClusterResources: - description: IncludeClusterResources specifies whether cluster-scoped - resources should be included for consideration in the backup. - nullable: true - type: boolean - includedNamespaces: - description: IncludedNamespaces is a slice of namespace names - to include objects from. If empty, all namespaces are included. - items: - type: string - nullable: true - type: array - includedResources: - description: IncludedResources is a slice of resource names to - include in the backup. If empty, all resources are included. - items: - type: string - nullable: true - type: array - labelSelector: - description: LabelSelector is a metav1.LabelSelector to filter - with when adding individual objects to the backup. If empty - or nil, all objects are included. Optional. - nullable: true - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - podVolumeBackups: - items: - type: string - nullable: true - type: array - ttl: - description: TTL the Dell Backup retention period - type: string - veleroBackup: - nullable: true - type: string - type: object - paused: - description: Paused specifies whether the schedule is paused or not - type: boolean - schedule: - description: Schedule is the cron expression representing when to - create the Backup. - type: string - setOwnerReferencesInBackup: - description: SetOwnerReferencesInBackup specifies whether to set OwnerReferences - on Backups created by this Schedule. - nullable: true - type: boolean - required: - - backupSpec - - schedule - type: object - status: - description: ScheduleStatus defines the observed state of Schedule - properties: - lastBackupTime: - description: LastBackupTime is the last time when a backup was created - successfully from this schedule. - format: date-time - nullable: true - type: string - phase: - description: Phase is the current phase of the schdule. - enum: - - New - - Enabled - - FailedValidation - type: string - validationErrors: - description: ValidationErrors is a list of validation errors, if any - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/csm-application-mobility/templates/apps_v1_deployment_app-mobility-controller-manager.yaml b/charts/csm-application-mobility/templates/apps_v1_deployment_app-mobility-controller-manager.yaml deleted file mode 100644 index ec4f9ddc..00000000 --- a/charts/csm-application-mobility/templates/apps_v1_deployment_app-mobility-controller-manager.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - name: {{ .Release.Name }}-controller-manager - namespace: {{ include "custom.namespace" . }} -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --app-mobility-namespace={{ include "custom.namespace" . }} - - --velero-namespace={{ include "velero.namespace" . }} - - --secret-name={{ include "objectstore.secretname" . }} - - --license-name={{ .Values.licenseName }} - command: - - /manager - image: {{ .Values.controller.image }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - securityContext: - runAsNonRoot: true - serviceAccountName: {{ .Release.Name }}-controller-manager - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert diff --git a/charts/csm-application-mobility/templates/cert-manager.io_v1_certificate_app-mobility-serving-cert.yaml b/charts/csm-application-mobility/templates/cert-manager.io_v1_certificate_app-mobility-serving-cert.yaml deleted file mode 100644 index 28c0387d..00000000 --- a/charts/csm-application-mobility/templates/cert-manager.io_v1_certificate_app-mobility-serving-cert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Release.Name }}-serving-cert - namespace: {{ include "custom.namespace" . }} -spec: - dnsNames: - - {{ .Release.Name }}-webhook-service.{{ include "custom.namespace" . }}.svc - - {{ .Release.Name }}-webhook-service.{{ include "custom.namespace" . }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ .Release.Name }}-selfsigned-issuer - secretName: webhook-server-cert diff --git a/charts/csm-application-mobility/templates/cert-manager.io_v1_issuer_app-mobility-selfsigned-issuer.yaml b/charts/csm-application-mobility/templates/cert-manager.io_v1_issuer_app-mobility-selfsigned-issuer.yaml deleted file mode 100644 index 95422408..00000000 --- a/charts/csm-application-mobility/templates/cert-manager.io_v1_issuer_app-mobility-selfsigned-issuer.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ .Release.Name }}-selfsigned-issuer - namespace: {{ include "custom.namespace" . }} -spec: - selfSigned: {} diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-manager-role.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-manager-role.yaml deleted file mode 100644 index 4a0d7370..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-manager-role.yaml +++ /dev/null @@ -1,382 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: {{ .Release.Name }}-manager-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list -- apiGroups: - - mobility.storage.dell.com - resources: - - backups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mobility.storage.dell.com - resources: - - backups/finalizers - verbs: - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - backups/status - verbs: - - get - - patch - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - podvolumebackups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mobility.storage.dell.com - resources: - - podvolumebackups/finalizers - verbs: - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - podvolumebackups/status - verbs: - - get - - patch - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - podvolumerestores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mobility.storage.dell.com - resources: - - podvolumerestores/finalizers - verbs: - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - podvolumerestores/status - verbs: - - get - - patch - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - restores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mobility.storage.dell.com - resources: - - restores/finalizers - verbs: - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - restores/status - verbs: - - get - - patch - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - clusterconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mobility.storage.dell.com - resources: - - clusterconfigs/finalizers - verbs: - - update -- apiGroups: - - mobility.storage.dell.com - resources: - - clusterconfigs/status - verbs: - - get - - patch - - update -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - storage.k8s.io - resources: - - csidrivers - verbs: - - get - - list -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list -- apiGroups: - - velero.io - resources: - - backups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - velero.io - resources: - - backups/status - verbs: - - get - - list - - patch - - update -- apiGroups: - - velero.io - resources: - - backups/finalizers - verbs: - - update -- apiGroups: - - velero.io - resources: - - backupstoragelocations - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - velero.io - resources: - - deletebackuprequests - verbs: - - create - - delete - - get - - list - - watch -- apiGroups: - - velero.io - resources: - - podvolumebackups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - velero.io - resources: - - podvolumebackups/finalizers - verbs: - - update -- apiGroups: - - velero.io - resources: - - podvolumebackups/status - verbs: - - create - - get - - list - - patch - - update -- apiGroups: - - velero.io - resources: - - podvolumerestores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - velero.io - resources: - - resticrepositories - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - velero.io - resources: - - restores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - volumegroup.storage.dell.com - resources: - - dellcsivolumegroupsnapshots - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mobility.storage.dell.com - resources: - - schedules - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mobility.storage.dell.com - resources: - - schedules/status - verbs: - - get - - patch - - update diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-metrics-reader.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-metrics-reader.yaml deleted file mode 100644 index c63141d7..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-metrics-reader.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ .Release.Name }}-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-proxy-role.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-proxy-role.yaml deleted file mode 100644 index 363512b5..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrole_app-mobility-proxy-role.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ .Release.Name }}-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-manager-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-manager-rolebinding.yaml deleted file mode 100644 index d9016c4e..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-manager-rolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ .Release.Name }}-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Release.Name }}-manager-role -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-controller-manager - namespace: {{ include "custom.namespace" . }} diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-proxy-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-proxy-rolebinding.yaml deleted file mode 100644 index 75a3b458..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-proxy-rolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ .Release.Name }}-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Release.Name }}-proxy-role -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-controller-manager - namespace: {{ include "custom.namespace" . }} diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-leader-election-role.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-leader-election-role.yaml deleted file mode 100644 index e833ca8a..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-leader-election-role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ .Release.Name }}-leader-election-role - namespace: {{ include "custom.namespace" . }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-manager-role.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-manager-role.yaml deleted file mode 100644 index b476ae28..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-manager-role.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - name: {{ .Release.Name }}-manager-role - namespace: {{ include "custom.namespace" . }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - list - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-leader-election-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-leader-election-rolebinding.yaml deleted file mode 100644 index 3f7e1e75..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-leader-election-rolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ .Release.Name }}-leader-election-rolebinding - namespace: {{ include "custom.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Release.Name }}-leader-election-role -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-controller-manager - namespace: {{ include "custom.namespace" . }} diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-manager-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-manager-rolebinding.yaml deleted file mode 100644 index 35e377e4..00000000 --- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-manager-rolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ .Release.Name }}-manager-rolebinding - namespace: {{ include "custom.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Release.Name }}-manager-role -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-controller-manager - namespace: {{ include "custom.namespace" . }} diff --git a/charts/csm-application-mobility/templates/v1_configmap_app-mobility-manager-config.yaml b/charts/csm-application-mobility/templates/v1_configmap_app-mobility-manager-config.yaml deleted file mode 100644 index 98ab504b..00000000 --- a/charts/csm-application-mobility/templates/v1_configmap_app-mobility-manager-config.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -data: - controller_manager_config.yaml: "apiVersion: controller-runtime.sigs.k8s.io/v1alpha1\r\nkind: ControllerManagerConfig\r\nhealth:\r\n healthProbeBindAddress: :8081\r\nmetrics:\r\n bindAddress: 127.0.0.1:8080\r\nwebhook:\r\n port: 9443\r\nleaderElection:\r\n leaderElect: true\r\n resourceName: 50a66265.storage.dell.com\r\n" -kind: ConfigMap -metadata: - name: {{ .Release.Name }}-manager-config - namespace: {{ include "custom.namespace" . }} diff --git a/charts/csm-application-mobility/templates/v1_service_app-mobility-controller-manager-metrics-service.yaml b/charts/csm-application-mobility/templates/v1_service_app-mobility-controller-manager-metrics-service.yaml deleted file mode 100644 index e52d5ce1..00000000 --- a/charts/csm-application-mobility/templates/v1_service_app-mobility-controller-manager-metrics-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: {{ .Release.Name }}-controller-manager-metrics-service - namespace: {{ include "custom.namespace" . }} -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager diff --git a/charts/csm-application-mobility/templates/v1_service_app-mobility-webhook-service.yaml b/charts/csm-application-mobility/templates/v1_service_app-mobility-webhook-service.yaml deleted file mode 100644 index d2ee221f..00000000 --- a/charts/csm-application-mobility/templates/v1_service_app-mobility-webhook-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Release.Name }}-webhook-service - namespace: {{ include "custom.namespace" . }} -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - control-plane: controller-manager diff --git a/charts/csm-application-mobility/templates/v1_serviceaccount_app-mobility-controller-manager.yaml b/charts/csm-application-mobility/templates/v1_serviceaccount_app-mobility-controller-manager.yaml deleted file mode 100644 index a9c52060..00000000 --- a/charts/csm-application-mobility/templates/v1_serviceaccount_app-mobility-controller-manager.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Release.Name }}-controller-manager - namespace: {{ include "custom.namespace" . }} diff --git a/charts/csm-application-mobility/values.yaml b/charts/csm-application-mobility/values.yaml deleted file mode 100644 index 456c5853..00000000 --- a/charts/csm-application-mobility/values.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# Default values for csm-application-mobility. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - pullPolicy: IfNotPresent - -controller: - image: dellemc/csm-application-mobility-controller:v0.3.0 - -# csm-application-mobility requires cert-manager. If cert-manager is not already present in cluster, set enabled to true to install it too. -cert-manager: - enabled: false - -# csm-application-mobility requires velero. If velero is already installed on the cluster, specify the namespace in which velero is deployed. Default value is "velero" -veleroNamespace: velero - -# name of the license Secret used by csm-application-mobility. -licenseName: license - -# csm-application-mobility requires velero. If velero is already installed on the cluster, specify the name of the secret in velero namespace that has credentials to access object store. -# Default value is "cloud-credentials". -objectstore: - secretName: - -# csm-application-mobility requires velero. If velero is not already present in cluster, set enabled to true to install it too. -velero: - enabled: true - use-volume-snapshots: false - deployRestic: true - cleanUpCRDs: true - restic: - # Set to true if installing on OpenShift - privileged: false - - credentials: -# Optionally, specify the name of the pre-created secret in the release namespace that holds the object store credentials. Either this or secretContents should be specified. -# existingSecret: cloud-credentials -# Optionally, specify the name to be used for secret that will be created to hold object store credentials. Used in conjunction with secretContents. - name: cloud-creds -# Optionally, specify the object store access credentials to be stored in a secret with key "cloud". Either this or existingSecret should be provided. - secretContents: - cloud: | - [default] - aws_access_key_id=access_key - aws_secret_access_key=secret_access_key - -# Based on the objectstore being used , the velero plugin and its configuration may need to change! Below is the sample configuration for using aws object store. -# GCP and Azure plugins configuration are different. See more details at: https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/README.md - configuration: - provider: aws - backupStorageLocation: - name: default - bucket: velero-bucket - config: {} - # region: - # s3ForcePathStyle: - # s3Url: - # kmsKeyId: - # resourceGroup: - # The ID of the subscription containing the storage account, if different from the cluster’s subscription. (Azure only) - # subscriptionId: - # storageAccount: - # publicUrl: - # Name of the GCP service account to use for this backup storage location. Specify the - # service account here if you want to use workload identity instead of providing the key file.(GCP only) - # serviceAccount: - - initContainers: - - name: dell-custom-velero-plugin - image: dellemc/csm-application-mobility-velero-plugin:v0.3.0 - volumeMounts: - - mountPath: /target - name: plugins - # - name: velero-plugin-for-aws - # image: velero/velero-plugin-for-aws:v1.5.0 - # volumeMounts: - # - mountPath: /target - # name: plugins diff --git a/charts/csm-authorization-v2.0/.gitignore b/charts/csm-authorization-v2.0/.gitignore new file mode 100644 index 00000000..a4d58c62 --- /dev/null +++ b/charts/csm-authorization-v2.0/.gitignore @@ -0,0 +1,2 @@ +Chart.lock +charts/*tgz diff --git a/charts/csm-authorization-v2.0/.helmignore b/charts/csm-authorization-v2.0/.helmignore new file mode 100644 index 00000000..9d56613f --- /dev/null +++ b/charts/csm-authorization-v2.0/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +installer/ diff --git a/charts/csm-authorization-v2.0/Chart.yaml b/charts/csm-authorization-v2.0/Chart.yaml new file mode 100644 index 00000000..6a63fe79 --- /dev/null +++ b/charts/csm-authorization-v2.0/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +name: csm-authorization +version: v2.0.0-alpha +appVersion: v2.0.0-alpha +type: application +description: | + CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes + storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability + to apply RBAC for Dell CSI Drivers. +dependencies: + - name: cert-manager + version: 1.10.0 + repository: https://charts.jetstack.io + condition: cert-manager.enabled + - name: ingress-nginx + version: 4.0.19 + repository: https://kubernetes.github.io/ingress-nginx + condition: nginx.enabled diff --git a/charts/csm-application-mobility/README.md b/charts/csm-authorization-v2.0/README.md similarity index 56% rename from charts/csm-application-mobility/README.md rename to charts/csm-authorization-v2.0/README.md index 95e4a114..ced64c89 100644 --- a/charts/csm-application-mobility/README.md +++ b/charts/csm-authorization-v2.0/README.md @@ -8,12 +8,12 @@ You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 --> -# Container Storage Modules (CSM) for Application Mobility Dell Community Helm Chart +# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart -CSM for Application Mobility can be deployed using Helm. +CSM for Authorization V2 can be deployed using Helm. -For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/applicationmobility/deployment). +For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm). ## Helm Chart Versioning -For an explanation and examples on versioning/releasing the helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy). +For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy). diff --git a/charts/csm-authorization-v2.0/charts/redis/.helmignore b/charts/csm-authorization-v2.0/charts/redis/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/csm-authorization-v2.0/charts/redis/Chart.yaml b/charts/csm-authorization-v2.0/charts/redis/Chart.yaml new file mode 100644 index 00000000..c9994417 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: redis-csm +description: Helm Chart for Redis with Sentinels +type: application +version: 0.1.0 +appVersion: 0.1.0 diff --git a/charts/csm-authorization-v2.0/charts/redis/templates/_helpers.tpl b/charts/csm-authorization-v2.0/charts/redis/templates/_helpers.tpl new file mode 100644 index 00000000..629c0b30 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/csm-authorization-v2.0/charts/redis/templates/redis-cm.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/redis-cm.yaml new file mode 100644 index 00000000..f5849562 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/templates/redis-cm.yaml @@ -0,0 +1,2292 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: redis-csm-cm + namespace: {{ include "custom.namespace" . }} + +data: + redis.conf: | + # Redis configuration file example. + # + # Note that in order to read the configuration file, Redis must be + # started with the file path as first argument: + # + # ./redis-server /path/to/redis.conf + + # This will be set by our Init Container + # replicaof redis-master-0.redis-master.redis.svc.cluster.local 6379 + + # masterauth <> + # requirepass <> + + # Note on units: when memory size is needed, it is possible to specify + # it in the usual form of 1k 5GB 4M and so forth: + # + # 1k => 1000 bytes + # 1kb => 1024 bytes + # 1m => 1000000 bytes + # 1mb => 1024*1024 bytes + # 1g => 1000000000 bytes + # 1gb => 1024*1024*1024 bytes + # + # units are case insensitive so 1GB 1Gb 1gB are all the same. + + ################################## INCLUDES ################################### + + # Include one or more other config files here. This is useful if you + # have a standard template that goes to all Redis servers but also need + # to customize a few per-server settings. Include files can include + # other files, so use this wisely. + # + # Note that option "include" won't be rewritten by command "CONFIG REWRITE" + # from admin or Redis Sentinel. Since Redis always uses the last processed + # line as value of a configuration directive, you'd better put includes + # at the beginning of this file to avoid overwriting config change at runtime. + # + # If instead you are interested in using includes to override configuration + # options, it is better to use include as the last line. + # + # Included paths may contain wildcards. All files matching the wildcards will + # be included in alphabetical order. + # Note that if an include path contains a wildcards but no files match it when + # the server is started, the include statement will be ignored and no error will + # be emitted. It is safe, therefore, to include wildcard files from empty + # directories. + # + # include /path/to/local.conf + # include /path/to/other.conf + # include /path/to/fragments/*.conf + # + + ################################## MODULES ##################################### + + # Load modules at startup. If the server is not able to load modules + # it will abort. It is possible to use multiple loadmodule directives. + # + # loadmodule /path/to/my_module.so + # loadmodule /path/to/other_module.so + + ################################## NETWORK ##################################### + + # By default, if no "bind" configuration directive is specified, Redis listens + # for connections from all available network interfaces on the host machine. + # It is possible to listen to just one or multiple selected interfaces using + # the "bind" configuration directive, followed by one or more IP addresses. + # Each address can be prefixed by "-", which means that redis will not fail to + # start if the address is not available. Being not available only refers to + # addresses that does not correspond to any network interface. Addresses that + # are already in use will always fail, and unsupported protocols will always BE + # silently skipped. + # + # Examples: + # + # bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses + # bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6 + # bind * -::* # like the default, all available interfaces + # + # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the + # internet, binding to all the interfaces is dangerous and will expose the + # instance to everybody on the internet. So by default we uncomment the + # following bind directive, that will force Redis to listen only on the + # IPv4 and IPv6 (if available) loopback interface addresses (this means Redis + # will only be able to accept client connections from the same host that it is + # running on). + # + # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES + # COMMENT OUT THE FOLLOWING LINE. + # + # You will also need to set a password unless you explicitly disable protected + # mode. + # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + bind 0.0.0.0 + + # By default, outgoing connections (from replica to master, from Sentinel to + # instances, cluster bus, etc.) are not bound to a specific local address. In + # most cases, this means the operating system will handle that based on routing + # and the interface through which the connection goes out. + # + # Using bind-source-addr it is possible to configure a specific address to bind + # to, which may also affect how the connection gets routed. + # + # Example: + # + # bind-source-addr 10.0.0.1 + + # Protected mode is a layer of security protection, in order to avoid that + # Redis instances left open on the internet are accessed and exploited. + # + # When protected mode is on and the default user has no password, the server + # only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address + # (::1) or Unix domain sockets. + # + # By default protected mode is enabled. You should disable it only if + # you are sure you want clients from other hosts to connect to Redis + # even if no authentication is configured. + protected-mode no + + # Redis uses default hardened security configuration directives to reduce the + # attack surface on innocent users. Therefore, several sensitive configuration + # directives are immutable, and some potentially-dangerous commands are blocked. + # + # Configuration directives that control files that Redis writes to (e.g., 'dir' + # and 'dbfilename') and that aren't usually modified during runtime + # are protected by making them immutable. + # + # Commands that can increase the attack surface of Redis and that aren't usually + # called by users are blocked by default. + # + # These can be exposed to either all connections or just local ones by setting + # each of the configs listed below to either of these values: + # + # no - Block for any connection (remain immutable) + # yes - Allow for any connection (no protection) + # local - Allow only for local connections. Ones originating from the + # IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets. + # + # enable-protected-configs no + # enable-debug-command no + # enable-module-command no + + # Accept connections on the specified port, default is 6379 (IANA #815344). + # If port 0 is specified Redis will not listen on a TCP socket. + port 6379 + + # TCP listen() backlog. + # + # In high requests-per-second environments you need a high backlog in order + # to avoid slow clients connection issues. Note that the Linux kernel + # will silently truncate it to the value of /proc/sys/net/core/somaxconn so + # make sure to raise both the value of somaxconn and tcp_max_syn_backlog + # in order to get the desired effect. + tcp-backlog 511 + + # Unix socket. + # + # Specify the path for the Unix socket that will be used to listen for + # incoming connections. There is no default, so Redis will not listen + # on a unix socket when not specified. + # + # unixsocket /run/redis.sock + # unixsocketperm 700 + + # Close the connection after a client is idle for N seconds (0 to disable) + timeout 0 + + # TCP keepalive. + # + # If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence + # of communication. This is useful for two reasons: + # + # 1) Detect dead peers. + # 2) Force network equipment in the middle to consider the connection to be + # alive. + # + # On Linux, the specified value (in seconds) is the period used to send ACKs. + # Note that to close the connection the double of the time is needed. + # On other kernels the period depends on the kernel configuration. + # + # A reasonable value for this option is 300 seconds, which is the new + # Redis default starting with Redis 3.2.1. + tcp-keepalive 300 + + # Apply OS-specific mechanism to mark the listening socket with the specified + # ID, to support advanced routing and filtering capabilities. + # + # On Linux, the ID represents a connection mark. + # On FreeBSD, the ID represents a socket cookie ID. + # On OpenBSD, the ID represents a route table ID. + # + # The default value is 0, which implies no marking is required. + # socket-mark-id 0 + + ################################# TLS/SSL ##################################### + + # By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration + # directive can be used to define TLS-listening ports. To enable TLS on the + # default port, use: + # + # port 0 + # tls-port 6379 + + # Configure a X.509 certificate and private key to use for authenticating the + # server to connected clients, masters or cluster peers. These files should be + # PEM formatted. + # + # tls-cert-file redis.crt + # tls-key-file redis.key + # + # If the key file is encrypted using a passphrase, it can be included here + # as well. + # + # tls-key-file-pass secret + + # Normally Redis uses the same certificate for both server functions (accepting + # connections) and client functions (replicating from a master, establishing + # cluster bus connections, etc.). + # + # Sometimes certificates are issued with attributes that designate them as + # client-only or server-only certificates. In that case it may be desired to use + # different certificates for incoming (server) and outgoing (client) + # connections. To do that, use the following directives: + # + # tls-client-cert-file client.crt + # tls-client-key-file client.key + # + # If the key file is encrypted using a passphrase, it can be included here + # as well. + # + # tls-client-key-file-pass secret + + # Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange, + # required by older versions of OpenSSL (<3.0). Newer versions do not require + # this configuration and recommend against it. + # + # tls-dh-params-file redis.dh + + # Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL + # clients and peers. Redis requires an explicit configuration of at least one + # of these, and will not implicitly use the system wide configuration. + # + # tls-ca-cert-file ca.crt + # tls-ca-cert-dir /etc/ssl/certs + + # By default, clients (including replica servers) on a TLS port are required + # to authenticate using valid client side certificates. + # + # If "no" is specified, client certificates are not required and not accepted. + # If "optional" is specified, client certificates are accepted and must be + # valid if provided, but are not required. + # + # tls-auth-clients no + # tls-auth-clients optional + + # By default, a Redis replica does not attempt to establish a TLS connection + # with its master. + # + # Use the following directive to enable TLS on replication links. + # + # tls-replication yes + + # By default, the Redis Cluster bus uses a plain TCP connection. To enable + # TLS for the bus protocol, use the following directive: + # + # tls-cluster yes + + # By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended + # that older formally deprecated versions are kept disabled to reduce the attack surface. + # You can explicitly specify TLS versions to support. + # Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2", + # "TLSv1.3" (OpenSSL >= 1.1.1) or any combination. + # To enable only TLSv1.2 and TLSv1.3, use: + # + # tls-protocols "TLSv1.2 TLSv1.3" + + # Configure allowed ciphers. See the ciphers(1ssl) manpage for more information + # about the syntax of this string. + # + # Note: this configuration applies only to <= TLSv1.2. + # + # tls-ciphers DEFAULT:!MEDIUM + + # Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more + # information about the syntax of this string, and specifically for TLSv1.3 + # ciphersuites. + # + # tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256 + + # When choosing a cipher, use the server's preference instead of the client + # preference. By default, the server follows the client's preference. + # + # tls-prefer-server-ciphers yes + + # By default, TLS session caching is enabled to allow faster and less expensive + # reconnections by clients that support it. Use the following directive to disable + # caching. + # + # tls-session-caching no + + # Change the default number of TLS sessions cached. A zero value sets the cache + # to unlimited size. The default size is 20480. + # + # tls-session-cache-size 5000 + + # Change the default timeout of cached TLS sessions. The default timeout is 300 + # seconds. + # + # tls-session-cache-timeout 60 + + ################################# GENERAL ##################################### + + # By default Redis does not run as a daemon. Use 'yes' if you need it. + # Note that Redis will write a pid file in /var/run/redis.pid when daemonized. + # When Redis is supervised by upstart or systemd, this parameter has no impact. + daemonize no + + # If you run Redis from upstart or systemd, Redis can interact with your + # supervision tree. Options: + # supervised no - no supervision interaction + # supervised upstart - signal upstart by putting Redis into SIGSTOP mode + # requires "expect stop" in your upstart job config + # supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET + # on startup, and updating Redis status on a regular + # basis. + # supervised auto - detect upstart or systemd method based on + # UPSTART_JOB or NOTIFY_SOCKET environment variables + # Note: these supervision methods only signal "process is ready." + # They do not enable continuous pings back to your supervisor. + # + # The default is "no". To run under upstart/systemd, you can simply uncomment + # the line below: + # + # supervised auto + + # If a pid file is specified, Redis writes it where specified at startup + # and removes it at exit. + # + # When the server runs non daemonized, no pid file is created if none is + # specified in the configuration. When the server is daemonized, the pid file + # is used even if not specified, defaulting to "/var/run/redis.pid". + # + # Creating a pid file is best effort: if Redis is not able to create it + # nothing bad happens, the server will start and run normally. + # + # Note that on modern Linux systems "/run/redis.pid" is more conforming + # and should be used instead. + pidfile /var/run/redis_6379.pid + + # Specify the server verbosity level. + # This can be one of: + # debug (a lot of information, useful for development/testing) + # verbose (many rarely useful info, but not a mess like the debug level) + # notice (moderately verbose, what you want in production probably) + # warning (only very important / critical messages are logged) + loglevel notice + + # Specify the log file name. Also the empty string can be used to force + # Redis to log on the standard output. Note that if you use standard + # output for logging but daemonize, logs will be sent to /dev/null + logfile "" + + # To enable logging to the system logger, just set 'syslog-enabled' to yes, + # and optionally update the other syslog parameters to suit your needs. + # syslog-enabled no + + # Specify the syslog identity. + # syslog-ident redis + + # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. + # syslog-facility local0 + + # To disable the built in crash log, which will possibly produce cleaner core + # dumps when they are needed, uncomment the following: + # + # crash-log-enabled no + + # To disable the fast memory check that's run as part of the crash log, which + # will possibly let redis terminate sooner, uncomment the following: + # + # crash-memcheck-enabled no + + # Set the number of databases. The default database is DB 0, you can select + # a different one on a per-connection basis using SELECT where + # dbid is a number between 0 and 'databases'-1 + databases 16 + + # By default Redis shows an ASCII art logo only when started to log to the + # standard output and if the standard output is a TTY and syslog logging is + # disabled. Basically this means that normally a logo is displayed only in + # interactive sessions. + # + # However it is possible to force the pre-4.0 behavior and always show a + # ASCII art logo in startup logs by setting the following option to yes. + always-show-logo no + + # By default, Redis modifies the process title (as seen in 'top' and 'ps') to + # provide some runtime information. It is possible to disable this and leave + # the process name as executed by setting the following to no. + set-proc-title yes + + # When changing the process title, Redis uses the following template to construct + # the modified title. + # + # Template variables are specified in curly brackets. The following variables are + # supported: + # + # {title} Name of process as executed if parent, or type of child process. + # {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or + # Unix socket if only that's available. + # {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]". + # {port} TCP port listening on, or 0. + # {tls-port} TLS port listening on, or 0. + # {unixsocket} Unix domain socket listening on, or "". + # {config-file} Name of configuration file used. + # + proc-title-template "{title} {listen-addr} {server-mode}" + + ################################ SNAPSHOTTING ################################ + + # Save the DB to disk. + # + # save [ ...] + # + # Redis will save the DB if the given number of seconds elapsed and it + # surpassed the given number of write operations against the DB. + # + # Snapshotting can be completely disabled with a single empty string argument + # as in following example: + # + # save "" + # + # Unless specified otherwise, by default Redis will save the DB: + # * After 3600 seconds (an hour) if at least 1 change was performed + # * After 300 seconds (5 minutes) if at least 100 changes were performed + # * After 60 seconds if at least 10000 changes were performed + # + # You can set these explicitly by uncommenting the following line. + # + # save 3600 1 300 100 60 10000 + + save 900 1 300 10 60 10000 + + # By default Redis will stop accepting writes if RDB snapshots are enabled + # (at least one save point) and the latest background save failed. + # This will make the user aware (in a hard way) that data is not persisting + # on disk properly, otherwise chances are that no one will notice and some + # disaster will happen. + # + # If the background saving process will start working again Redis will + # automatically allow writes again. + # + # However if you have setup your proper monitoring of the Redis server + # and persistence, you may want to disable this feature so that Redis will + # continue to work as usual even if there are problems with disk, + # permissions, and so forth. + stop-writes-on-bgsave-error yes + + # Compress string objects using LZF when dump .rdb databases? + # By default compression is enabled as it's almost always a win. + # If you want to save some CPU in the saving child set it to 'no' but + # the dataset will likely be bigger if you have compressible values or keys. + rdbcompression yes + + # Since version 5 of RDB a CRC64 checksum is placed at the end of the file. + # This makes the format more resistant to corruption but there is a performance + # hit to pay (around 10%) when saving and loading RDB files, so you can disable it + # for maximum performances. + # + # RDB files created with checksum disabled have a checksum of zero that will + # tell the loading code to skip the check. + rdbchecksum yes + + # Enables or disables full sanitization checks for ziplist and listpack etc when + # loading an RDB or RESTORE payload. This reduces the chances of a assertion or + # crash later on while processing commands. + # Options: + # no - Never perform full sanitization + # yes - Always perform full sanitization + # clients - Perform full sanitization only for user connections. + # Excludes: RDB files, RESTORE commands received from the master + # connection, and client connections which have the + # skip-sanitize-payload ACL flag. + # The default should be 'clients' but since it currently affects cluster + # resharding via MIGRATE, it is temporarily set to 'no' by default. + # + # sanitize-dump-payload no + + # The filename where to dump the DB + dbfilename dump.rdb + + # Remove RDB files used by replication in instances without persistence + # enabled. By default this option is disabled, however there are environments + # where for regulations or other security concerns, RDB files persisted on + # disk by masters in order to feed replicas, or stored on disk by replicas + # in order to load them for the initial synchronization, should be deleted + # ASAP. Note that this option ONLY WORKS in instances that have both AOF + # and RDB persistence disabled, otherwise is completely ignored. + # + # An alternative (and sometimes better) way to obtain the same effect is + # to use diskless replication on both master and replicas instances. However + # in the case of replicas, diskless is not always an option. + rdb-del-sync-files no + + # The working directory. + # + # The DB will be written inside this directory, with the filename specified + # above using the 'dbfilename' configuration directive. + # + # The Append Only File will also be created inside this directory. + # + # Note that you must specify a directory here, not a file name. + dir /data + + ################################# REPLICATION ################################# + + # Master-Replica replication. Use replicaof to make a Redis instance a copy of + # another Redis server. A few things to understand ASAP about Redis replication. + # + # +------------------+ +---------------+ + # | Master | ---> | Replica | + # | (receive writes) | | (exact copy) | + # +------------------+ +---------------+ + # + # 1) Redis replication is asynchronous, but you can configure a master to + # stop accepting writes if it appears to be not connected with at least + # a given number of replicas. + # 2) Redis replicas are able to perform a partial resynchronization with the + # master if the replication link is lost for a relatively small amount of + # time. You may want to configure the replication backlog size (see the next + # sections of this file) with a sensible value depending on your needs. + # 3) Replication is automatic and does not need user intervention. After a + # network partition replicas automatically try to reconnect to masters + # and resynchronize with them. + # + # replicaof + + # If the master is password protected (using the "requirepass" configuration + # directive below) it is possible to tell the replica to authenticate before + # starting the replication synchronization process, otherwise the master will + # refuse the replica request. + # + # masterauth + # + # However this is not enough if you are using Redis ACLs (for Redis version + # 6 or greater), and the default user is not capable of running the PSYNC + # command and/or other commands needed for replication. In this case it's + # better to configure a special user to use with replication, and specify the + # masteruser configuration as such: + # + # masteruser + # + # When masteruser is specified, the replica will authenticate against its + # master using the new AUTH form: AUTH . + + # When a replica loses its connection with the master, or when the replication + # is still in progress, the replica can act in two different ways: + # + # 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will + # still reply to client requests, possibly with out of date data, or the + # data set may just be empty if this is the first synchronization. + # + # 2) If replica-serve-stale-data is set to 'no' the replica will reply with error + # "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'" + # to all data access commands, excluding commands such as: + # INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE, + # UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST, + # HOST and LATENCY. + # + replica-serve-stale-data yes + + # You can configure a replica instance to accept writes or not. Writing against + # a replica instance may be useful to store some ephemeral data (because data + # written on a replica will be easily deleted after resync with the master) but + # may also cause problems if clients are writing to it because of a + # misconfiguration. + # + # Since Redis 2.6 by default replicas are read-only. + # + # Note: read only replicas are not designed to be exposed to untrusted clients + # on the internet. It's just a protection layer against misuse of the instance. + # Still a read only replica exports by default all the administrative commands + # such as CONFIG, DEBUG, and so forth. To a limited extent you can improve + # security of read only replicas using 'rename-command' to shadow all the + # administrative / dangerous commands. + replica-read-only yes + + # Replication SYNC strategy: disk or socket. + # + # New replicas and reconnecting replicas that are not able to continue the + # replication process just receiving differences, need to do what is called a + # "full synchronization". An RDB file is transmitted from the master to the + # replicas. + # + # The transmission can happen in two different ways: + # + # 1) Disk-backed: The Redis master creates a new process that writes the RDB + # file on disk. Later the file is transferred by the parent + # process to the replicas incrementally. + # 2) Diskless: The Redis master creates a new process that directly writes the + # RDB file to replica sockets, without touching the disk at all. + # + # With disk-backed replication, while the RDB file is generated, more replicas + # can be queued and served with the RDB file as soon as the current child + # producing the RDB file finishes its work. With diskless replication instead + # once the transfer starts, new replicas arriving will be queued and a new + # transfer will start when the current one terminates. + # + # When diskless replication is used, the master waits a configurable amount of + # time (in seconds) before starting the transfer in the hope that multiple + # replicas will arrive and the transfer can be parallelized. + # + # With slow disks and fast (large bandwidth) networks, diskless replication + # works better. + repl-diskless-sync yes + + # When diskless replication is enabled, it is possible to configure the delay + # the server waits in order to spawn the child that transfers the RDB via socket + # to the replicas. + # + # This is important since once the transfer starts, it is not possible to serve + # new replicas arriving, that will be queued for the next RDB transfer, so the + # server waits a delay in order to let more replicas arrive. + # + # The delay is specified in seconds, and by default is 5 seconds. To disable + # it entirely just set it to 0 seconds and the transfer will start ASAP. + repl-diskless-sync-delay 5 + + # When diskless replication is enabled with a delay, it is possible to let + # the replication start before the maximum delay is reached if the maximum + # number of replicas expected have connected. Default of 0 means that the + # maximum is not defined and Redis will wait the full delay. + repl-diskless-sync-max-replicas 0 + + # ----------------------------------------------------------------------------- + # WARNING: RDB diskless load is experimental. Since in this setup the replica + # does not immediately store an RDB on disk, it may cause data loss during + # failovers. RDB diskless load + Redis modules not handling I/O reads may also + # cause Redis to abort in case of I/O errors during the initial synchronization + # stage with the master. Use only if you know what you are doing. + # ----------------------------------------------------------------------------- + # + # Replica can load the RDB it reads from the replication link directly from the + # socket, or store the RDB to a file and read that file after it was completely + # received from the master. + # + # In many cases the disk is slower than the network, and storing and loading + # the RDB file may increase replication time (and even increase the master's + # Copy on Write memory and replica buffers). + # However, parsing the RDB file directly from the socket may mean that we have + # to flush the contents of the current database before the full rdb was + # received. For this reason we have the following options: + # + # "disabled" - Don't use diskless load (store the rdb file to the disk first) + # "on-empty-db" - Use diskless load only when it is completely safe. + # "swapdb" - Keep current db contents in RAM while parsing the data directly + # from the socket. Replicas in this mode can keep serving current + # data set while replication is in progress, except for cases where + # they can't recognize master as having a data set from same + # replication history. + # Note that this requires sufficient memory, if you don't have it, + # you risk an OOM kill. + repl-diskless-load disabled + + # Master send PINGs to its replicas in a predefined interval. It's possible to + # change this interval with the repl_ping_replica_period option. The default + # value is 10 seconds. + # + # repl-ping-replica-period 10 + + # The following option sets the replication timeout for: + # + # 1) Bulk transfer I/O during SYNC, from the point of view of replica. + # 2) Master timeout from the point of view of replicas (data, pings). + # 3) Replica timeout from the point of view of masters (REPLCONF ACK pings). + # + # It is important to make sure that this value is greater than the value + # specified for repl-ping-replica-period otherwise a timeout will be detected + # every time there is low traffic between the master and the replica. The default + # value is 60 seconds. + # + # repl-timeout 60 + + # Disable TCP_NODELAY on the replica socket after SYNC? + # + # If you select "yes" Redis will use a smaller number of TCP packets and + # less bandwidth to send data to replicas. But this can add a delay for + # the data to appear on the replica side, up to 40 milliseconds with + # Linux kernels using a default configuration. + # + # If you select "no" the delay for data to appear on the replica side will + # be reduced but more bandwidth will be used for replication. + # + # By default we optimize for low latency, but in very high traffic conditions + # or when the master and replicas are many hops away, turning this to "yes" may + # be a good idea. + repl-disable-tcp-nodelay no + + # Set the replication backlog size. The backlog is a buffer that accumulates + # replica data when replicas are disconnected for some time, so that when a + # replica wants to reconnect again, often a full resync is not needed, but a + # partial resync is enough, just passing the portion of data the replica + # missed while disconnected. + # + # The bigger the replication backlog, the longer the replica can endure the + # disconnect and later be able to perform a partial resynchronization. + # + # The backlog is only allocated if there is at least one replica connected. + # + # repl-backlog-size 1mb + + # After a master has no connected replicas for some time, the backlog will be + # freed. The following option configures the amount of seconds that need to + # elapse, starting from the time the last replica disconnected, for the backlog + # buffer to be freed. + # + # Note that replicas never free the backlog for timeout, since they may be + # promoted to masters later, and should be able to correctly "partially + # resynchronize" with other replicas: hence they should always accumulate backlog. + # + # A value of 0 means to never release the backlog. + # + # repl-backlog-ttl 3600 + + # The replica priority is an integer number published by Redis in the INFO + # output. It is used by Redis Sentinel in order to select a replica to promote + # into a master if the master is no longer working correctly. + # + # A replica with a low priority number is considered better for promotion, so + # for instance if there are three replicas with priority 10, 100, 25 Sentinel + # will pick the one with priority 10, that is the lowest. + # + # However a special priority of 0 marks the replica as not able to perform the + # role of master, so a replica with priority of 0 will never be selected by + # Redis Sentinel for promotion. + # + # By default the priority is 100. + replica-priority 100 + + # The propagation error behavior controls how Redis will behave when it is + # unable to handle a command being processed in the replication stream from a master + # or processed while reading from an AOF file. Errors that occur during propagation + # are unexpected, and can cause data inconsistency. However, there are edge cases + # in earlier versions of Redis where it was possible for the server to replicate or persist + # commands that would fail on future versions. For this reason the default behavior + # is to ignore such errors and continue processing commands. + # + # If an application wants to ensure there is no data divergence, this configuration + # should be set to 'panic' instead. The value can also be set to 'panic-on-replicas' + # to only panic when a replica encounters an error on the replication stream. One of + # these two panic values will become the default value in the future once there are + # sufficient safety mechanisms in place to prevent false positive crashes. + # + # propagation-error-behavior ignore + + # Replica ignore disk write errors controls the behavior of a replica when it is + # unable to persist a write command received from its master to disk. By default, + # this configuration is set to 'no' and will crash the replica in this condition. + # It is not recommended to change this default, however in order to be compatible + # with older versions of Redis this config can be toggled to 'yes' which will just + # log a warning and execute the write command it got from the master. + # + # replica-ignore-disk-write-errors no + + # ----------------------------------------------------------------------------- + # By default, Redis Sentinel includes all replicas in its reports. A replica + # can be excluded from Redis Sentinel's announcements. An unannounced replica + # will be ignored by the 'sentinel replicas ' command and won't be + # exposed to Redis Sentinel's clients. + # + # This option does not change the behavior of replica-priority. Even with + # replica-announced set to 'no', the replica can be promoted to master. To + # prevent this behavior, set replica-priority to 0. + # + # replica-announced yes + + # It is possible for a master to stop accepting writes if there are less than + # N replicas connected, having a lag less or equal than M seconds. + # + # The N replicas need to be in "online" state. + # + # The lag in seconds, that must be <= the specified value, is calculated from + # the last ping received from the replica, that is usually sent every second. + # + # This option does not GUARANTEE that N replicas will accept the write, but + # will limit the window of exposure for lost writes in case not enough replicas + # are available, to the specified number of seconds. + # + # For example to require at least 3 replicas with a lag <= 10 seconds use: + # + # min-replicas-to-write 3 + # min-replicas-max-lag 10 + # + # Setting one or the other to 0 disables the feature. + # + # By default min-replicas-to-write is set to 0 (feature disabled) and + # min-replicas-max-lag is set to 10. + + # A Redis master is able to list the address and port of the attached + # replicas in different ways. For example the "INFO replication" section + # offers this information, which is used, among other tools, by + # Redis Sentinel in order to discover replica instances. + # Another place where this info is available is in the output of the + # "ROLE" command of a master. + # + # The listed IP address and port normally reported by a replica is + # obtained in the following way: + # + # IP: The address is auto detected by checking the peer address + # of the socket used by the replica to connect with the master. + # + # Port: The port is communicated by the replica during the replication + # handshake, and is normally the port that the replica is using to + # listen for connections. + # + # However when port forwarding or Network Address Translation (NAT) is + # used, the replica may actually be reachable via different IP and port + # pairs. The following two options can be used by a replica in order to + # report to its master a specific set of IP and port, so that both INFO + # and ROLE will report those values. + # + # There is no need to use both the options if you need to override just + # the port or the IP address. + # + # replica-announce-ip 5.5.5.5 + # replica-announce-port 1234 + + ############################### KEYS TRACKING ################################# + + # Redis implements server assisted support for client side caching of values. + # This is implemented using an invalidation table that remembers, using + # a radix key indexed by key name, what clients have which keys. In turn + # this is used in order to send invalidation messages to clients. Please + # check this page to understand more about the feature: + # + # https://redis.io/topics/client-side-caching + # + # When tracking is enabled for a client, all the read only queries are assumed + # to be cached: this will force Redis to store information in the invalidation + # table. When keys are modified, such information is flushed away, and + # invalidation messages are sent to the clients. However if the workload is + # heavily dominated by reads, Redis could use more and more memory in order + # to track the keys fetched by many clients. + # + # For this reason it is possible to configure a maximum fill value for the + # invalidation table. By default it is set to 1M of keys, and once this limit + # is reached, Redis will start to evict keys in the invalidation table + # even if they were not modified, just to reclaim memory: this will in turn + # force the clients to invalidate the cached values. Basically the table + # maximum size is a trade off between the memory you want to spend server + # side to track information about who cached what, and the ability of clients + # to retain cached objects in memory. + # + # If you set the value to 0, it means there are no limits, and Redis will + # retain as many keys as needed in the invalidation table. + # In the "stats" INFO section, you can find information about the number of + # keys in the invalidation table at every given moment. + # + # Note: when key tracking is used in broadcasting mode, no memory is used + # in the server side so this setting is useless. + # + # tracking-table-max-keys 1000000 + + ################################## SECURITY ################################### + + # Warning: since Redis is pretty fast, an outside user can try up to + # 1 million passwords per second against a modern box. This means that you + # should use very strong passwords, otherwise they will be very easy to break. + # Note that because the password is really a shared secret between the client + # and the server, and should not be memorized by any human, the password + # can be easily a long string from /dev/urandom or whatever, so by using a + # long and unguessable password no brute force attack will be possible. + + # Redis ACL users are defined in the following format: + # + # user ... acl rules ... + # + # For example: + # + # user worker +@list +@connection ~jobs:* on >ffa9203c493aa99 + # + # The special username "default" is used for new connections. If this user + # has the "nopass" rule, then new connections will be immediately authenticated + # as the "default" user without the need of any password provided via the + # AUTH command. Otherwise if the "default" user is not flagged with "nopass" + # the connections will start in not authenticated state, and will require + # AUTH (or the HELLO command AUTH option) in order to be authenticated and + # start to work. + # + # The ACL rules that describe what a user can do are the following: + # + # on Enable the user: it is possible to authenticate as this user. + # off Disable the user: it's no longer possible to authenticate + # with this user, however the already authenticated connections + # will still work. + # skip-sanitize-payload RESTORE dump-payload sanitization is skipped. + # sanitize-payload RESTORE dump-payload is sanitized (default). + # + Allow the execution of that command. + # May be used with `|` for allowing subcommands (e.g "+config|get") + # - Disallow the execution of that command. + # May be used with `|` for blocking subcommands (e.g "-config|set") + # +@ Allow the execution of all the commands in such category + # with valid categories are like @admin, @set, @sortedset, ... + # and so forth, see the full list in the server.c file where + # the Redis command table is described and defined. + # The special category @all means all the commands, but currently + # present in the server, and that will be loaded in the future + # via modules. + # +|first-arg Allow a specific first argument of an otherwise + # disabled command. It is only supported on commands with + # no sub-commands, and is not allowed as negative form + # like -SELECT|1, only additive starting with "+". This + # feature is deprecated and may be removed in the future. + # allcommands Alias for +@all. Note that it implies the ability to execute + # all the future commands loaded via the modules system. + # nocommands Alias for -@all. + # ~ Add a pattern of keys that can be mentioned as part of + # commands. For instance ~* allows all the keys. The pattern + # is a glob-style pattern like the one of KEYS. + # It is possible to specify multiple patterns. + # %R~ Add key read pattern that specifies which keys can be read + # from. + # %W~ Add key write pattern that specifies which keys can be + # written to. + # allkeys Alias for ~* + # resetkeys Flush the list of allowed keys patterns. + # & Add a glob-style pattern of Pub/Sub channels that can be + # accessed by the user. It is possible to specify multiple channel + # patterns. + # allchannels Alias for &* + # resetchannels Flush the list of allowed channel patterns. + # > Add this password to the list of valid password for the user. + # For example >mypass will add "mypass" to the list. + # This directive clears the "nopass" flag (see later). + # < Remove this password from the list of valid passwords. + # nopass All the set passwords of the user are removed, and the user + # is flagged as requiring no password: it means that every + # password will work against this user. If this directive is + # used for the default user, every new connection will be + # immediately authenticated with the default user without + # any explicit AUTH command required. Note that the "resetpass" + # directive will clear this condition. + # resetpass Flush the list of allowed passwords. Moreover removes the + # "nopass" status. After "resetpass" the user has no associated + # passwords and there is no way to authenticate without adding + # some password (or setting it as "nopass" later). + # reset Performs the following actions: resetpass, resetkeys, off, + # -@all. The user returns to the same state it has immediately + # after its creation. + # () Create a new selector with the options specified within the + # parentheses and attach it to the user. Each option should be + # space separated. The first character must be ( and the last + # character must be ). + # clearselectors Remove all of the currently attached selectors. + # Note this does not change the "root" user permissions, + # which are the permissions directly applied onto the + # user (outside the parentheses). + # + # ACL rules can be specified in any order: for instance you can start with + # passwords, then flags, or key patterns. However note that the additive + # and subtractive rules will CHANGE MEANING depending on the ordering. + # For instance see the following example: + # + # user alice on +@all -DEBUG ~* >somepassword + # + # This will allow "alice" to use all the commands with the exception of the + # DEBUG command, since +@all added all the commands to the set of the commands + # alice can use, and later DEBUG was removed. However if we invert the order + # of two ACL rules the result will be different: + # + # user alice on -DEBUG +@all ~* >somepassword + # + # Now DEBUG was removed when alice had yet no commands in the set of allowed + # commands, later all the commands are added, so the user will be able to + # execute everything. + # + # Basically ACL rules are processed left-to-right. + # + # The following is a list of command categories and their meanings: + # * keyspace - Writing or reading from keys, databases, or their metadata + # in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE, + # KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace, + # key or metadata will also have `write` category. Commands that only read + # the keyspace, key or metadata will have the `read` category. + # * read - Reading from keys (values or metadata). Note that commands that don't + # interact with keys, will not have either `read` or `write`. + # * write - Writing to keys (values or metadata) + # * admin - Administrative commands. Normal applications will never need to use + # these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc. + # * dangerous - Potentially dangerous (each should be considered with care for + # various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS, + # CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc. + # * connection - Commands affecting the connection or other connections. + # This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc. + # * blocking - Potentially blocking the connection until released by another + # command. + # * fast - Fast O(1) commands. May loop on the number of arguments, but not the + # number of elements in the key. + # * slow - All commands that are not Fast. + # * pubsub - PUBLISH / SUBSCRIBE related + # * transaction - WATCH / MULTI / EXEC related commands. + # * scripting - Scripting related. + # * set - Data type: sets related. + # * sortedset - Data type: zsets related. + # * list - Data type: lists related. + # * hash - Data type: hashes related. + # * string - Data type: strings related. + # * bitmap - Data type: bitmaps related. + # * hyperloglog - Data type: hyperloglog related. + # * geo - Data type: geo related. + # * stream - Data type: streams related. + # + # For more information about ACL configuration please refer to + # the Redis web site at https://redis.io/topics/acl + + # ACL LOG + # + # The ACL Log tracks failed commands and authentication events associated + # with ACLs. The ACL Log is useful to troubleshoot failed commands blocked + # by ACLs. The ACL Log is stored in memory. You can reclaim memory with + # ACL LOG RESET. Define the maximum entry length of the ACL Log below. + acllog-max-len 128 + + # Using an external ACL file + # + # Instead of configuring users here in this file, it is possible to use + # a stand-alone file just listing users. The two methods cannot be mixed: + # if you configure users here and at the same time you activate the external + # ACL file, the server will refuse to start. + # + # The format of the external ACL user file is exactly the same as the + # format that is used inside redis.conf to describe users. + # + # aclfile /etc/redis/users.acl + + # IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility + # layer on top of the new ACL system. The option effect will be just setting + # the password for the default user. Clients will still authenticate using + # AUTH as usually, or more explicitly with AUTH default + # if they follow the new protocol: both will work. + # + # The requirepass is not compatible with aclfile option and the ACL LOAD + # command, these will cause requirepass to be ignored. + # + # requirepass foobared + + # New users are initialized with restrictive permissions by default, via the + # equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it + # is possible to manage access to Pub/Sub channels with ACL rules as well. The + # default Pub/Sub channels permission if new users is controlled by the + # acl-pubsub-default configuration directive, which accepts one of these values: + # + # allchannels: grants access to all Pub/Sub channels + # resetchannels: revokes access to all Pub/Sub channels + # + # From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission. + # + # acl-pubsub-default resetchannels + + # Command renaming (DEPRECATED). + # + # ------------------------------------------------------------------------ + # WARNING: avoid using this option if possible. Instead use ACLs to remove + # commands from the default user, and put them only in some admin user you + # create for administrative purposes. + # ------------------------------------------------------------------------ + # + # It is possible to change the name of dangerous commands in a shared + # environment. For instance the CONFIG command may be renamed into something + # hard to guess so that it will still be available for internal-use tools + # but not available for general clients. + # + # Example: + # + # rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 + # + # It is also possible to completely kill a command by renaming it into + # an empty string: + # + # rename-command CONFIG "" + # + # Please note that changing the name of commands that are logged into the + # AOF file or transmitted to replicas may cause problems. + + ################################### CLIENTS #################################### + + # Set the max number of connected clients at the same time. By default + # this limit is set to 10000 clients, however if the Redis server is not + # able to configure the process file limit to allow for the specified limit + # the max number of allowed clients is set to the current file limit + # minus 32 (as Redis reserves a few file descriptors for internal uses). + # + # Once the limit is reached Redis will close all the new connections sending + # an error 'max number of clients reached'. + # + # IMPORTANT: When Redis Cluster is used, the max number of connections is also + # shared with the cluster bus: every node in the cluster will use two + # connections, one incoming and another outgoing. It is important to size the + # limit accordingly in case of very large clusters. + # + # maxclients 10000 + + ############################## MEMORY MANAGEMENT ################################ + + # Set a memory usage limit to the specified amount of bytes. + # When the memory limit is reached Redis will try to remove keys + # according to the eviction policy selected (see maxmemory-policy). + # + # If Redis can't remove keys according to the policy, or if the policy is + # set to 'noeviction', Redis will start to reply with errors to commands + # that would use more memory, like SET, LPUSH, and so on, and will continue + # to reply to read-only commands like GET. + # + # This option is usually useful when using Redis as an LRU or LFU cache, or to + # set a hard memory limit for an instance (using the 'noeviction' policy). + # + # WARNING: If you have replicas attached to an instance with maxmemory on, + # the size of the output buffers needed to feed the replicas are subtracted + # from the used memory count, so that network problems / resyncs will + # not trigger a loop where keys are evicted, and in turn the output + # buffer of replicas is full with DELs of keys evicted triggering the deletion + # of more keys, and so forth until the database is completely emptied. + # + # In short... if you have replicas attached it is suggested that you set a lower + # limit for maxmemory so that there is some free RAM on the system for replica + # output buffers (but this is not needed if the policy is 'noeviction'). + # + # maxmemory + + # MAXMEMORY POLICY: how Redis will select what to remove when maxmemory + # is reached. You can select one from the following behaviors: + # + # volatile-lru -> Evict using approximated LRU, only keys with an expire set. + # allkeys-lru -> Evict any key using approximated LRU. + # volatile-lfu -> Evict using approximated LFU, only keys with an expire set. + # allkeys-lfu -> Evict any key using approximated LFU. + # volatile-random -> Remove a random key having an expire set. + # allkeys-random -> Remove a random key, any key. + # volatile-ttl -> Remove the key with the nearest expire time (minor TTL) + # noeviction -> Don't evict anything, just return an error on write operations. + # + # LRU means Least Recently Used + # LFU means Least Frequently Used + # + # Both LRU, LFU and volatile-ttl are implemented using approximated + # randomized algorithms. + # + # Note: with any of the above policies, when there are no suitable keys for + # eviction, Redis will return an error on write operations that require + # more memory. These are usually commands that create new keys, add data or + # modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE, + # SORT (due to the STORE argument), and EXEC (if the transaction includes any + # command that requires memory). + # + # The default is: + # + # maxmemory-policy noeviction + + # LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated + # algorithms (in order to save memory), so you can tune it for speed or + # accuracy. By default Redis will check five keys and pick the one that was + # used least recently, you can change the sample size using the following + # configuration directive. + # + # The default of 5 produces good enough results. 10 Approximates very closely + # true LRU but costs more CPU. 3 is faster but not very accurate. + # + # maxmemory-samples 5 + + # Eviction processing is designed to function well with the default setting. + # If there is an unusually large amount of write traffic, this value may need to + # be increased. Decreasing this value may reduce latency at the risk of + # eviction processing effectiveness + # 0 = minimum latency, 10 = default, 100 = process without regard to latency + # + # maxmemory-eviction-tenacity 10 + + # Starting from Redis 5, by default a replica will ignore its maxmemory setting + # (unless it is promoted to master after a failover or manually). It means + # that the eviction of keys will be just handled by the master, sending the + # DEL commands to the replica as keys evict in the master side. + # + # This behavior ensures that masters and replicas stay consistent, and is usually + # what you want, however if your replica is writable, or you want the replica + # to have a different memory setting, and you are sure all the writes performed + # to the replica are idempotent, then you may change this default (but be sure + # to understand what you are doing). + # + # Note that since the replica by default does not evict, it may end using more + # memory than the one set via maxmemory (there are certain buffers that may + # be larger on the replica, or data structures may sometimes take more memory + # and so forth). So make sure you monitor your replicas and make sure they + # have enough memory to never hit a real out-of-memory condition before the + # master hits the configured maxmemory setting. + # + # replica-ignore-maxmemory yes + + # Redis reclaims expired keys in two ways: upon access when those keys are + # found to be expired, and also in background, in what is called the + # "active expire key". The key space is slowly and interactively scanned + # looking for expired keys to reclaim, so that it is possible to free memory + # of keys that are expired and will never be accessed again in a short time. + # + # The default effort of the expire cycle will try to avoid having more than + # ten percent of expired keys still in memory, and will try to avoid consuming + # more than 25% of total memory and to add latency to the system. However + # it is possible to increase the expire "effort" that is normally set to + # "1", to a greater value, up to the value "10". At its maximum value the + # system will use more CPU, longer cycles (and technically may introduce + # more latency), and will tolerate less already expired keys still present + # in the system. It's a tradeoff between memory, CPU and latency. + # + # active-expire-effort 1 + + ############################# LAZY FREEING #################################### + + # Redis has two primitives to delete keys. One is called DEL and is a blocking + # deletion of the object. It means that the server stops processing new commands + # in order to reclaim all the memory associated with an object in a synchronous + # way. If the key deleted is associated with a small object, the time needed + # in order to execute the DEL command is very small and comparable to most other + # O(1) or O(log_N) commands in Redis. However if the key is associated with an + # aggregated value containing millions of elements, the server can block for + # a long time (even seconds) in order to complete the operation. + # + # For the above reasons Redis also offers non blocking deletion primitives + # such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and + # FLUSHDB commands, in order to reclaim memory in background. Those commands + # are executed in constant time. Another thread will incrementally free the + # object in the background as fast as possible. + # + # DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled. + # It's up to the design of the application to understand when it is a good + # idea to use one or the other. However the Redis server sometimes has to + # delete keys or flush the whole database as a side effect of other operations. + # Specifically Redis deletes objects independently of a user call in the + # following scenarios: + # + # 1) On eviction, because of the maxmemory and maxmemory policy configurations, + # in order to make room for new data, without going over the specified + # memory limit. + # 2) Because of expire: when a key with an associated time to live (see the + # EXPIRE command) must be deleted from memory. + # 3) Because of a side effect of a command that stores data on a key that may + # already exist. For example the RENAME command may delete the old key + # content when it is replaced with another one. Similarly SUNIONSTORE + # or SORT with STORE option may delete existing keys. The SET command + # itself removes any old content of the specified key in order to replace + # it with the specified string. + # 4) During replication, when a replica performs a full resynchronization with + # its master, the content of the whole database is removed in order to + # load the RDB file just transferred. + # + # In all the above cases the default is to delete objects in a blocking way, + # like if DEL was called. However you can configure each case specifically + # in order to instead release memory in a non-blocking way like if UNLINK + # was called, using the following configuration directives. + + lazyfree-lazy-eviction no + lazyfree-lazy-expire no + lazyfree-lazy-server-del no + replica-lazy-flush no + + # It is also possible, for the case when to replace the user code DEL calls + # with UNLINK calls is not easy, to modify the default behavior of the DEL + # command to act exactly like UNLINK, using the following configuration + # directive: + + lazyfree-lazy-user-del no + + # FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous + # deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the + # commands. When neither flag is passed, this directive will be used to determine + # if the data should be deleted asynchronously. + + lazyfree-lazy-user-flush no + + ################################ THREADED I/O ################################# + + # Redis is mostly single threaded, however there are certain threaded + # operations such as UNLINK, slow I/O accesses and other things that are + # performed on side threads. + # + # Now it is also possible to handle Redis clients socket reads and writes + # in different I/O threads. Since especially writing is so slow, normally + # Redis users use pipelining in order to speed up the Redis performances per + # core, and spawn multiple instances in order to scale more. Using I/O + # threads it is possible to easily speedup two times Redis without resorting + # to pipelining nor sharding of the instance. + # + # By default threading is disabled, we suggest enabling it only in machines + # that have at least 4 or more cores, leaving at least one spare core. + # Using more than 8 threads is unlikely to help much. We also recommend using + # threaded I/O only if you actually have performance problems, with Redis + # instances being able to use a quite big percentage of CPU time, otherwise + # there is no point in using this feature. + # + # So for instance if you have a four cores boxes, try to use 2 or 3 I/O + # threads, if you have a 8 cores, try to use 6 threads. In order to + # enable I/O threads use the following configuration directive: + # + # io-threads 4 + # + # Setting io-threads to 1 will just use the main thread as usual. + # When I/O threads are enabled, we only use threads for writes, that is + # to thread the write(2) syscall and transfer the client buffers to the + # socket. However it is also possible to enable threading of reads and + # protocol parsing using the following configuration directive, by setting + # it to yes: + # + # io-threads-do-reads no + # + # Usually threading reads doesn't help much. + # + # NOTE 1: This configuration directive cannot be changed at runtime via + # CONFIG SET. Also, this feature currently does not work when SSL is + # enabled. + # + # NOTE 2: If you want to test the Redis speedup using redis-benchmark, make + # sure you also run the benchmark itself in threaded mode, using the + # --threads option to match the number of Redis threads, otherwise you'll not + # be able to notice the improvements. + + ############################ KERNEL OOM CONTROL ############################## + + # On Linux, it is possible to hint the kernel OOM killer on what processes + # should be killed first when out of memory. + # + # Enabling this feature makes Redis actively control the oom_score_adj value + # for all its processes, depending on their role. The default scores will + # attempt to have background child processes killed before all others, and + # replicas killed before masters. + # + # Redis supports these options: + # + # no: Don't make changes to oom-score-adj (default). + # yes: Alias to "relative" see below. + # absolute: Values in oom-score-adj-values are written as is to the kernel. + # relative: Values are used relative to the initial value of oom_score_adj when + # the server starts and are then clamped to a range of -1000 to 1000. + # Because typically the initial value is 0, they will often match the + # absolute values. + oom-score-adj no + + # When oom-score-adj is used, this directive controls the specific values used + # for master, replica and background child processes. Values range -2000 to + # 2000 (higher means more likely to be killed). + # + # Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities) + # can freely increase their value, but not decrease it below its initial + # settings. This means that setting oom-score-adj to "relative" and setting the + # oom-score-adj-values to positive values will always succeed. + oom-score-adj-values 0 200 800 + + + #################### KERNEL transparent hugepage CONTROL ###################### + + # Usually the kernel Transparent Huge Pages control is set to "madvise" or + # or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which + # case this config has no effect. On systems in which it is set to "always", + # redis will attempt to disable it specifically for the redis process in order + # to avoid latency problems specifically with fork(2) and CoW. + # If for some reason you prefer to keep it enabled, you can set this config to + # "no" and the kernel global to "always". + + disable-thp yes + + ############################## APPEND ONLY MODE ############################### + + # By default Redis asynchronously dumps the dataset on disk. This mode is + # good enough in many applications, but an issue with the Redis process or + # a power outage may result into a few minutes of writes lost (depending on + # the configured save points). + # + # The Append Only File is an alternative persistence mode that provides + # much better durability. For instance using the default data fsync policy + # (see later in the config file) Redis can lose just one second of writes in a + # dramatic event like a server power outage, or a single write if something + # wrong with the Redis process itself happens, but the operating system is + # still running correctly. + # + # AOF and RDB persistence can be enabled at the same time without problems. + # If the AOF is enabled on startup Redis will load the AOF, that is the file + # with the better durability guarantees. + # + # Please check https://redis.io/topics/persistence for more information. + + appendonly yes + + # The base name of the append only file. + # + # Redis 7 and newer use a set of append-only files to persist the dataset + # and changes applied to it. There are two basic types of files in use: + # + # - Base files, which are a snapshot representing the complete state of the + # dataset at the time the file was created. Base files can be either in + # the form of RDB (binary serialized) or AOF (textual commands). + # - Incremental files, which contain additional commands that were applied + # to the dataset following the previous file. + # + # In addition, manifest files are used to track the files and the order in + # which they were created and should be applied. + # + # Append-only file names are created by Redis following a specific pattern. + # The file name's prefix is based on the 'appendfilename' configuration + # parameter, followed by additional information about the sequence and type. + # + # For example, if appendfilename is set to appendonly.aof, the following file + # names could be derived: + # + # - appendonly.aof.1.base.rdb as a base file. + # - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files. + # - appendonly.aof.manifest as a manifest file. + + appendfilename "appendonly.aof" + + # For convenience, Redis stores all persistent append-only files in a dedicated + # directory. The name of the directory is determined by the appenddirname + # configuration parameter. + + appenddirname "appendonlydir" + + # The fsync() call tells the Operating System to actually write data on disk + # instead of waiting for more data in the output buffer. Some OS will really flush + # data on disk, some other OS will just try to do it ASAP. + # + # Redis supports three different modes: + # + # no: don't fsync, just let the OS flush the data when it wants. Faster. + # always: fsync after every write to the append only log. Slow, Safest. + # everysec: fsync only one time every second. Compromise. + # + # The default is "everysec", as that's usually the right compromise between + # speed and data safety. It's up to you to understand if you can relax this to + # "no" that will let the operating system flush the output buffer when + # it wants, for better performances (but if you can live with the idea of + # some data loss consider the default persistence mode that's snapshotting), + # or on the contrary, use "always" that's very slow but a bit safer than + # everysec. + # + # More details please check the following article: + # http://antirez.com/post/redis-persistence-demystified.html + # + # If unsure, use "everysec". + + # appendfsync always + appendfsync everysec + # appendfsync no + + # When the AOF fsync policy is set to always or everysec, and a background + # saving process (a background save or AOF log background rewriting) is + # performing a lot of I/O against the disk, in some Linux configurations + # Redis may block too long on the fsync() call. Note that there is no fix for + # this currently, as even performing fsync in a different thread will block + # our synchronous write(2) call. + # + # In order to mitigate this problem it's possible to use the following option + # that will prevent fsync() from being called in the main process while a + # BGSAVE or BGREWRITEAOF is in progress. + # + # This means that while another child is saving, the durability of Redis is + # the same as "appendfsync no". In practical terms, this means that it is + # possible to lose up to 30 seconds of log in the worst scenario (with the + # default Linux settings). + # + # If you have latency problems turn this to "yes". Otherwise leave it as + # "no" that is the safest pick from the point of view of durability. + + no-appendfsync-on-rewrite no + + # Automatic rewrite of the append only file. + # Redis is able to automatically rewrite the log file implicitly calling + # BGREWRITEAOF when the AOF log size grows by the specified percentage. + # + # This is how it works: Redis remembers the size of the AOF file after the + # latest rewrite (if no rewrite has happened since the restart, the size of + # the AOF at startup is used). + # + # This base size is compared to the current size. If the current size is + # bigger than the specified percentage, the rewrite is triggered. Also + # you need to specify a minimal size for the AOF file to be rewritten, this + # is useful to avoid rewriting the AOF file even if the percentage increase + # is reached but it is still pretty small. + # + # Specify a percentage of zero in order to disable the automatic AOF + # rewrite feature. + + auto-aof-rewrite-percentage 100 + auto-aof-rewrite-min-size 64mb + + # An AOF file may be found to be truncated at the end during the Redis + # startup process, when the AOF data gets loaded back into memory. + # This may happen when the system where Redis is running + # crashes, especially when an ext4 filesystem is mounted without the + # data=ordered option (however this can't happen when Redis itself + # crashes or aborts but the operating system still works correctly). + # + # Redis can either exit with an error when this happens, or load as much + # data as possible (the default now) and start if the AOF file is found + # to be truncated at the end. The following option controls this behavior. + # + # If aof-load-truncated is set to yes, a truncated AOF file is loaded and + # the Redis server starts emitting a log to inform the user of the event. + # Otherwise if the option is set to no, the server aborts with an error + # and refuses to start. When the option is set to no, the user requires + # to fix the AOF file using the "redis-check-aof" utility before to restart + # the server. + # + # Note that if the AOF file will be found to be corrupted in the middle + # the server will still exit with an error. This option only applies when + # Redis will try to read more data from the AOF file but not enough bytes + # will be found. + aof-load-truncated yes + + # Redis can create append-only base files in either RDB or AOF formats. Using + # the RDB format is always faster and more efficient, and disabling it is only + # supported for backward compatibility purposes. + aof-use-rdb-preamble yes + + # Redis supports recording timestamp annotations in the AOF to support restoring + # the data from a specific point-in-time. However, using this capability changes + # the AOF format in a way that may not be compatible with existing AOF parsers. + aof-timestamp-enabled no + + ################################ SHUTDOWN ##################################### + + # Maximum time to wait for replicas when shutting down, in seconds. + # + # During shut down, a grace period allows any lagging replicas to catch up with + # the latest replication offset before the master exists. This period can + # prevent data loss, especially for deployments without configured disk backups. + # + # The 'shutdown-timeout' value is the grace period's duration in seconds. It is + # only applicable when the instance has replicas. To disable the feature, set + # the value to 0. + # + # shutdown-timeout 10 + + # When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default + # an RDB snapshot is written to disk in a blocking operation if save points are configured. + # The options used on signaled shutdown can include the following values: + # default: Saves RDB snapshot only if save points are configured. + # Waits for lagging replicas to catch up. + # save: Forces a DB saving operation even if no save points are configured. + # nosave: Prevents DB saving operation even if one or more save points are configured. + # now: Skips waiting for lagging replicas. + # force: Ignores any errors that would normally prevent the server from exiting. + # + # Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously. + # Example: "nosave force now" + # + # shutdown-on-sigint default + # shutdown-on-sigterm default + + ################ NON-DETERMINISTIC LONG BLOCKING COMMANDS ##################### + + # Maximum time in milliseconds for EVAL scripts, functions and in some cases + # modules' commands before Redis can start processing or rejecting other clients. + # + # If the maximum execution time is reached Redis will start to reply to most + # commands with a BUSY error. + # + # In this state Redis will only allow a handful of commands to be executed. + # For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some + # module specific 'allow-busy' commands. + # + # SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not + # yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop + # the server in the case a write command was already issued by the script when + # the user doesn't want to wait for the natural termination of the script. + # + # The default is 5 seconds. It is possible to set it to 0 or a negative value + # to disable this mechanism (uninterrupted execution). Note that in the past + # this config had a different name, which is now an alias, so both of these do + # the same: + # lua-time-limit 5000 + # busy-reply-threshold 5000 + + ################################ REDIS CLUSTER ############################### + + # Normal Redis instances can't be part of a Redis Cluster; only nodes that are + # started as cluster nodes can. In order to start a Redis instance as a + # cluster node enable the cluster support uncommenting the following: + # + # cluster-enabled yes + + # Every cluster node has a cluster configuration file. This file is not + # intended to be edited by hand. It is created and updated by Redis nodes. + # Every Redis Cluster node requires a different cluster configuration file. + # Make sure that instances running in the same system do not have + # overlapping cluster configuration file names. + # + # cluster-config-file nodes-6379.conf + + # Cluster node timeout is the amount of milliseconds a node must be unreachable + # for it to be considered in failure state. + # Most other internal time limits are a multiple of the node timeout. + # + # cluster-node-timeout 15000 + + # The cluster port is the port that the cluster bus will listen for inbound connections on. When set + # to the default value, 0, it will be bound to the command port + 10000. Setting this value requires + # you to specify the cluster bus port when executing cluster meet. + # cluster-port 0 + + # A replica of a failing master will avoid to start a failover if its data + # looks too old. + # + # There is no simple way for a replica to actually have an exact measure of + # its "data age", so the following two checks are performed: + # + # 1) If there are multiple replicas able to failover, they exchange messages + # in order to try to give an advantage to the replica with the best + # replication offset (more data from the master processed). + # Replicas will try to get their rank by offset, and apply to the start + # of the failover a delay proportional to their rank. + # + # 2) Every single replica computes the time of the last interaction with + # its master. This can be the last ping or command received (if the master + # is still in the "connected" state), or the time that elapsed since the + # disconnection with the master (if the replication link is currently down). + # If the last interaction is too old, the replica will not try to failover + # at all. + # + # The point "2" can be tuned by user. Specifically a replica will not perform + # the failover if, since the last interaction with the master, the time + # elapsed is greater than: + # + # (node-timeout * cluster-replica-validity-factor) + repl-ping-replica-period + # + # So for example if node-timeout is 30 seconds, and the cluster-replica-validity-factor + # is 10, and assuming a default repl-ping-replica-period of 10 seconds, the + # replica will not try to failover if it was not able to talk with the master + # for longer than 310 seconds. + # + # A large cluster-replica-validity-factor may allow replicas with too old data to failover + # a master, while a too small value may prevent the cluster from being able to + # elect a replica at all. + # + # For maximum availability, it is possible to set the cluster-replica-validity-factor + # to a value of 0, which means, that replicas will always try to failover the + # master regardless of the last time they interacted with the master. + # (However they'll always try to apply a delay proportional to their + # offset rank). + # + # Zero is the only value able to guarantee that when all the partitions heal + # the cluster will always be able to continue. + # + # cluster-replica-validity-factor 10 + + # Cluster replicas are able to migrate to orphaned masters, that are masters + # that are left without working replicas. This improves the cluster ability + # to resist to failures as otherwise an orphaned master can't be failed over + # in case of failure if it has no working replicas. + # + # Replicas migrate to orphaned masters only if there are still at least a + # given number of other working replicas for their old master. This number + # is the "migration barrier". A migration barrier of 1 means that a replica + # will migrate only if there is at least 1 other working replica for its master + # and so forth. It usually reflects the number of replicas you want for every + # master in your cluster. + # + # Default is 1 (replicas migrate only if their masters remain with at least + # one replica). To disable migration just set it to a very large value or + # set cluster-allow-replica-migration to 'no'. + # A value of 0 can be set but is useful only for debugging and dangerous + # in production. + # + # cluster-migration-barrier 1 + + # Turning off this option allows to use less automatic cluster configuration. + # It both disables migration to orphaned masters and migration from masters + # that became empty. + # + # Default is 'yes' (allow automatic migrations). + # + # cluster-allow-replica-migration yes + + # By default Redis Cluster nodes stop accepting queries if they detect there + # is at least a hash slot uncovered (no available node is serving it). + # This way if the cluster is partially down (for example a range of hash slots + # are no longer covered) all the cluster becomes, eventually, unavailable. + # It automatically returns available as soon as all the slots are covered again. + # + # However sometimes you want the subset of the cluster which is working, + # to continue to accept queries for the part of the key space that is still + # covered. In order to do so, just set the cluster-require-full-coverage + # option to no. + # + # cluster-require-full-coverage yes + + # This option, when set to yes, prevents replicas from trying to failover its + # master during master failures. However the replica can still perform a + # manual failover, if forced to do so. + # + # This is useful in different scenarios, especially in the case of multiple + # data center operations, where we want one side to never be promoted if not + # in the case of a total DC failure. + # + # cluster-replica-no-failover no + + # This option, when set to yes, allows nodes to serve read traffic while the + # cluster is in a down state, as long as it believes it owns the slots. + # + # This is useful for two cases. The first case is for when an application + # doesn't require consistency of data during node failures or network partitions. + # One example of this is a cache, where as long as the node has the data it + # should be able to serve it. + # + # The second use case is for configurations that don't meet the recommended + # three shards but want to enable cluster mode and scale later. A + # master outage in a 1 or 2 shard configuration causes a read/write outage to the + # entire cluster without this option set, with it set there is only a write outage. + # Without a quorum of masters, slot ownership will not change automatically. + # + # cluster-allow-reads-when-down no + + # This option, when set to yes, allows nodes to serve pubsub shard traffic while + # the cluster is in a down state, as long as it believes it owns the slots. + # + # This is useful if the application would like to use the pubsub feature even when + # the cluster global stable state is not OK. If the application wants to make sure only + # one shard is serving a given channel, this feature should be kept as yes. + # + # cluster-allow-pubsubshard-when-down yes + + # Cluster link send buffer limit is the limit on the memory usage of an individual + # cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed + # this limit. This is to primarily prevent send buffers from growing unbounded on links + # toward slow peers (E.g. PubSub messages being piled up). + # This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field + # and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase. + # Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single + # PubSub message by default. (client-query-buffer-limit default value is 1gb) + # + # cluster-link-sendbuf-limit 0 + + # Clusters can configure their announced hostname using this config. This is a common use case for + # applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based + # routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS + # command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is + # communicated along the clusterbus to all nodes, setting it to an empty string will remove + # the hostname and also propagate the removal. + # + # cluster-announce-hostname "" + + # Clusters can advertise how clients should connect to them using either their IP address, + # a user defined hostname, or by declaring they have no endpoint. Which endpoint is + # shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type + # config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how + # the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS. + # If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?' + # will be returned instead. + # + # When a cluster advertises itself as having an unknown endpoint, it's indicating that + # the server doesn't know how clients can reach the cluster. This can happen in certain + # networking situations where there are multiple possible routes to the node, and the + # server doesn't know which one the client took. In this case, the server is expecting + # the client to reach out on the same endpoint it used for making the last request, but use + # the port provided in the response. + # + # cluster-preferred-endpoint-type ip + + # In order to setup your cluster make sure to read the documentation + # available at https://redis.io web site. + + ########################## CLUSTER DOCKER/NAT support ######################## + + # In certain deployments, Redis Cluster nodes address discovery fails, because + # addresses are NAT-ted or because ports are forwarded (the typical case is + # Docker and other containers). + # + # In order to make Redis Cluster working in such environments, a static + # configuration where each node knows its public address is needed. The + # following four options are used for this scope, and are: + # + # * cluster-announce-ip + # * cluster-announce-port + # * cluster-announce-tls-port + # * cluster-announce-bus-port + # + # Each instructs the node about its address, client ports (for connections + # without and with TLS) and cluster message bus port. The information is then + # published in the header of the bus packets so that other nodes will be able to + # correctly map the address of the node publishing the information. + # + # If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set + # to zero, then cluster-announce-port refers to the TLS port. Note also that + # cluster-announce-tls-port has no effect if cluster-tls is set to no. + # + # If the above options are not used, the normal Redis Cluster auto-detection + # will be used instead. + # + # Note that when remapped, the bus port may not be at the fixed offset of + # clients port + 10000, so you can specify any port and bus-port depending + # on how they get remapped. If the bus-port is not set, a fixed offset of + # 10000 will be used as usual. + # + # Example: + # + # cluster-announce-ip 10.1.1.5 + # cluster-announce-tls-port 6379 + # cluster-announce-port 0 + # cluster-announce-bus-port 6380 + + ################################## SLOW LOG ################################### + + # The Redis Slow Log is a system to log queries that exceeded a specified + # execution time. The execution time does not include the I/O operations + # like talking with the client, sending the reply and so forth, + # but just the time needed to actually execute the command (this is the only + # stage of command execution where the thread is blocked and can not serve + # other requests in the meantime). + # + # You can configure the slow log with two parameters: one tells Redis + # what is the execution time, in microseconds, to exceed in order for the + # command to get logged, and the other parameter is the length of the + # slow log. When a new command is logged the oldest one is removed from the + # queue of logged commands. + + # The following time is expressed in microseconds, so 1000000 is equivalent + # to one second. Note that a negative number disables the slow log, while + # a value of zero forces the logging of every command. + slowlog-log-slower-than 10000 + + # There is no limit to this length. Just be aware that it will consume memory. + # You can reclaim memory used by the slow log with SLOWLOG RESET. + slowlog-max-len 128 + + ################################ LATENCY MONITOR ############################## + + # The Redis latency monitoring subsystem samples different operations + # at runtime in order to collect data related to possible sources of + # latency of a Redis instance. + # + # Via the LATENCY command this information is available to the user that can + # print graphs and obtain reports. + # + # The system only logs operations that were performed in a time equal or + # greater than the amount of milliseconds specified via the + # latency-monitor-threshold configuration directive. When its value is set + # to zero, the latency monitor is turned off. + # + # By default latency monitoring is disabled since it is mostly not needed + # if you don't have latency issues, and collecting data has a performance + # impact, that while very small, can be measured under big load. Latency + # monitoring can easily be enabled at runtime using the command + # "CONFIG SET latency-monitor-threshold " if needed. + latency-monitor-threshold 0 + + ################################ LATENCY TRACKING ############################## + + # The Redis extended latency monitoring tracks the per command latencies and enables + # exporting the percentile distribution via the INFO latencystats command, + # and cumulative latency distributions (histograms) via the LATENCY command. + # + # By default, the extended latency monitoring is enabled since the overhead + # of keeping track of the command latency is very small. + # latency-tracking yes + + # By default the exported latency percentiles via the INFO latencystats command + # are the p50, p99, and p999. + # latency-tracking-info-percentiles 50 99 99.9 + + ############################# EVENT NOTIFICATION ############################## + + # Redis can notify Pub/Sub clients about events happening in the key space. + # This feature is documented at https://redis.io/topics/notifications + # + # For instance if keyspace events notification is enabled, and a client + # performs a DEL operation on key "foo" stored in the Database 0, two + # messages will be published via Pub/Sub: + # + # PUBLISH __keyspace@0__:foo del + # PUBLISH __keyevent@0__:del foo + # + # It is possible to select the events that Redis will notify among a set + # of classes. Every class is identified by a single character: + # + # K Keyspace events, published with __keyspace@__ prefix. + # E Keyevent events, published with __keyevent@__ prefix. + # g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... + # $ String commands + # l List commands + # s Set commands + # h Hash commands + # z Sorted set commands + # x Expired events (events generated every time a key expires) + # e Evicted events (events generated when a key is evicted for maxmemory) + # n New key events (Note: not included in the 'A' class) + # t Stream commands + # d Module key type events + # m Key-miss events (Note: It is not included in the 'A' class) + # A Alias for g$lshzxetd, so that the "AKE" string means all the events + # (Except key-miss events which are excluded from 'A' due to their + # unique nature). + # + # The "notify-keyspace-events" takes as argument a string that is composed + # of zero or multiple characters. The empty string means that notifications + # are disabled. + # + # Example: to enable list and generic events, from the point of view of the + # event name, use: + # + # notify-keyspace-events Elg + # + # Example 2: to get the stream of the expired keys subscribing to channel + # name __keyevent@0__:expired use: + # + # notify-keyspace-events Ex + # + # By default all notifications are disabled because most users don't need + # this feature and the feature has some overhead. Note that if you don't + # specify at least one of K or E, no events will be delivered. + notify-keyspace-events "" + + ############################### ADVANCED CONFIG ############################### + + # Hashes are encoded using a memory efficient data structure when they have a + # small number of entries, and the biggest entry does not exceed a given + # threshold. These thresholds can be configured using the following directives. + hash-max-listpack-entries 512 + hash-max-listpack-value 64 + + # Lists are also encoded in a special way to save a lot of space. + # The number of entries allowed per internal list node can be specified + # as a fixed maximum size or a maximum number of elements. + # For a fixed maximum size, use -5 through -1, meaning: + # -5: max size: 64 Kb <-- not recommended for normal workloads + # -4: max size: 32 Kb <-- not recommended + # -3: max size: 16 Kb <-- probably not recommended + # -2: max size: 8 Kb <-- good + # -1: max size: 4 Kb <-- good + # Positive numbers mean store up to _exactly_ that number of elements + # per list node. + # The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), + # but if your use case is unique, adjust the settings as necessary. + list-max-listpack-size -2 + + # Lists may also be compressed. + # Compress depth is the number of quicklist ziplist nodes from *each* side of + # the list to *exclude* from compression. The head and tail of the list + # are always uncompressed for fast push/pop operations. Settings are: + # 0: disable all list compression + # 1: depth 1 means "don't start compressing until after 1 node into the list, + # going from either the head or tail" + # So: [head]->node->node->...->node->[tail] + # [head], [tail] will always be uncompressed; inner nodes will compress. + # 2: [head]->[next]->node->node->...->node->[prev]->[tail] + # 2 here means: don't compress head or head->next or tail->prev or tail, + # but compress all nodes between them. + # 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail] + # etc. + list-compress-depth 0 + + # Sets have a special encoding in just one case: when a set is composed + # of just strings that happen to be integers in radix 10 in the range + # of 64 bit signed integers. + # The following configuration setting sets the limit in the size of the + # set in order to use this special memory saving encoding. + set-max-intset-entries 512 + + # Similarly to hashes and lists, sorted sets are also specially encoded in + # order to save a lot of space. This encoding is only used when the length and + # elements of a sorted set are below the following limits: + zset-max-listpack-entries 128 + zset-max-listpack-value 64 + + # HyperLogLog sparse representation bytes limit. The limit includes the + # 16 bytes header. When an HyperLogLog using the sparse representation crosses + # this limit, it is converted into the dense representation. + # + # A value greater than 16000 is totally useless, since at that point the + # dense representation is more memory efficient. + # + # The suggested value is ~ 3000 in order to have the benefits of + # the space efficient encoding without slowing down too much PFADD, + # which is O(N) with the sparse encoding. The value can be raised to + # ~ 10000 when CPU is not a concern, but space is, and the data set is + # composed of many HyperLogLogs with cardinality in the 0 - 15000 range. + hll-sparse-max-bytes 3000 + + # Streams macro node max size / items. The stream data structure is a radix + # tree of big nodes that encode multiple items inside. Using this configuration + # it is possible to configure how big a single node can be in bytes, and the + # maximum number of items it may contain before switching to a new node when + # appending new stream entries. If any of the following settings are set to + # zero, the limit is ignored, so for instance it is possible to set just a + # max entries limit by setting max-bytes to 0 and max-entries to the desired + # value. + stream-node-max-bytes 4096 + stream-node-max-entries 100 + + # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in + # order to help rehashing the main Redis hash table (the one mapping top-level + # keys to values). The hash table implementation Redis uses (see dict.c) + # performs a lazy rehashing: the more operation you run into a hash table + # that is rehashing, the more rehashing "steps" are performed, so if the + # server is idle the rehashing is never complete and some more memory is used + # by the hash table. + # + # The default is to use this millisecond 10 times every second in order to + # actively rehash the main dictionaries, freeing memory when possible. + # + # If unsure: + # use "activerehashing no" if you have hard latency requirements and it is + # not a good thing in your environment that Redis can reply from time to time + # to queries with 2 milliseconds delay. + # + # use "activerehashing yes" if you don't have such hard requirements but + # want to free memory asap when possible. + activerehashing yes + + # The client output buffer limits can be used to force disconnection of clients + # that are not reading data from the server fast enough for some reason (a + # common reason is that a Pub/Sub client can't consume messages as fast as the + # publisher can produce them). + # + # The limit can be set differently for the three different classes of clients: + # + # normal -> normal clients including MONITOR clients + # replica -> replica clients + # pubsub -> clients subscribed to at least one pubsub channel or pattern + # + # The syntax of every client-output-buffer-limit directive is the following: + # + # client-output-buffer-limit + # + # A client is immediately disconnected once the hard limit is reached, or if + # the soft limit is reached and remains reached for the specified number of + # seconds (continuously). + # So for instance if the hard limit is 32 megabytes and the soft limit is + # 16 megabytes / 10 seconds, the client will get disconnected immediately + # if the size of the output buffers reach 32 megabytes, but will also get + # disconnected if the client reaches 16 megabytes and continuously overcomes + # the limit for 10 seconds. + # + # By default normal clients are not limited because they don't receive data + # without asking (in a push way), but just after a request, so only + # asynchronous clients may create a scenario where data is requested faster + # than it can read. + # + # Instead there is a default limit for pubsub and replica clients, since + # subscribers and replicas receive data in a push fashion. + # + # Note that it doesn't make sense to set the replica clients output buffer + # limit lower than the repl-backlog-size config (partial sync will succeed + # and then replica will get disconnected). + # Such a configuration is ignored (the size of repl-backlog-size will be used). + # This doesn't have memory consumption implications since the replica client + # will share the backlog buffers memory. + # + # Both the hard or the soft limit can be disabled by setting them to zero. + client-output-buffer-limit normal 0 0 0 + client-output-buffer-limit replica 256mb 64mb 60 + client-output-buffer-limit pubsub 32mb 8mb 60 + + # Client query buffers accumulate new commands. They are limited to a fixed + # amount by default in order to avoid that a protocol desynchronization (for + # instance due to a bug in the client) will lead to unbound memory usage in + # the query buffer. However you can configure it here if you have very special + # needs, such us huge multi/exec requests or alike. + # + # client-query-buffer-limit 1gb + + # In some scenarios client connections can hog up memory leading to OOM + # errors or data eviction. To avoid this we can cap the accumulated memory + # used by all client connections (all pubsub and normal clients). Once we + # reach that limit connections will be dropped by the server freeing up + # memory. The server will attempt to drop the connections using the most + # memory first. We call this mechanism "client eviction". + # + # Client eviction is configured using the maxmemory-clients setting as follows: + # 0 - client eviction is disabled (default) + # + # A memory value can be used for the client eviction threshold, + # for example: + # maxmemory-clients 1g + # + # A percentage value (between 1% and 100%) means the client eviction threshold + # is based on a percentage of the maxmemory setting. For example to set client + # eviction at 5% of maxmemory: + # maxmemory-clients 5% + + # In the Redis protocol, bulk requests, that are, elements representing single + # strings, are normally limited to 512 mb. However you can change this limit + # here, but must be 1mb or greater + # + # proto-max-bulk-len 512mb + + # Redis calls an internal function to perform many background tasks, like + # closing connections of clients in timeout, purging expired keys that are + # never requested, and so forth. + # + # Not all tasks are performed with the same frequency, but Redis checks for + # tasks to perform according to the specified "hz" value. + # + # By default "hz" is set to 10. Raising the value will use more CPU when + # Redis is idle, but at the same time will make Redis more responsive when + # there are many keys expiring at the same time, and timeouts may be + # handled with more precision. + # + # The range is between 1 and 500, however a value over 100 is usually not + # a good idea. Most users should use the default of 10 and raise this up to + # 100 only in environments where very low latency is required. + hz 10 + + # Normally it is useful to have an HZ value which is proportional to the + # number of clients connected. This is useful in order, for instance, to + # avoid too many clients are processed for each background task invocation + # in order to avoid latency spikes. + # + # Since the default HZ value by default is conservatively set to 10, Redis + # offers, and enables by default, the ability to use an adaptive HZ value + # which will temporarily raise when there are many connected clients. + # + # When dynamic HZ is enabled, the actual configured HZ will be used + # as a baseline, but multiples of the configured HZ value will be actually + # used as needed once more clients are connected. In this way an idle + # instance will use very little CPU time while a busy instance will be + # more responsive. + dynamic-hz yes + + # When a child rewrites the AOF file, if the following option is enabled + # the file will be fsync-ed every 4 MB of data generated. This is useful + # in order to commit the file to the disk more incrementally and avoid + # big latency spikes. + aof-rewrite-incremental-fsync yes + + # When redis saves RDB file, if the following option is enabled + # the file will be fsync-ed every 4 MB of data generated. This is useful + # in order to commit the file to the disk more incrementally and avoid + # big latency spikes. + rdb-save-incremental-fsync yes + + # Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good + # idea to start with the default settings and only change them after investigating + # how to improve the performances and how the keys LFU change over time, which + # is possible to inspect via the OBJECT FREQ command. + # + # There are two tunable parameters in the Redis LFU implementation: the + # counter logarithm factor and the counter decay time. It is important to + # understand what the two parameters mean before changing them. + # + # The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis + # uses a probabilistic increment with logarithmic behavior. Given the value + # of the old counter, when a key is accessed, the counter is incremented in + # this way: + # + # 1. A random number R between 0 and 1 is extracted. + # 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). + # 3. The counter is incremented only if R < P. + # + # The default lfu-log-factor is 10. This is a table of how the frequency + # counter changes with a different number of accesses with different + # logarithmic factors: + # + # +--------+------------+------------+------------+------------+------------+ + # | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | + # +--------+------------+------------+------------+------------+------------+ + # | 0 | 104 | 255 | 255 | 255 | 255 | + # +--------+------------+------------+------------+------------+------------+ + # | 1 | 18 | 49 | 255 | 255 | 255 | + # +--------+------------+------------+------------+------------+------------+ + # | 10 | 10 | 18 | 142 | 255 | 255 | + # +--------+------------+------------+------------+------------+------------+ + # | 100 | 8 | 11 | 49 | 143 | 255 | + # +--------+------------+------------+------------+------------+------------+ + # + # NOTE: The above table was obtained by running the following commands: + # + # redis-benchmark -n 1000000 incr foo + # redis-cli object freq foo + # + # NOTE 2: The counter initial value is 5 in order to give new objects a chance + # to accumulate hits. + # + # The counter decay time is the time, in minutes, that must elapse in order + # for the key counter to be divided by two (or decremented if it has a value + # less <= 10). + # + # The default value for the lfu-decay-time is 1. A special value of 0 means to + # decay the counter every time it happens to be scanned. + # + # lfu-log-factor 10 + # lfu-decay-time 1 + + ########################### ACTIVE DEFRAGMENTATION ####################### + # + # What is active defragmentation? + # ------------------------------- + # + # Active (online) defragmentation allows a Redis server to compact the + # spaces left between small allocations and deallocations of data in memory, + # thus allowing to reclaim back memory. + # + # Fragmentation is a natural process that happens with every allocator (but + # less so with Jemalloc, fortunately) and certain workloads. Normally a server + # restart is needed in order to lower the fragmentation, or at least to flush + # away all the data and create it again. However thanks to this feature + # implemented by Oran Agra for Redis 4.0 this process can happen at runtime + # in a "hot" way, while the server is running. + # + # Basically when the fragmentation is over a certain level (see the + # configuration options below) Redis will start to create new copies of the + # values in contiguous memory regions by exploiting certain specific Jemalloc + # features (in order to understand if an allocation is causing fragmentation + # and to allocate it in a better place), and at the same time, will release the + # old copies of the data. This process, repeated incrementally for all the keys + # will cause the fragmentation to drop back to normal values. + # + # Important things to understand: + # + # 1. This feature is disabled by default, and only works if you compiled Redis + # to use the copy of Jemalloc we ship with the source code of Redis. + # This is the default with Linux builds. + # + # 2. You never need to enable this feature if you don't have fragmentation + # issues. + # + # 3. Once you experience fragmentation, you can enable this feature when + # needed with the command "CONFIG SET activedefrag yes". + # + # The configuration parameters are able to fine tune the behavior of the + # defragmentation process. If you are not sure about what they mean it is + # a good idea to leave the defaults untouched. + + # Active defragmentation is disabled by default + # activedefrag no + + # Minimum amount of fragmentation waste to start active defrag + # active-defrag-ignore-bytes 100mb + + # Minimum percentage of fragmentation to start active defrag + # active-defrag-threshold-lower 10 + + # Maximum percentage of fragmentation at which we use maximum effort + # active-defrag-threshold-upper 100 + + # Minimal effort for defrag in CPU percentage, to be used when the lower + # threshold is reached + # active-defrag-cycle-min 1 + + # Maximal effort for defrag in CPU percentage, to be used when the upper + # threshold is reached + # active-defrag-cycle-max 25 + + # Maximum number of set/hash/zset/list fields that will be processed from + # the main dictionary scan + # active-defrag-max-scan-fields 1000 + + # Jemalloc background thread for purging will be enabled by default + jemalloc-bg-thread yes + + # It is possible to pin different threads and processes of Redis to specific + # CPUs in your system, in order to maximize the performances of the server. + # This is useful both in order to pin different Redis threads in different + # CPUs, but also in order to make sure that multiple Redis instances running + # in the same host will be pinned to different CPUs. + # + # Normally you can do this using the "taskset" command, however it is also + # possible to this via Redis configuration directly, both in Linux and FreeBSD. + # + # You can pin the server/IO threads, bio threads, aof rewrite child process, and + # the bgsave child process. The syntax to specify the cpu list is the same as + # the taskset command: + # + # Set redis server/io threads to cpu affinity 0,2,4,6: + # server_cpulist 0-7:2 + # + # Set bio threads to cpu affinity 1,3: + # bio_cpulist 1,3 + # + # Set aof rewrite child process to cpu affinity 8,9,10,11: + # aof_rewrite_cpulist 8-11 + # + # Set bgsave child process to cpu affinity 1,10,11 + # bgsave_cpulist 1,10-11 + + # In some cases redis will emit warnings and even refuse to start if it detects + # that the system is in bad state, it is possible to suppress these warnings + # by setting the following config which takes a space delimited list of warnings + # to suppress + # + # ignore-warnings ARM64-COW-BUG diff --git a/charts/csm-authorization-v2.0/charts/redis/templates/redis-secret.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/redis-secret.yaml new file mode 100644 index 00000000..cbe2d769 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/templates/redis-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: redis-csm-secret + namespace: {{ include "custom.namespace" . }} +type: kubernetes.io/basic-auth +stringData: + password: K@ravi123! + commander_user: dev diff --git a/charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml new file mode 100644 index 00000000..e3685570 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml @@ -0,0 +1,188 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.redis.name }} + namespace: {{ include "custom.namespace" . }} +spec: + type: + clusterIP: None + selector: + app: {{ .Values.redis.name }} + ports: + - protocol: TCP + port: 6379 + targetPort: 6379 + name: {{ .Values.redis.name }} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .Values.redis.name }} + namespace: {{ include "custom.namespace" . }} +spec: + serviceName: {{ .Values.redis.name }} + replicas: {{ .Values.redis.replicas }} + selector: + matchLabels: + app: {{ .Values.redis.name }} + template: + metadata: + labels: + app: {{ .Values.redis.name }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} + spec: + initContainers: + - name: config + image: {{ .Values.redis.images.redis }} + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + + command: [ "sh", "-c" ] + args: + - | + cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf + echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf + echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf + + echo "Finding master..." + MASTER_FDQN=`hostname -f | sed -e 's/{{ .Values.redis.name }}-[0-9]\./{{ .Values.redis.name }}-0./'` + echo "Master at " $MASTER_FQDN + if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then + echo "No sentinel found..." + if [ "$(hostname)" = "{{ .Values.redis.name }}-0" ]; then + echo "This is Redis master, not updating redis.conf..." + else + echo "This is Redis replica, updating redis.conf..." + echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + else + echo "Sentinel found, finding master..." + MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" + echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + volumeMounts: + - name: redis-primary-volume + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ + containers: + - name: {{ .Values.redis.name }} + image: {{ .Values.redis.images.redis }} + command: ["redis-server"] + args: ["/etc/redis/redis.conf"] + ports: + - containerPort: 6379 + name: {{ .Values.redis.name }} + volumeMounts: + - name: redis-primary-volume + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ + volumes: + - name: redis-primary-volume + emptyDir: {} + - name: config + emptyDir: {} + - name: configmap + configMap: + name: redis-csm-cm +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.redis.rediscommander }} + namespace: {{ include "custom.namespace" . }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ .Values.redis.rediscommander }} + template: + metadata: + labels: + app: {{ .Values.redis.rediscommander }} + tier: backend + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} + spec: + containers: + - name: {{ .Values.redis.rediscommander }} + image: {{ .Values.redis.images.commander }} + imagePullPolicy: IfNotPresent + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . -}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: SENTINELS + value: {{ $str | quote }} + - name: K8S_SIGTERM + value: "1" + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: HTTP_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: HTTP_USER + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: commander_user + ports: + - name: {{ .Values.redis.rediscommander }} + containerPort: 8081 + livenessProbe: + httpGet: + path: /favicon.png + port: 8081 + initialDelaySeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: "500m" + memory: "512M" + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.redis.rediscommander }} + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: {{ .Values.redis.rediscommander }} + ports: + - protocol: TCP + port: 8081 + targetPort: 8081 diff --git a/charts/csm-authorization-v2.0/charts/redis/templates/sentinel.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/sentinel.yaml new file mode 100644 index 00000000..da22d0d5 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/templates/sentinel.yaml @@ -0,0 +1,111 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .Values.redis.sentinel }} +spec: + serviceName: {{ .Values.redis.sentinel }} + replicas: {{ .Values.redis.replicas }} + selector: + matchLabels: + app: {{ .Values.redis.sentinel }} + template: + metadata: + labels: + app: {{ .Values.redis.sentinel }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} + spec: + initContainers: + - name: config + image: {{ .Values.redis.images.redis }} + command: [ "sh", "-c" ] + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - | + replicas=$( expr {{ .Values.redis.replicas | int }} - 1) + for i in $(seq 0 $replicas) + do + node=$( echo "{{ .Values.redis.name }}-$i.{{ .Values.redis.name }}" ) + nodes=$( echo "$nodes*$node" ) + done + loop=$(echo $nodes | sed -e "s/"*"/\n/g") + + for i in $loop + do + echo "Finding master at $i" + MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) + if [ "$MASTER" = "" ]; then + echo "Master not found..." + echo "Sleeping 5 seconds for pods to come up..." + sleep 5 + MASTER= + else + echo "Master found at $MASTER..." + break + fi + done + + echo "sentinel monitor mymaster $MASTER 6379 2" >> /tmp/master + echo "port 5000 + sentinel resolve-hostnames yes + sentinel announce-hostnames yes + $(cat /tmp/master) + sentinel down-after-milliseconds mymaster 5000 + sentinel failover-timeout mymaster 60000 + sentinel parallel-syncs mymaster 2 + sentinel auth-pass mymaster $REDIS_PASSWORD + " > /etc/redis/sentinel.conf + cat /etc/redis/sentinel.conf + volumeMounts: + - name: redis-config + mountPath: /etc/redis/ + containers: + - name: sentinel + image: {{ .Values.redis.images.redis }} + command: ["redis-sentinel"] + args: ["/etc/redis/sentinel.conf"] + ports: + - containerPort: 5000 + name: {{ .Values.redis.sentinel }} + volumeMounts: + - name: redis-config + mountPath: /etc/redis/ + - name: data + mountPath: /data + volumes: + - name: redis-config + emptyDir: {} + - name: data + emptyDir : {} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.redis.sentinel }} +spec: + clusterIP: None + ports: + - port: 5000 + targetPort: 5000 + name: sentinel + selector: + app: sentinel +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.redis.sentinel }}-svc +spec: + type: NodePort + ports: + - port: 5000 + targetPort: 5000 + nodePort: 32003 + name: {{ .Values.redis.sentinel }}-svc + selector: + app: {{ .Values.redis.sentinel }} diff --git a/charts/csm-authorization-v2.0/charts/redis/values.yaml b/charts/csm-authorization-v2.0/charts/redis/values.yaml new file mode 100644 index 00000000..7abd23da --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/values.yaml @@ -0,0 +1,8 @@ +redis: + name: redis-csm + sentinel: sentinel + rediscommander: rediscommander + replicas: 5 + images: + redis: amaas-eos-mw1.cec.lab.emc.com:5046/redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest diff --git a/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmroles.yaml b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmroles.yaml new file mode 100644 index 00000000..aa6ebe89 --- /dev/null +++ b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmroles.yaml @@ -0,0 +1,135 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: csmroles.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: CSMRole + listKind: CSMRoleList + plural: csmroles + singular: csmrole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CSMRole is the Schema for the csmroles API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CSMRoleSpec defines the desired state of CSMRole + properties: + pool: + type: string + quota: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + systemID: + type: string + systemType: + type: string + type: object + status: + description: CSMRoleStatus defines the observed state of CSMRole + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + Role.status.conditions.type are: "Available", "NotAvailable", and "UnKnown" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmtenants.yaml b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmtenants.yaml new file mode 100644 index 00000000..edcf2c11 --- /dev/null +++ b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmtenants.yaml @@ -0,0 +1,139 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: csmtenants.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: CSMTenant + listKind: CSMTenantList + plural: csmtenants + singular: csmtenant + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CSMTenant is the Schema for the csmtenants API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CSMTenantSpec defines the desired state of CSMTenant + properties: + approveSdc: + type: boolean + revoke: + type: boolean + roles: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + volumePrefix: + maxLength: 3 + minLength: 1 + type: string + required: + - approveSdc + - revoke + type: object + status: + description: CSMTenantStatus defines the observed state of CSMTenant + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_storages.yaml b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_storages.yaml new file mode 100644 index 00000000..607c4995 --- /dev/null +++ b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_storages.yaml @@ -0,0 +1,141 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: storages.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: Storage + listKind: StorageList + plural: storages + singular: storage + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Storage is the Schema for the storages API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: StorageSpec defines the desired state of Storage + properties: + credentialPath: + type: string + credentialStore: + type: string + endpoint: + type: string + pollInterval: + type: string + skipCertificateValidation: + type: boolean + systemID: + type: string + type: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + required: + - skipCertificateValidation + type: object + status: + description: StorageStatus defines the observed state of Storage + properties: + conditions: + description: 'Storage.status.conditions.type are: "Available", "NotAvailable", + and "UnKnown"' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/csm-authorization-v2.0/policies/common.rego b/charts/csm-authorization-v2.0/policies/common.rego new file mode 100644 index 00000000..99709c9a --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/common.rego @@ -0,0 +1,4 @@ +package karavi.common +default roles = {} +roles = {} + diff --git a/charts/csm-authorization-v2.0/policies/sdc-approve.rego b/charts/csm-authorization-v2.0/policies/sdc-approve.rego new file mode 100644 index 00000000..a0d2b53e --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/sdc-approve.rego @@ -0,0 +1,40 @@ +# Copyright © 2023 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.sdc.approve + +import data.karavi.common + +# Allow requests by default. +default allow = true + +default response = { + "allowed": true +} +response = { + "allowed": false, + "status": { + "reason": reason, + }, +} { + reason = concat(", ", deny) + reason != "" +} + +default claims = {} +claims = input.claims +deny[msg] { + claims == {} + msg := sprintf("missing claims", []) +} diff --git a/charts/csm-authorization-v2.0/policies/snapshot-create-test.rego b/charts/csm-authorization-v2.0/policies/snapshot-create-test.rego new file mode 100644 index 00000000..920fc4e9 --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/snapshot-create-test.rego @@ -0,0 +1,359 @@ +# Copyright © 2024 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.snapshot.create_test + +import data.karavi.snapshot.create + +import rego.v1 + + +test_snapshot_simple_request_allowed if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1", + "sub": "karavi-tenant", + }, + "request": [{ + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := {"us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "44000000"}}}}}}} + + create.allow with input as content with data.karavi.common.roles as role +} + +test_snapshot_multi_role_request_allowed if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1,us-west-1", + "sub": "karavi-tenant", + }, + "request": [{ + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := { + "us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "44000000"}}}}}}, + "us-west-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": 83886080}}}}}}, + } + + create.allow with input as content with data.karavi.common.roles as role +} + +test_snapshot_multi_request_allowed if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1,us-west-1", + "sub": "karavi-tenant", + }, + "request": [ + { + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + { + "name": "k8s-0fc0695995-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + ], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := {"us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "44000000"}}}}}}} + + create.allow with input as content with data.karavi.common.roles as role +} + +test_snapshot_multi_request_multi_role_allowed if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1,us-west-1", + "sub": "karavi-tenant", + }, + "request": [ + { + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + { + "name": "k8s-0fc0695995-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "silver", + }, + ], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := { + "us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "44000000", "silver": "88000000"}}}}}}, + "us-west-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"silver": 83886080}}}}}}, + } + + create.allow with input as content with data.karavi.common.roles as role +} + +test_snapshot_empty_request_allowed if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1", + "sub": "karavi-tenant", + }, + "request": [], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := {"us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "44000000"}}}}}}} + + create.allow with input as content with data.karavi.common.roles as role +} + +test_snapshot_infinite_quota_allowed if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1", + "sub": "karavi-tenant", + }, + "request": [ + { + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + { + "name": "k8s-0fc0695995-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + ], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := {"us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": 0}}}}}}} + + create.allow with input as content with data.karavi.common.roles as role +} + +test_snapshot_deny_role_with_insufficient_quota if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1", + "sub": "karavi-tenant", + }, + "request": [ + { + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + { + "name": "k8s-0fc0695995-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + ], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := {"us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "10"}}}}}}} + + result := create.deny with input as content with data.karavi.common.roles as role + + count(result) != 0 +} + +test_snapshot_deny_multiple_roles_with_not_permitted_pool if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1,us-west-1", + "sub": "karavi-tenant", + }, + "request": [ + { + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + { + "name": "k8s-0fc0695995-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "yellow", + }, + ], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := { + "us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "44000000"}}}}}}, + "us-west-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"silver": 4000000}}}}}}, + } + + result := create.deny with input as content with data.karavi.common.roles as role + + count(result) != 0 +} + +test_snapshot_deny_multiple_roles_with_insufficient_quota if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1,us-west-1", + "sub": "karavi-tenant", + }, + "request": [ + { + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }, + { + "name": "k8s-0fc0695995-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "silver", + }, + ], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + role := { + "us-east-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"bronze": "44000000"}}}}}}, + "us-west-1": {"system_types": {"powerflex": {"system_ids": {"2222": {"pool_quotas": {"silver": 4000000}}}}}}, + } + + result := create.deny with input as content with data.karavi.common.roles as role + + count(result) != 0 +} + +test_snapshot_deny_empty_roles if { + content := { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss": "com.dell.karavi", + "roles": "us-east-1", + "sub": "karavi-tenant", + }, + "request": [{ + "name": "k8s-0fc0695994-snapshot", + "protectionDomainId": "6b2ffe6c00000000", + "storagePoolId": "ae376b0300000000", + "volumeSizeInKb": "8388608", + "volumeType": "ThinProvisioned", + "storagepool": "bronze", + }], + "storagesystemid": "2222", + "systemtype": "powerflex", + } + + create.deny["no configured roles"] with input as content with data.karavi.common.roles as {} +} diff --git a/charts/csm-authorization-v2.0/policies/snapshot-create.rego b/charts/csm-authorization-v2.0/policies/snapshot-create.rego new file mode 100644 index 00000000..4b9872c3 --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/snapshot-create.rego @@ -0,0 +1,97 @@ +# Copyright © 2024 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.snapshot.create + +import data.karavi.common + +default allow := false + +allow { + count(permitted_roles) == count(input.request) + count(deny) == 0 +} + +# Deny if there are no roles found. +deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) +} + +# Deny if claimed roles has no match for the request. +deny[msg] { + count(permitted_roles) != count(input.request) + + unpermitted_requests := [req | + element := input.request[_] + + not permitted_roles[element.name] + + req := element + ] + + msg := sprintf( + "no roles in [%s] allow the %s Kb request on %s/%s/%s for %s", + [ + input.claims.roles, + unpermitted_requests[_].volumeSizeInKb, + input.systemtype, + input.storagesystemid, + unpermitted_requests[_].storagepool, + unpermitted_requests[_].name, + ], + ) +} + +# No OR in OPA, multiple rules are needed. +size_is_valid(a, b) { + to_number(a) >= to_number(b) +} + +# No OR in OPA, multiple rules are needed. +size_is_valid(a, _) { + to_number(a) == 0 +} + +# Create a list of permitted roles. +permitted_roles[snapshot] := roles { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # Iterate through the requests. + req := input.request[_] + + roles := [role | + sp := req.storagepool + size := req.volumeSizeInKb + + # Iterate through the roles in the request. + c_role := claimed_roles[_] + common.roles[c_role] + + system_ids := common.roles[c_role].system_types[input.systemtype].system_ids[input.storagesystemid] + pool_quota := system_ids.pool_quotas[sp] + + # Validate that the pool quota is valid. + size_is_valid(pool_quota, size) + + role := {"size": to_number(pool_quota), "storagepool": sp, "role": c_role} + ] + + # Ensure that the role list is not empty. + count(roles) != 0 + + # Set the snapshot name which creates an entry in the list. + snapshot := req.name +} diff --git a/charts/csm-authorization-v2.0/policies/volumes-create-test.rego b/charts/csm-authorization-v2.0/policies/volumes-create-test.rego new file mode 100644 index 00000000..619e5a8d --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/volumes-create-test.rego @@ -0,0 +1,117 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.create + +roles = { + "us-east-1": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": "44000000" + } + } + } + } + } + }, + "us-west-1": { + "system_types": { + "powerflex": { + "system_ids": { + "1111": { + "pool_quotas": { + "bronze": 83886080 + } + } + } + } + } + }, + "us-west-2-small": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": 83886080 + } + } + } + } + } + }, + "us-west-2-large": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": 838860800, + "silver": 93886080000 + } + } + } + } + } + } + } + +test_small_request_allowed { + allow with input as { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss":"com.dell.karavi", + "roles":"us-east-1", + "sub":"karavi-tenant" + }, + "request": { + "name":"k8s-0fc0695995", + "protectionDomainId":"6b2ffe6c00000000", + "storagePoolId":"ae376b0300000000", + "volumeSizeInKb":"8388608", + "volumeType":"ThinProvisioned" + }, + "storagepool":"bronze", + "storagesystemid":"2222", + "systemtype": "powerflex" + } with data.karavi.common.roles as roles +} + +test_large_request_not_allowed { + not allow with input as { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss":"com.dell.karavi", + "roles":"us-west-2-small,us-west-2-large", + "sub":"karavi-tenant" + }, + "request": { + "name":"k8s-0fc0695995", + "protectionDomainId":"6b2ffe6c00000000", + "storagePoolId":"ae376b0300000000", + "volumeSizeInKb":"9999999999", + "volumeType":"ThinProvisioned" + }, + "storagepool":"bronze", + "storagesystemid":"2222", + "storagetype": "powerflex" + } with data.karavi.common.roles as roles +} diff --git a/charts/csm-authorization-v2.0/policies/volumes-create.rego b/charts/csm-authorization-v2.0/policies/volumes-create.rego new file mode 100644 index 00000000..8015b82f --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/volumes-create.rego @@ -0,0 +1,93 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.create + +import data.karavi.common + +# Deny requests by default. +default allow = false + +# +# Allows the request if one of the claimed roles matches +# a role configured to allow the storage request. +# +allow { + count(permitted_roles) != 0 + count(deny) == 0 +} + +# +# Deny if there are no roles found. +# +deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) +} + +# +# Deny if claimed roles has no match for the request. +# +deny[msg] { + count(permitted_roles) == 0 + msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s", + [input.claims.roles, + input.request.volumeSizeInKb, + input.systemtype, + input.storagesystemid, + input.storagepool]) +} + +# +# These are permitted roles that are configured +# with the requested storage system, mapped to +# the allowable quota for the request storage +# pool. +# +# Example: { "role-1": 800000 } +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} + +# These are the permitted roles that are configured +# with zero quota, meaning infinite capacity. +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} diff --git a/charts/csm-authorization-v2.0/policies/volumes-delete.rego b/charts/csm-authorization-v2.0/policies/volumes-delete.rego new file mode 100644 index 00000000..2ee0938c --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/volumes-delete.rego @@ -0,0 +1,48 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.delete + +import data.karavi.common + +default response = { + "allowed": true +} +response = { + "allowed": false, + "status": { + "reason": reason, + }, +} { + reason = concat(", ", deny) + reason != "" +} + +# +# Ensure there are roles configured. +# +deny[msg] { + common.roles == {} + msg := sprintf("no role data found", []) +} + +# +# Validate input: claims. +# +default claims = {} +claims = input.claims +deny[msg] { + claims == {} + msg := sprintf("missing claims", []) +} diff --git a/charts/csm-authorization-v2.0/policies/volumes-map.rego b/charts/csm-authorization-v2.0/policies/volumes-map.rego new file mode 100644 index 00000000..15fb172e --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/volumes-map.rego @@ -0,0 +1,42 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.map + +import data.karavi.common + +default response = { + "allowed": true +} +response = { + "allowed": false, + "status": { + "reason": reason, + }, +} { + reason = concat(", ", deny) + reason != "" +} + +deny[msg] { + common.roles == {} + msg := sprintf("no role data found", []) +} + +default claims = {} +claims = input.claims +deny[msg] { + claims == {} + msg := sprintf("missing claims", []) +} diff --git a/charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego b/charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego new file mode 100644 index 00000000..0046f48b --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego @@ -0,0 +1,93 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.powermax.create + +import data.karavi.common + +# Deny requests by default. +default allow = false + +# +# Allows the request if one of the claimed roles matches +# a role configured to allow the storage request. +# +allow { + count(permitted_roles) != 0 + count(deny) == 0 +} + +# +# Deny if there are no roles found. +# +deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) +} + +# +# Deny if claimed roles has no match for the request. +# +deny[msg] { + count(permitted_roles) == 0 + msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s", + [input.claims.roles, + input.request.volumeSizeInKb, + input.systemtype, + input.storagesystemid, + input.storagepool]) +} + +# +# These are permitted roles that are configured +# with the requested storage system, mapped to +# the allowable quota for the request storage +# pool. +# +# Example: { "role-1": 800000 } +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} + +# These are the permitted roles that are configured +# with zero quota, meaning infinite capacity. +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} diff --git a/charts/csm-authorization-v2.0/policies/volumes-unmap.rego b/charts/csm-authorization-v2.0/policies/volumes-unmap.rego new file mode 100644 index 00000000..f4a85f1f --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/volumes-unmap.rego @@ -0,0 +1,42 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.unmap + +import data.karavi.common + +default response = { + "allowed": true +} +response = { + "allowed": false, + "status": { + "reason": reason, + }, +} { + reason = concat(", ", deny) + reason != "" +} + +deny[msg] { + common.roles == {} + msg := sprintf("no role data found", []) +} + +default claims = {} +claims = input.claims +deny[msg] { + claims == {} + msg := sprintf("missing claims", []) +} diff --git a/charts/csm-authorization-v2.0/templates/NOTES.txt b/charts/csm-authorization-v2.0/templates/NOTES.txt new file mode 100644 index 00000000..a006c075 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/NOTES.txt @@ -0,0 +1,14 @@ +The CSM Authorization deployment has been successfully installed. + +Execute the following commands in your shell to print the URL of the CSM Authorization NodePort LoadBalancer: + +export NODE_PORT=$(kubectl get --namespace {{ include "custom.namespace" . }} -o jsonpath="{.spec.ports[1].nodePort}" service {{ include "custom.namespace" . }}-ingress-nginx-controller) +export NODE_IP=$(kubectl get nodes --namespace {{ include "custom.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") +echo https://$NODE_IP:$NODE_PORT + +LoadBalancer host rules for proxy-server: +- {{ .Values.authorization.hostname }} +- {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local + +authorization.proxyHost value for a CSI Driver examples: +- {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization) diff --git a/charts/csm-authorization-v2.0/templates/_helpers.tpl b/charts/csm-authorization-v2.0/templates/_helpers.tpl new file mode 100644 index 00000000..918bda1e --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} diff --git a/charts/csm-authorization-v2.0/templates/authorization-controller.yaml b/charts/csm-authorization-v2.0/templates/authorization-controller.yaml new file mode 100644 index 00000000..027a46e8 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/authorization-controller.yaml @@ -0,0 +1,111 @@ +# Controller +apiVersion: v1 +kind: ServiceAccount +metadata: + name: authorization-controller + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: authorization-controller +rules: + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmroles"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmroles/status"] + verbs: ["get", "update", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmroles/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmtenants"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmtenants/status"] + verbs: ["get", "update", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmtenants/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages/status"] + verbs: ["get", "update", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages/finalizers"] + verbs: ["update"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "update", "get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: authorization-controller +subjects: + - kind: ServiceAccount + name: authorization-controller + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: authorization-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authorization-controller + namespace: {{ include "custom.namespace" . }} + labels: + app: authorization-controller +spec: + replicas: 1 + selector: + matchLabels: + app: authorization-controller + template: + metadata: + labels: + app: authorization-controller + spec: + serviceAccountName: authorization-controller + containers: + - name: authorization-controller + image: {{ required "Must provide the controller image." .Values.authorization.images.authorizationController }} + imagePullPolicy: Always + args: + - "--authorization-namespace={{ .Release.Namespace }}" + - "--health-probe-bind-address=:8081" + - "--leader-elect=true" + - "--tenant-service-address=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--storage-service-address=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--role-service-address=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + env: + - name: NAMESPACE + value: {{ include "custom.namespace" . }} + ports: + - containerPort: 50052 + name: http +--- +apiVersion: v1 +kind: Service +metadata: + name: authorization-controller + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: authorization-controller + ports: + - port: 50052 + targetPort: 50052 + name: http +--- diff --git a/charts/csm-authorization-v2.0/templates/certificate.yaml b/charts/csm-authorization-v2.0/templates/certificate.yaml new file mode 100644 index 00000000..70a5ec36 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/certificate.yaml @@ -0,0 +1,64 @@ +# If the cert and key are provided, use them to create a tls secret +{{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} +{{- $certificateFileContents := .Values.authorization.certificate }} +{{- $privateKeyFileContents := .Values.authorization.privateKey }} +apiVersion: v1 +data: + tls.crt: {{ $certificateFileContents | b64enc }} + tls.key: {{ $privateKeyFileContents | b64enc }} +kind: Secret +type: kubernetes.io/tls +metadata: + name: user-provided-tls + namespace: {{ include "custom.namespace" . }} + +--- +{{- end }} + + +# If the cert and key are not provided, user cert-manager to create a self-signed tls secret +{{- if or (not .Values.authorization.certificate) (not .Values.authorization.privateKey) }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned + namespace: {{ include "custom.namespace" . }} +spec: + selfSigned: {} + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: karavi-auth + namespace: {{ include "custom.namespace" . }} +spec: + secretName: karavi-selfsigned-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - dellemc + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + - client auth + dnsNames: + - karavi-auth + - karavi-auth.{{ include "custom.namespace" . }}.svc.kubernetes.local + - {{ .Values.authorization.hostname }} + {{- if .Values.authorization.proxyServerIngress.hosts }} + {{- range .Values.authorization.proxyServerIngress.hosts }} + - {{ tpl . $}} + {{- end }} + {{- end}} + issuerRef: + name: selfsigned + kind: Issuer + group: cert-manager.io +{{- end }} diff --git a/charts/csm-authorization-v2.0/templates/csm-config-params.yaml b/charts/csm-authorization-v2.0/templates/csm-config-params.yaml new file mode 100644 index 00000000..6f81c046 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/csm-config-params.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: {{ include "custom.namespace" . }} +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests }} + LOG_LEVEL: {{ .Values.authorization.logLevel }} + STORAGE_CAPACITY_POLL_INTERVAL: {{ .Values.authorization.storageCapacityPollInterval }} + {{- if (.Values.authorization.zipkin.collectoruri) }} + zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }} + zipkin.probability: {{ .Values.authorization.zipkin.probability }} + {{- end }} diff --git a/charts/csm-authorization-v2.0/templates/ingress.yaml b/charts/csm-authorization-v2.0/templates/ingress.yaml new file mode 100644 index 00000000..c7ad8b67 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/ingress.yaml @@ -0,0 +1,65 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} + annotations: + {{- if eq .Values.openshift true }} + route.openshift.io/termination: "edge" + {{- end }} + {{- if .Values.authorization.proxyServerIngress.annotations }} + {{- range $key, $value := .Values.authorization.proxyServerIngress.annotations }} + {{ $key }}: {{ tpl $value $ | quote }} + {{- end }} + {{- end }} +spec: + {{- if eq .Values.nginx.enabled true }} + ingressClassName: {{ .Values.authorization.proxyServerIngress.ingressClassName }} + {{- end }} + tls: + - hosts: + - {{ .Values.authorization.hostname }} + {{- if .Values.authorization.proxyServerIngress.hosts }} + {{- range .Values.authorization.proxyServerIngress.hosts }} + - {{ tpl . $}} + {{- end }} + {{- end}} + {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} + secretName: user-provided-tls + {{- else }} + secretName: karavi-selfsigned-tls + {{- end }} + rules: + - host: {{ .Values.authorization.hostname }} + http: + paths: + - backend: + service: + name: proxy-server + port: + number: 8080 + path: / + pathType: Prefix + {{- if .Values.authorization.proxyServerIngress.hosts }} + {{- range .Values.authorization.proxyServerIngress.hosts }} + - host: {{ tpl . $}} + http: + paths: + - backend: + service: + name: proxy-server + port: + number: 8080 + path: / + pathType: Prefix + {{- end }} + {{- end }} + - http: + paths: + - backend: + service: + name: proxy-server + port: + number: 8080 + path: / + pathType: Prefix diff --git a/charts/csm-authorization-v2.0/templates/policies.yaml b/charts/csm-authorization-v2.0/templates/policies.yaml new file mode 100644 index 00000000..02c9e52b --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/policies.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: common + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/common.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-create + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-create.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-delete + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-delete.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-map + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-map.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: powermax-volumes-create + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-powermax-create.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-unmap + namespace: {{ .Release.Namespace }} +data: + {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sdc-approve + namespace: {{ .Release.Namespace }} +data: + {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: snapshot-create + namespace: {{ .Release.Namespace }} +data: + {{- (.Files.Glob "policies/snapshot-create.rego").AsConfig | nindent 2 }} diff --git a/charts/csm-authorization-v2.0/templates/proxy-server.yaml b/charts/csm-authorization-v2.0/templates/proxy-server.yaml new file mode 100644 index 00000000..a447240e --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/proxy-server.yaml @@ -0,0 +1,162 @@ +# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt +# list configmaps to be loaded into OPA as policies. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: opa-viewer +roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: Group + name: system:serviceaccounts:{{ include "custom.namespace" . }} + apiGroup: rbac.authorization.k8s.io +--- +# Define role for OPA/kube-mgmt to update configmaps with policy status. +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ include "custom.namespace" . }} + name: configmap-modifier +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["update", "patch"] +--- +# Grant OPA/kube-mgmt role defined above. +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ include "custom.namespace" . }} + name: opa-configmap-modifier +roleRef: + kind: Role + name: configmap-modifier + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: Group + name: system:serviceaccounts:{{ include "custom.namespace" . }} + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["watch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages", "csmtenants"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +subjects: + - kind: ServiceAccount + name: proxy-server + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: proxy-server + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} + labels: + app: proxy-server +spec: + replicas: 1 + selector: + matchLabels: + app: proxy-server + template: + metadata: + labels: + app: proxy-server + spec: + serviceAccount: proxy-server + containers: + + - name: proxy-server + image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService }} + imagePullPolicy: Always + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . -}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--redis-sentinel={{ $str }}" + - "--redis-password=$(REDIS_PASSWORD)" + - "--tenant-service=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--role-service=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--storage-service=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + ports: + - containerPort: 8080 + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + - name: opa + image: {{ required "Must provide the openpolicyagent image." .Values.authorization.images.opa }} + imagePullPolicy: IfNotPresent + args: + - "run" + - "--ignore=." + - "--server" + - "--log-level=debug" + ports: + - name: http + containerPort: 8181 + - name: kube-mgmt + image: {{ required "Must provide the opaKubeMgmt image." .Values.authorization.images.opaKubeMgmt }} + imagePullPolicy: IfNotPresent + args: + - "--policies={{ include "custom.namespace" . }}" + - "--enable-data" + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: proxy-server + ports: + - name: http + protocol: TCP + port: 8080 + targetPort: 8080 diff --git a/charts/csm-authorization-v2.0/templates/role-service.yaml b/charts/csm-authorization-v2.0/templates/role-service.yaml new file mode 100644 index 00000000..1774b2c8 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/role-service.yaml @@ -0,0 +1,79 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: role-service + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: role-service +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: role-service +subjects: + - kind: ServiceAccount + name: role-service + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: role-service + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: role-service + namespace: {{ include "custom.namespace" . }} + labels: + app: role-service +spec: + replicas: 1 + selector: + matchLabels: + app: role-service + template: + metadata: + labels: + app: role-service + spec: + serviceAccountName: role-service + containers: + - name: role-service + image: {{ required "Must provide the role-service image." .Values.authorization.images.roleService }} + imagePullPolicy: Always + ports: + - containerPort: 50051 + name: grpc + env: + - name: NAMESPACE + value: {{ include "custom.namespace" . }} + volumeMounts: + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: role-service + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: role-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc diff --git a/charts/csm-authorization-v2.0/templates/storage-service.yaml b/charts/csm-authorization-v2.0/templates/storage-service.yaml new file mode 100644 index 00000000..6db19c2e --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/storage-service.yaml @@ -0,0 +1,199 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: storage-service + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: storage-service +rules: + - apiGroups: [""] + resources: ["secrets", "events"] + verbs: ["get", "patch","post", create] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages", "csmtenants", "csmroles"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "update", "get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: storage-service +subjects: + - kind: ServiceAccount + name: storage-service + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: storage-service + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: storage-service-tokenreview-binding + namespace: {{ include "custom.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: storage-service + namespace: {{ include "custom.namespace" . }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: storage-service + namespace: {{ include "custom.namespace" . }} + labels: + app: storage-service +spec: + replicas: 1 + selector: + matchLabels: + app: storage-service + template: + metadata: + labels: + app: storage-service + spec: + serviceAccountName: storage-service + containers: + - name: storage-service + image: {{ required "Must provide the storage-service image." .Values.authorization.images.storageService }} + imagePullPolicy: Always + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . -}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--vault-address={{ .Values.vault.address }}" + - "--vault-kv-engine-path={{ .Values.vault.kvEnginePath }}" + - "--vault-role={{ .Values.vault.role }}" + - "--vault-skip-certificate-validation={{ .Values.vault.skipCertificateValidation }}" + - "--redis-sentinel={{ $str }}" + - "--redis-password=$(REDIS_PASSWORD)" + - "--leader-election=true" + ports: + - containerPort: 50051 + name: grpc + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + - name: vault-client-certificate + mountPath: /etc/vault + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params + - name: vault-client-certificate + projected: + sources: + {{- if and (.Values.vault.clientCertificate) (.Values.vault.clientKey) }} + - secret: + name: vault-client-certificate + {{- else }} + - secret: + name: storage-service-selfsigned-tls + {{- end }} + {{- if .Values.vault.certificateAuthority }} + - secret: + name: vault-certificate-authority + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: storage-service + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: storage-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc +--- +{{- if .Values.vault.certificateAuthority }} +{{- $certificateFileContents := .Values.vault.certificateAuthority }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: vault-certificate-authority + namespace: {{ include "custom.namespace" . }} +data: + ca.crt: {{ $certificateFileContents | b64enc }} +{{- end }} +--- +{{- if and (.Values.vault.clientCertificate) (.Values.vault.clientKey) }} +{{- $certificateFileContents := .Values.vault.clientCertificate }} +{{- $keyFileContents := .Values.vault.clientKey }} +apiVersion: v1 +data: + tls.crt: {{ $certificateFileContents | b64enc }} + tls.key: {{ $keyFileContents | b64enc }} +kind: Secret +type: kubernetes.io/tls +metadata: + name: vault-client-certificate + namespace: {{ include "custom.namespace" . }} +{{- else }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: storage-service-selfsigned + namespace: {{ include "custom.namespace" . }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: storage-service-selfsigned + namespace: {{ include "custom.namespace" . }} +spec: + secretName: storage-service-selfsigned-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - dellemc + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + dnsNames: + - csm-authorization-storage-service + issuerRef: + name: storage-service-selfsigned + kind: Issuer + group: cert-manager.io +{{- end }} diff --git a/charts/csm-authorization-v2.0/templates/tenant-service.yaml b/charts/csm-authorization-v2.0/templates/tenant-service.yaml new file mode 100644 index 00000000..a73fbb64 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/tenant-service.yaml @@ -0,0 +1,68 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tenant-service + namespace: {{ include "custom.namespace" . }} + labels: + app: tenant-service +spec: + replicas: 1 + selector: + matchLabels: + app: tenant-service + template: + metadata: + labels: + app: tenant-service + spec: + containers: + - name: tenant-service + image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService }} + imagePullPolicy: Always + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . -}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--redis-sentinel={{ $str }}" + - "--redis-password=$(REDIS_PASSWORD)" + ports: + - containerPort: 50051 + name: grpc + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: tenant-service + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: tenant-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc diff --git a/charts/csm-authorization-v2.0/values.yaml b/charts/csm-authorization-v2.0/values.yaml new file mode 100644 index 00000000..06015f9b --- /dev/null +++ b/charts/csm-authorization-v2.0/values.yaml @@ -0,0 +1,76 @@ +--- +# set to true if installing on an OpenShift Container Platform +# if enabled, the OpenShift Ingress Operator will be used +# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section +openshift: false + +# set to true if installing on a Kubernetes Container Platform +# if enabled, NGINX Ingress Controller will be deployed +# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section +nginx: + enabled: true + +# if enabled, cert-manager will be deployed +# if cert-manager is already deployed, keep this false +cert-manager: + enabled: true + +authorization: + # images to use in installation + images: + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # proxy-server ingress will use this hostname + # NOTE: additional hostnames can be configured in authorization.proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: csm-authorization.com + + # log level for csm-authorization + logLevel: debug + + # number, as a string, of concurrent requests for the storage-service to make to PowerFlex + # currently only used with dellctl to list tenant volumes + concurrentPowerFlexRequests: "10" + + # tracing configuration + # this can be updated on the fly via the csm-config-params configMap + zipkin: + {} + # collectoruri: http://DNS-hostname:9411/api/v2/spans + # probability: 1 + + # proxy-server ingress configuration + proxyServerIngress: + ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + # storage capacity poll interval + storageCapacityPollInterval: 5m + +redis: + name: redis-csm + sentinel: sentinel + rediscommander: rediscommander + replicas: 5 + images: + redis: redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest + +vault: + address: https://10.0.0.1:8400 + kvEnginePath: secret + role: csm-authorization + skipCertificateValidation: true diff --git a/charts/csm-authorization/Chart.yaml b/charts/csm-authorization/Chart.yaml index e3a26410..a767ac9c 100644 --- a/charts/csm-authorization/Chart.yaml +++ b/charts/csm-authorization/Chart.yaml @@ -1,18 +1,18 @@ apiVersion: v2 name: csm-authorization -version: 1.10.1 -appVersion: 1.10.1 +version: 1.11.0 +appVersion: 1.11.0 type: application description: | - CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes + CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. dependencies: -- name: cert-manager - version: 1.10.0 - repository: https://charts.jetstack.io - condition: cert-manager.enabled -- name: ingress-nginx - version: 4.0.19 - repository: https://kubernetes.github.io/ingress-nginx - condition: ingress-nginx.enabled + - name: cert-manager + version: 1.10.0 + repository: https://charts.jetstack.io + condition: cert-manager.enabled + - name: ingress-nginx + version: 4.0.19 + repository: https://kubernetes.github.io/ingress-nginx + condition: ingress-nginx.enabled diff --git a/charts/csm-authorization/README.md b/charts/csm-authorization/README.md index 1b5eed59..9cde546b 100644 --- a/charts/csm-authorization/README.md +++ b/charts/csm-authorization/README.md @@ -8,7 +8,7 @@ You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 --> -# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart +# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart CSM for Authorization can be deployed using Helm. diff --git a/charts/csm-authorization/charts/redis/templates/redis.yaml b/charts/csm-authorization/charts/redis/templates/redis.yaml index cf077550..ce901eb4 100644 --- a/charts/csm-authorization/charts/redis/templates/redis.yaml +++ b/charts/csm-authorization/charts/redis/templates/redis.yaml @@ -1,4 +1,4 @@ -apiVersion: apps/v1 +apiVersion: apps/v1 kind: Deployment metadata: name: redis-primary diff --git a/charts/csm-authorization/policies/sdc-approve.rego b/charts/csm-authorization/policies/sdc-approve.rego index 2a816056..a0d2b53e 100644 --- a/charts/csm-authorization/policies/sdc-approve.rego +++ b/charts/csm-authorization/policies/sdc-approve.rego @@ -37,4 +37,4 @@ claims = input.claims deny[msg] { claims == {} msg := sprintf("missing claims", []) -} \ No newline at end of file +} diff --git a/charts/csm-authorization/policies/volumes-create-test.rego b/charts/csm-authorization/policies/volumes-create-test.rego index 619e5a8d..33d5ad00 100644 --- a/charts/csm-authorization/policies/volumes-create-test.rego +++ b/charts/csm-authorization/policies/volumes-create-test.rego @@ -74,7 +74,7 @@ test_small_request_allowed { allow with input as { "claims": { "aud": "karavi", - "exp": 1615426023, + "exp": 1615426023, "group": "DevOpsGroup1", "iss":"com.dell.karavi", "roles":"us-east-1", @@ -97,7 +97,7 @@ test_large_request_not_allowed { not allow with input as { "claims": { "aud": "karavi", - "exp": 1615426023, + "exp": 1615426023, "group": "DevOpsGroup1", "iss":"com.dell.karavi", "roles":"us-west-2-small,us-west-2-large", diff --git a/charts/csm-authorization/policies/volumes-delete.rego b/charts/csm-authorization/policies/volumes-delete.rego index 2ee0938c..f8247891 100644 --- a/charts/csm-authorization/policies/volumes-delete.rego +++ b/charts/csm-authorization/policies/volumes-delete.rego @@ -42,7 +42,7 @@ deny[msg] { # default claims = {} claims = input.claims -deny[msg] { +deny[msg] { claims == {} msg := sprintf("missing claims", []) } diff --git a/charts/csm-authorization/templates/NOTES.txt b/charts/csm-authorization/templates/NOTES.txt index af981ed2..a006c075 100644 --- a/charts/csm-authorization/templates/NOTES.txt +++ b/charts/csm-authorization/templates/NOTES.txt @@ -12,4 +12,3 @@ LoadBalancer host rules for proxy-server: authorization.proxyHost value for a CSI Driver examples: - {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization) - diff --git a/charts/csm-authorization/templates/csm-config-params.yaml b/charts/csm-authorization/templates/csm-config-params.yaml index aaf64a5b..19265cd1 100644 --- a/charts/csm-authorization/templates/csm-config-params.yaml +++ b/charts/csm-authorization/templates/csm-config-params.yaml @@ -10,4 +10,4 @@ data: {{- if (.Values.authorization.zipkin.collectoruri) }} zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }} zipkin.probability: {{ .Values.authorization.zipkin.probability }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/charts/csm-authorization/templates/proxy-server.yaml b/charts/csm-authorization/templates/proxy-server.yaml index a780ed46..ac2e6a2a 100644 --- a/charts/csm-authorization/templates/proxy-server.yaml +++ b/charts/csm-authorization/templates/proxy-server.yaml @@ -114,4 +114,4 @@ spec: - name: http protocol: TCP port: 8080 - targetPort: 8080 \ No newline at end of file + targetPort: 8080 diff --git a/charts/csm-authorization/values.yaml b/charts/csm-authorization/values.yaml index 700aeebd..756519de 100644 --- a/charts/csm-authorization/values.yaml +++ b/charts/csm-authorization/values.yaml @@ -1,3 +1,4 @@ +--- # if enabled, nginx ingress controller will be deployed # if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section ingress-nginx: @@ -11,10 +12,10 @@ cert-manager: authorization: # images to use in installation images: - proxyService: dellemc/csm-authorization-proxy:v1.10.1 - tenantService: dellemc/csm-authorization-tenant:v1.10.1 - roleService: dellemc/csm-authorization-role:v1.10.1 - storageService: dellemc/csm-authorization-storage:v1.10.1 + proxyService: dellemc/csm-authorization-proxy:v1.11.0 + tenantService: dellemc/csm-authorization-tenant:v1.11.0 + roleService: dellemc/csm-authorization-role:v1.11.0 + storageService: dellemc/csm-authorization-storage:v1.11.0 opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 @@ -32,7 +33,8 @@ authorization: # tracing configuration # this can be updated on the fly via the csm-config-params configMap - zipkin: {} + zipkin: + {} # collectoruri: http://DNS-hostname:9411/api/v2/spans # probability: 1 @@ -41,7 +43,8 @@ authorization: ingressClassName: nginx # additional host rules for the proxy-server ingress - hosts: [] + hosts: + [] # - application-ingress-nginx-controller.namespace.svc.cluster.local # additional annotations for the proxy-server ingress @@ -55,4 +58,4 @@ redis: # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, uncomment the following line and specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver to be configured with this instance of CSM Authorization - #storageClass: + # storageClass: diff --git a/charts/csm-encryption-rekey-controller/Chart.yaml b/charts/csm-encryption-rekey-controller/Chart.yaml index ec6a82eb..72ec5e5f 100644 --- a/charts/csm-encryption-rekey-controller/Chart.yaml +++ b/charts/csm-encryption-rekey-controller/Chart.yaml @@ -6,10 +6,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.6.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.2.0" +appVersion: "0.6.0" diff --git a/charts/csm-encryption-rekey-controller/templates/controller.yaml b/charts/csm-encryption-rekey-controller/templates/controller.yaml index aebb4321..fe7956b5 100644 --- a/charts/csm-encryption-rekey-controller/templates/controller.yaml +++ b/charts/csm-encryption-rekey-controller/templates/controller.yaml @@ -3,7 +3,7 @@ kind: ServiceAccount metadata: name: {{ .Release.Namespace }}-encryption-rekey-controller namespace: {{ .Release.Namespace }} ---- +--- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/csm-encryption-rekey-controller/values.yaml b/charts/csm-encryption-rekey-controller/values.yaml index c7701b2a..2b83949b 100644 --- a/charts/csm-encryption-rekey-controller/values.yaml +++ b/charts/csm-encryption-rekey-controller/values.yaml @@ -1,5 +1,5 @@ # Rekey controller image name. -image: dellemc/csm-encryption-rekey-controller:v0.2.0 +image: dellemc/csm-encryption-rekey-controller:v0.6.0 # Rekey controller image pull policy. # Allowed values: diff --git a/charts/csm-installer/templates/cockroach-db.yaml b/charts/csm-installer/templates/cockroach-db.yaml index e424d51c..d215bffe 100644 --- a/charts/csm-installer/templates/cockroach-db.yaml +++ b/charts/csm-installer/templates/cockroach-db.yaml @@ -109,7 +109,7 @@ spec: memory: "512Mi" limits: cpu: "2" - memory: "512Mi" + memory: "512Mi" ports: - containerPort: 26257 name: grpc diff --git a/charts/csm-installer/templates/csm-installer.yaml b/charts/csm-installer/templates/csm-installer.yaml index 200a3924..f05abc4c 100644 --- a/charts/csm-installer/templates/csm-installer.yaml +++ b/charts/csm-installer/templates/csm-installer.yaml @@ -150,7 +150,7 @@ spec: {{ if eq .Values.dbSSLEnabled "true" }} - name: dell-csm-installer-dbclient-certificates secret: - secretName: dell-csm-installer-dbclient-certificates + secretName: dell-csm-installer-dbclient-certificates {{ end }} - name: csm-admin-creds secret: diff --git a/charts/csm-installer/templates/secrets.yaml b/charts/csm-installer/templates/secrets.yaml index ec6f944d..764cc7e7 100644 --- a/charts/csm-installer/templates/secrets.yaml +++ b/charts/csm-installer/templates/secrets.yaml @@ -11,4 +11,3 @@ kind: Secret type: Opaque metadata: name: dell-csm-installer-secrets - diff --git a/charts/csm-installer/values.yaml b/charts/csm-installer/values.yaml index ef05735f..735319de 100644 --- a/charts/csm-installer/values.yaml +++ b/charts/csm-installer/values.yaml @@ -33,10 +33,10 @@ dbPort: 26257 dbSSLEnabled: "true" # CSM Installer image -installerImage: dellemc/dell-csm-installer:v1.0.2 +installerImage: dellemc/dell-csm-installer:v1.0.1 # CSM Data collector image -dataCollectorImage: dellemc/csm-data-collector:v1.0.2 +dataCollectorImage: dellemc/csm-data-collector:v1.0.1 # Admin username of CSM Installer adminUserName: diff --git a/charts/csm-replication/Chart.yaml b/charts/csm-replication/Chart.yaml index e76db85f..9bf18900 100644 --- a/charts/csm-replication/Chart.yaml +++ b/charts/csm-replication/Chart.yaml @@ -3,5 +3,5 @@ name: csm-replication type: application description: | CSM for Replication helm charts -version: 1.8.1 -appVersion: "1.8.1" +version: 1.9.0 +appVersion: "1.9.0" diff --git a/charts/csm-replication/values.yaml b/charts/csm-replication/values.yaml index 70f182a8..4f1bdd3d 100644 --- a/charts/csm-replication/values.yaml +++ b/charts/csm-replication/values.yaml @@ -5,7 +5,7 @@ replicas: 1 # image: Defines controller image. This shouldn't be changed # Allowed values: string -image: dellemc/dell-replication-controller:v1.8.1 +image: dellemc/dell-replication-controller:v1.9.0 # logLevel: Defines initial log level for controller. This can be changed in runtime # Allowed values: "debug", "info", "warn", "error", "panic" diff --git a/charts/karavi-observability/Chart.yaml b/charts/karavi-observability/Chart.yaml index f21f1f76..b3bd0dde 100644 --- a/charts/karavi-observability/Chart.yaml +++ b/charts/karavi-observability/Chart.yaml @@ -1,11 +1,11 @@ apiVersion: v2 -appVersion: "1.8.1" +appVersion: "1.9.0" name: karavi-observability description: CSM for Observability is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Observability provides Kubernetes administrators with visibility into metrics and topology data related to containerized storage. type: application -version: 1.8.1 +version: 1.9.0 dependencies: -- name: cert-manager - version: 1.10.0 - repository: https://charts.jetstack.io - condition: cert-manager.enabled + - name: cert-manager + version: 1.10.0 + repository: https://charts.jetstack.io + condition: cert-manager.enabled diff --git a/charts/karavi-observability/README.md b/charts/karavi-observability/README.md index edac243d..338e6a92 100644 --- a/charts/karavi-observability/README.md +++ b/charts/karavi-observability/README.md @@ -8,7 +8,7 @@ You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 --> -# Container Storage Modules (CSM) for Observability Dell Community Helm Chart +# Container Storage Modules (CSM) for Observability Dell Community Helm Chart CSM for Observability can be deployed using Helm. diff --git a/charts/karavi-observability/crds/cert-manager.crds.yaml b/charts/karavi-observability/crds/cert-manager.crds.yaml index 62f42682..eb8be408 100644 --- a/charts/karavi-observability/crds/cert-manager.crds.yaml +++ b/charts/karavi-observability/crds/cert-manager.crds.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.10.0" + app.kubernetes.io/version: "v1.11.0" spec: group: cert-manager.io names: @@ -1313,7 +1313,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.10.0" + app.kubernetes.io/version: "v1.11.0" spec: group: acme.cert-manager.io names: @@ -2377,7 +2377,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.10.0" + app.kubernetes.io/version: "v1.11.0" spec: group: cert-manager.io names: @@ -2577,7 +2577,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.10.0" + app.kubernetes.io/version: "v1.11.0" spec: group: cert-manager.io names: @@ -3868,7 +3868,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.10.0" + app.kubernetes.io/version: "v1.11.0" spec: group: cert-manager.io names: @@ -4241,7 +4241,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.10.0" + app.kubernetes.io/version: "v1.11.0" spec: group: acme.cert-manager.io names: diff --git a/charts/karavi-observability/otel-collector-config.yaml b/charts/karavi-observability/otel-collector-config.yaml index 382b9993..200e009b 100644 --- a/charts/karavi-observability/otel-collector-config.yaml +++ b/charts/karavi-observability/otel-collector-config.yaml @@ -6,20 +6,19 @@ receivers: tls: cert_file: /etc/ssl/certs/tls.crt key_file: /etc/ssl/certs/tls.key - + exporters: prometheus: endpoint: 0.0.0.0:8889 logging: - + extensions: health_check: {} - + service: extensions: [health_check] pipelines: metrics: receivers: [otlp] processors: [] - exporters: [logging,prometheus] - + exporters: [logging, prometheus] diff --git a/charts/karavi-observability/templates/NOTES.txt b/charts/karavi-observability/templates/NOTES.txt index 0a9aef0e..508b7bf2 100644 --- a/charts/karavi-observability/templates/NOTES.txt +++ b/charts/karavi-observability/templates/NOTES.txt @@ -4,7 +4,7 @@ CSM Topology The CSM Topology deployment has been successfully installed. {{ if contains "NodePort" .Values.karaviTopology.service.type -}} - Execute the following commands in your shell to print the URL that can be used to access the CSM Topology service: + Execute the following commands in your shell to print the URL that can be used to access the CSM Topology service: export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services karavi-topology) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") echo https://$NODE_IP:$NODE_PORT @@ -21,7 +21,7 @@ CSM Metrics for PowerFlex The CSM Metrics for PowerFlex deployment has been successfully installed. Provisioner Names: {{ .Values.karaviMetricsPowerflex.provisionerNames }} - Prometheus Scrape Target: + Prometheus Scrape Target: From inside the Kubernetes cluster: otel-collector:8443 {{- end }} @@ -33,7 +33,7 @@ CSM Metrics for PowerStore The CSM Metrics for PowerStore deployment has been successfully installed. Provisioner Names: {{ .Values.karaviMetricsPowerstore.provisionerNames }} - Prometheus Scrape Target: + Prometheus Scrape Target: From inside the Kubernetes cluster: otel-collector:8443 {{- end}} @@ -45,7 +45,7 @@ CSM Metrics for PowerScale The CSM Metrics for PowerScale deployment has been successfully installed. Provisioner Names: {{ .Values.karaviMetricsPowerscale.provisionerNames }} - Prometheus Scrape Target: + Prometheus Scrape Target: From inside the Kubernetes cluster: otel-collector:8443 {{- end}} diff --git a/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml index 0168734f..1c0c09f7 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml @@ -39,4 +39,3 @@ roleRef: apiGroup: rbac.authorization.k8s.io {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml index 177b3d1c..7c84d7b2 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml @@ -53,7 +53,7 @@ spec: image: {{ .Values.karaviMetricsPowerflex.image }} resources: {} env: - - name: POWERFLEX_METRICS_ENDPOINT + - name: POWERFLEX_METRICS_ENDPOINT value: "{{ .Values.karaviMetricsPowerflex.endpoint }}" - name: POWERFLEX_METRICS_NAMESPACE valueFrom: @@ -130,4 +130,3 @@ spec: status: {} {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml index 5998d872..fbfe62e6 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml @@ -39,4 +39,3 @@ roleRef: apiGroup: rbac.authorization.k8s.io {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml index 510e9460..d0d7868b 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml @@ -53,7 +53,7 @@ spec: image: {{ .Values.karaviMetricsPowerscale.image }} resources: {} env: - - name: POWERSCALE_METRICS_ENDPOINT + - name: POWERSCALE_METRICS_ENDPOINT value: "{{ .Values.karaviMetricsPowerscale.endpoint }}" - name: POWERSCALE_METRICS_NAMESPACE valueFrom: @@ -130,4 +130,3 @@ spec: status: {} {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml index ab16d674..e8e91c30 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml @@ -36,4 +36,3 @@ roleRef: apiGroup: rbac.authorization.k8s.io {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml b/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml index a54d1d5a..0fad0265 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml @@ -47,7 +47,7 @@ spec: image: {{ .Values.karaviMetricsPowerstore.image }} resources: {} env: - - name: POWERSTORE_METRICS_ENDPOINT + - name: POWERSTORE_METRICS_ENDPOINT value: "{{ .Values.karaviMetricsPowerstore.endpoint }}" - name: POWERSTORE_METRICS_NAMESPACE valueFrom: @@ -90,4 +90,3 @@ spec: status: {} {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-observability-configmap.yaml b/charts/karavi-observability/templates/karavi-observability-configmap.yaml index 87ae451e..dede710e 100644 --- a/charts/karavi-observability/templates/karavi-observability-configmap.yaml +++ b/charts/karavi-observability/templates/karavi-observability-configmap.yaml @@ -1,7 +1,7 @@ {{ if .Values.karaviMetricsPowerflex.enabled }} -apiVersion: v1 -kind: ConfigMap +apiVersion: v1 +kind: ConfigMap metadata: name: karavi-metrics-powerflex-configmap namespace: {{ include "custom.namespace" . }} @@ -20,13 +20,13 @@ data: LOG_FORMAT: "{{ .Values.karaviMetricsPowerflex.logFormat }}" {{ end }} - + --- {{ if .Values.karaviTopology.enabled }} -apiVersion: v1 -kind: ConfigMap +apiVersion: v1 +kind: ConfigMap metadata: name: karavi-topology-configmap namespace: {{ include "custom.namespace" . }} @@ -45,8 +45,8 @@ data: {{ if .Values.karaviMetricsPowerstore.enabled }} -apiVersion: v1 -kind: ConfigMap +apiVersion: v1 +kind: ConfigMap metadata: name: karavi-metrics-powerstore-configmap namespace: {{ include "custom.namespace" . }} @@ -72,8 +72,8 @@ data: {{ if .Values.karaviMetricsPowerscale.enabled }} -apiVersion: v1 -kind: ConfigMap +apiVersion: v1 +kind: ConfigMap metadata: name: karavi-metrics-powerscale-configmap namespace: {{ include "custom.namespace" . }} @@ -116,4 +116,4 @@ data: LOG_LEVEL: "{{ .Values.karaviMetricsPowermax.logLevel }}" LOG_FORMAT: "{{ .Values.karaviMetricsPowermax.logFormat }}" -{{ end }} \ No newline at end of file +{{ end }} diff --git a/charts/karavi-observability/templates/karavi-topology-service-account.yaml b/charts/karavi-observability/templates/karavi-topology-service-account.yaml index 71e3ad09..0c506cee 100644 --- a/charts/karavi-observability/templates/karavi-topology-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-topology-service-account.yaml @@ -33,4 +33,3 @@ roleRef: apiGroup: rbac.authorization.k8s.io {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-topology.yaml b/charts/karavi-observability/templates/karavi-topology.yaml index 68b4b199..24af5a24 100644 --- a/charts/karavi-observability/templates/karavi-topology.yaml +++ b/charts/karavi-observability/templates/karavi-topology.yaml @@ -72,4 +72,3 @@ spec: status: {} {{ end }} - diff --git a/charts/karavi-observability/templates/otel-collector.yaml b/charts/karavi-observability/templates/otel-collector.yaml index 093bf924..ca10c015 100644 --- a/charts/karavi-observability/templates/otel-collector.yaml +++ b/charts/karavi-observability/templates/otel-collector.yaml @@ -51,14 +51,14 @@ metadata: labels: app.kubernetes.io/name: otel-collector app.kubernetes.io/instance: {{ .Release.Name }} -spec: +spec: selector: matchLabels: app.kubernetes.io/name: otel-collector app.kubernetes.io/instance: {{ .Release.Name }} replicas: 1 strategy: {} - template: + template: metadata: labels: app.kubernetes.io/name: otel-collector diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml index 5378613e..f593addc 100644 --- a/charts/karavi-observability/values.yaml +++ b/charts/karavi-observability/values.yaml @@ -1,5 +1,5 @@ karaviTopology: - image: dellemc/csm-topology:v1.8.1 + image: dellemc/csm-topology:v1.9.0 enabled: true # comma separated list of provisioner names (ex: csi-vxflexos.dellemc.com) provisionerNames: csi-vxflexos.dellemc.com,csi-powerstore.dellemc.com,csi-isilon.dellemc.com,csi-powermax.dellemc.com @@ -13,7 +13,7 @@ karaviTopology: probability: 0.0 karaviMetricsPowerflex: - image: dellemc/csm-metrics-powerflex:v1.8.1 + image: dellemc/csm-metrics-powerflex:v1.9.0 enabled: true collectorAddr: otel-collector:55680 # comma separated list of provisioner names (ex: csi-vxflexos.dellemc.com) @@ -40,8 +40,8 @@ karaviMetricsPowerflex: authorization: enabled: false # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.10.1 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.10.1 + # Default value: dellemc/csm-authorization-sidecar:v1.11.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.11.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: @@ -53,7 +53,7 @@ karaviMetricsPowerflex: skipCertificateValidation: true karaviMetricsPowerstore: - image: dellemc/csm-metrics-powerstore:v1.8.1 + image: dellemc/csm-metrics-powerstore:v1.9.0 enabled: true collectorAddr: otel-collector:55680 # comma separated list of provisioner names (ex: csi-powerstore.dellemc.com) @@ -79,7 +79,7 @@ karaviMetricsPowerstore: probability: 0.0 karaviMetricsPowerscale: - image: dellemc/csm-metrics-powerscale:v1.5.1 + image: dellemc/csm-metrics-powerscale:v1.6.0 enabled: true collectorAddr: otel-collector:55680 # comma separated list of provisioner names (ex: csi-isilon.dellemc.com) @@ -116,8 +116,8 @@ karaviMetricsPowerscale: authorization: enabled: false # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.10.1 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.10.1 + # Default value: dellemc/csm-authorization-sidecar:v1.10.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.11.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: @@ -129,7 +129,7 @@ karaviMetricsPowerscale: skipCertificateValidation: true karaviMetricsPowermax: - image: dellemc/csm-metrics-powermax:v1.3.1 + image: dellemc/csm-metrics-powermax:v1.4.0 enabled: true collectorAddr: otel-collector:55680 # comma separated list of provisioner names (ex: csi-powermax.dellemc.com) @@ -153,8 +153,8 @@ karaviMetricsPowermax: authorization: enabled: false # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.10.1 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.10.1 + # Default value: dellemc/csm-authorization-sidecar:v1.11.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.11.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: diff --git a/ct.yaml b/ct.yaml index 5d440b84..99199ad1 100644 --- a/ct.yaml +++ b/ct.yaml @@ -5,3 +5,4 @@ target-branch: main chart-dirs: - charts validate-maintainers: false +check-version-increment: false diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md index beaa8c88..86bd6980 100755 --- a/docs/CODE_OF_CONDUCT.md +++ b/docs/CODE_OF_CONDUCT.md @@ -69,8 +69,8 @@ representative at an online or offline event. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported to the community leaders responsible for enforcement at our Slack group. -Click [Here](http://del.ly/Slack_request) to request your invite. +reported to the community leaders responsible for enforcement at our Slack group. +Click [Here](http://del.ly/Slack_request) to request your invite. All complaints will be reviewed and investigated promptly and fairly. diff --git a/docs/ISSUE_TRIAGE.md b/docs/ISSUE_TRIAGE.md index 463a7795..9a6229f8 100644 --- a/docs/ISSUE_TRIAGE.md +++ b/docs/ISSUE_TRIAGE.md @@ -120,11 +120,11 @@ The key here is asking for help and discuss issues to understand how more experi In case there is an uncertainty around the prioritization of an issue, please ask the maintainers for help. -| Label | Description | -| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | -| `priority/critical` | Highest priority. Must be actively worked on as someone's top priority right now. | -| `priority/high` | Must be worked on soon, ideally in time for the next release. | -| `priority/low` | Lowest priority. Possibly useful, but not yet enough interest in it. | +| Label | Description | +| ------------------- | --------------------------------------------------------------------------------- | +| `priority/critical` | Highest priority. Must be actively worked on as someone's top priority right now. | +| `priority/high` | Must be worked on soon, ideally in time for the next release. | +| `priority/low` | Lowest priority. Possibly useful, but not yet enough interest in it. | ### Critical priority @@ -194,52 +194,52 @@ This workflow starts off with a GitHub issue of type bug being created. The following flow chart outlines the triage process: -``` - +--------------------------+ - | New bug issue opened/more| - | information added | - +-------------|------------+ - | - | - +----------------------------------+ NO +--------------|-------------+ - | label: triage/needs-information --------- All required information | - | | | contained in issue? | - +-----------------------------|----+ +--------------|-------------+ - | | YES - | | - +--------------------------+ | +---------------------+ YES +---------------------------------------+ - |label: | | | Duplicate Issue? ------- Comment `Duplicate of #` - |triage/needs-investigation| | NO | | | Remove needs-triage label | - +------|-------------------+ | +----------|----------+ | label: triage/duplicate | - | | | NO +-----------------|---------------------+ - YES | | | | - | +---------------|----+ NO +------------|------------+ | - | |Needs investigation?|---------- Can it be reproduced? | | - |------- | +------------|------------+ | - +--------------------+ | YES | - | +----------|----------+ - +----------------------------------+ +------------|------------+ | Close Issue | - | Update issue with details ----------- Works as intended? | | | - | | NO | | +----------|----------+ - +-----------------|----------------+ +------------|------------+ | - | | | - | | YES | - | +----------------|----------------+ | - | | Add comment | | - | | Remove needs-triage label ------------------| - | | label: triage/works-as-intended | - | +---------------------------------+ - | - +---------|---------+ +----------+ - | Needs priority? -----------| Done ---------------------------------------- - +-------|-----------+ NO +----|-----+ | - | YES |NO | - +-------------|------------+ | +------------------|------------------+ - | label: priority/* | +----|----------------+ YES | Add details to issue | - | milestone? ----------- Signal Community? ---------- label: help wanted | - | Remove needs-triage label| | | | label: beginner friendly (optional)| - +--------------------------+ +---------------------+ +-------------------------------------+ - +``` + +--------------------------+ + | New bug issue opened/more| + | information added | + +-------------|------------+ + | + | + +----------------------------------+ NO +--------------|-------------+ + | label: triage/needs-information --------- All required information | + | | | contained in issue? | + +-----------------------------|----+ +--------------|-------------+ + | | YES + | | + +--------------------------+ | +---------------------+ YES +---------------------------------------+ + |label: | | | Duplicate Issue? ------- Comment `Duplicate of #` + |triage/needs-investigation| | NO | | | Remove needs-triage label | + +------|-------------------+ | +----------|----------+ | label: triage/duplicate | + | | | NO +-----------------|---------------------+ + YES | | | | + | +---------------|----+ NO +------------|------------+ | + | | Needs investigation? | ---------- Can it be reproduced? | | + | --- |+------------|------------+ | + +--------------------+ | YES | + | +----------|----------+ + +----------------------------------+ +------------|------------+ | Close Issue | + | Update issue with details ----------- Works as intended? | | | + | | NO | | +----------|----------+ + +-----------------|----------------+ +------------|------------+ | + | | | + | | YES | + | +----------------|----------------+ | + | | Add comment | | + | | Remove needs-triage label ------------------| + | | label: triage/works-as-intended | + | +---------------------------------+ + | + +---------|---------+ +----------+ + | Needs priority? -----------| Done ---------------------------------------- + +-------|-----------+ NO +----|-----+ | + | YES |NO | + +-------------|------------+ | +------------------|------------------+ + | label: priority/* | +----|----------------+ YES | Add details to issue | + | milestone? ----------- Signal Community? ---------- label: help wanted | + | Remove needs-triage label| | | | label: beginner friendly (optional)| + +--------------------------+ +---------------------+ +-------------------------------------+ + ``` If the author does not respond to a request for more information within the timespan of a week, close the issue with a kind note stating that the author can request for the issue to be reopened when the necessary information is provided. @@ -254,34 +254,34 @@ This workflow starts off with a GitHub issue of type feature request being creat The following flow chart outlines the triage process: -``` - +---------------------------------+ - |New feature request issue opened/| - |more information added | - +----------------|----------------+ - | - | - +---------------------------------+ NO +-------------|------------+ - | label: triage/needs-information ---------- All required information | - | | | contained in issue? | - +---------------------------------+ +-------------|------------+ - | - | - +---------------------------------------+ | - |Comment `Duplicate of #` | YES +----------|----------+ - |Remove needs-triage label ------- Duplicate issue? | - |label: triage/duplicate | | | - +-----------------|---------------------+ +-----------|---------+ - | | - | NO | - | +--------------|---------------+ - | | Assign priority | - | | label: priority/* | - | | label: type/feature | - +----------|-----+ +--------+ | Remove needs-triage label | - | Close issue | | Done ------ Remove type/feature-request | - | | | | | milestone? | - +----------------+ +--------+ +------------------------------+ +``` + +---------------------------------+ + |New feature request issue opened/| + |more information added | + +----------------|----------------+ + | + | + +---------------------------------+ NO +-------------|------------+ + | label: triage/needs-information ---------- All required information | + | | | contained in issue? | + +---------------------------------+ +-------------|------------+ + | + | + +---------------------------------------+ | + |Comment `Duplicate of #` | YES +----------|----------+ + |Remove needs-triage label ------- Duplicate issue? | + |label: triage/duplicate | | | + +-----------------|---------------------+ +-----------|---------+ + | | + | NO | + | +--------------|---------------+ + | | Assign priority | + | | label: priority/* | + | | label: type/feature | + +----------|-----+ +--------+ | Remove needs-triage label | + | Close issue | | Done ------ Remove type/feature-request | + | | | | | milestone? | + +----------------+ +--------+ +------------------------------+ ``` If the author does not respond to a request for more information within the timespan of a week, close the issue with a kind note stating that the author can request for the issue to be reopened when the necessary information is provided. diff --git a/docs/MAINTAINERS.md b/docs/MAINTAINERS.md index 549bec83..e921adca 100644 --- a/docs/MAINTAINERS.md +++ b/docs/MAINTAINERS.md @@ -16,7 +16,5 @@ You may obtain a copy of the License at * @hoppea2 * @coulof * @shaynafinocchiaro -* @lj-software -* @medegw01 * @sharmilarama * @tdawe diff --git a/installation-wizard/container-storage-modules/Chart.yaml b/installation-wizard/container-storage-modules/Chart.yaml index 1023a476..56d29aca 100644 --- a/installation-wizard/container-storage-modules/Chart.yaml +++ b/installation-wizard/container-storage-modules/Chart.yaml @@ -30,51 +30,51 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.3.2 +version: 1.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.3.2" +appVersion: "1.4.0" dependencies: -- name: csi-powerstore - version: 2.10.1 - repository: https://dell.github.io/helm-charts - condition: csi-powerstore.enabled + - name: csi-powerstore + version: 2.11.0 + repository: https://dell.github.io/helm-charts + condition: csi-powerstore.enabled -- name: csi-powermax - version: 2.10.1 - repository: https://dell.github.io/helm-charts - condition: csi-powermax.enabled + - name: csi-powermax + version: 2.11.0 + repository: https://dell.github.io/helm-charts + condition: csi-powermax.enabled -- name: csi-isilon - version: 2.10.1 - repository: https://dell.github.io/helm-charts - condition: csi-isilon.enabled + - name: csi-isilon + version: 2.11.0 + repository: https://dell.github.io/helm-charts + condition: csi-isilon.enabled -- name: csi-vxflexos - version: 2.10.2 - repository: https://dell.github.io/helm-charts - condition: csi-vxflexos.enabled + - name: csi-vxflexos + version: 2.11.0 + repository: https://dell.github.io/helm-charts + condition: csi-vxflexos.enabled -- name: csi-unity - version: 2.10.1 - repository: https://dell.github.io/helm-charts - condition: csi-unity.enabled + - name: csi-unity + version: 2.11.0 + repository: https://dell.github.io/helm-charts + condition: csi-unity.enabled -- name: csm-replication - version: 1.8.1 - repository: https://dell.github.io/helm-charts - condition: csm-replication.enabled + - name: csm-replication + version: 1.9.0 + repository: https://dell.github.io/helm-charts + condition: csm-replication.enabled -- name: karavi-observability - version: 1.8.0 - repository: https://dell.github.io/helm-charts - condition: karavi-observability.enabled + - name: karavi-observability + version: 1.9.0 + repository: https://dell.github.io/helm-charts + condition: karavi-observability.enabled -- name: cert-manager - version: 1.10.0 - repository: https://charts.jetstack.io - condition: cert-manager.enabled + - name: cert-manager + version: 1.11.0 + repository: https://charts.jetstack.io + condition: cert-manager.enabled diff --git a/installation-wizard/container-storage-modules/values.yaml b/installation-wizard/container-storage-modules/values.yaml index 8095f4c5..e1607e07 100644 --- a/installation-wizard/container-storage-modules/values.yaml +++ b/installation-wizard/container-storage-modules/values.yaml @@ -16,27 +16,27 @@ ## K8S/DRIVER ATTRIBUTES ################################### -## CSI PowerStore +## CSI PowerStore ######################## csi-powerstore: enabled: false - version: "v2.10.1" + version: "v2.11.0" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powerstore:v2.10.1 + driver: dellemc/csi-powerstore:v2.11.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.5.1 - podmon: dellemc/podmon:v1.9.1 - metadataretriever: dellemc/csi-metadata-retriever:v1.7.3 + replication: dellemc/dell-csi-replicator:v1.9.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.6.0 + podmon: dellemc/podmon:v1.10.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.8.0 ## Controller ATTRIBUTES controller: controllerCount: 2 @@ -121,31 +121,31 @@ csi-powermax: - storageArrayId: "000000000001" endpoint: https://primary-1.unisphe.re:8443 backupEndpoint: https://backup-1.unisphe.re:8443 - # - storageArrayId: "000000000002" - # endpoint: https://primary-2.unisphe.re:8443 - # backupEndpoint: https://backup-2.unisphe.re:8443 + # - storageArrayId: "000000000002" + # endpoint: https://primary-2.unisphe.re:8443 + # backupEndpoint: https://backup-2.unisphe.re:8443 managementServers: - endpoint: https://primary-1.unisphe.re:8443 - endpoint: https://backup-1.unisphe.re:8443 # - endpoint: https://primary-2.unisphe.re:8443 # - endpoint: https://backup-2.unisphe.re:8443 - version: "v2.10.1" + version: "v2.11.0" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powermax:v2.10.1 - csireverseproxy: dellemc/csipowermax-reverseproxy:v2.9.1 + driver: dellemc/csi-powermax:v2.11.0 + csireverseproxy: dellemc/csipowermax-reverseproxy:v2.10.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - authorization: dellemc/csm-authorization-sidecar:v1.10.1 - migration: dellemc/dell-csi-migrator:v1.3.1 - noderescan: dellemc/dell-csi-node-rescanner:v1.3.1 + replication: dellemc/dell-csi-replicator:v1.9.0 + authorization: dellemc/csm-authorization-sidecar:v1.11.0 + migration: dellemc/dell-csi-migrator:v1.5.0 + noderescan: dellemc/dell-csi-node-rescanner:v1.4.0 clusterPrefix: ABC portGroups: PortGroup1, PortGroup2, PortGroup3 controller: @@ -179,29 +179,28 @@ csi-powermax: storageCapacity: enabled: true maxPowerMaxVolumesPerNode: 0 - ## CSI PowerScale ######################## csi-isilon: enabled: false - version: "v2.10.1" + version: "v2.11.0" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-isilon:v2.10.1 + driver: dellemc/csi-isilon:v2.11.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - podmon: dellemc/podmon:v1.9.1 - authorization: dellemc/csm-authorization-sidecar:v1.10.1 - metadataretriever: dellemc/csi-metadata-retriever:v1.7.3 - encryption: dellemc/csm-encryption:v0.3.0 + replication: dellemc/dell-csi-replicator:v1.9.0 + podmon: dellemc/podmon:v1.10.0 + authorization: dellemc/csm-authorization-sidecar:v1.11.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.8.0 + encryption: dellemc/csm-encryption:v0.6.0 ## Controller ATTRIBUTES controller: controllerCount: 2 @@ -276,24 +275,24 @@ csi-isilon: ######################## csi-vxflexos: enabled: false - version: v2.10.1 + version: v2.11.0 images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-vxflexos:v2.10.1 + driver: dellemc/csi-vxflexos:v2.11.0 # "powerflexSdc" defines the SDC image for init container. - powerflexSdc: dellemc/sdc:4.5.1 + powerflexSdc: dellemc/sdc:4.5.2.1 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.8.1 - vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.5.1 - podmon: dellemc/podmon:v1.9.1 - authorization: dellemc/csm-authorization-sidecar:v1.10.1 + replication: dellemc/dell-csi-replicator:v1.9.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.6.0 + podmon: dellemc/podmon:v1.10.0 + authorization: dellemc/csm-authorization-sidecar:v1.11.0 certSecretCount: 0 controller: replication: @@ -316,7 +315,7 @@ csi-vxflexos: approveSDC: enabled: false tolerations: - # Uncomment if CSM for Resiliency and CSI Driver pods monitor is enabled + # Uncomment if CSM for Resiliency and CSI Driver pods monitor is enabled # - key: "offline.vxflexos.storage.dell.com" # operator: "Exists" # effect: "NoSchedule" @@ -344,8 +343,8 @@ csi-vxflexos: vgsnapshotter: enabled: false # maxVxflexosVolumesPerNode - Maximum number of volumes that controller can publish to the node. - maxVxflexosVolumesPerNode: 0 - + maxVxflexosVolumesPerNode: 0 + podmon: enabled: false controller: @@ -368,26 +367,26 @@ csi-vxflexos: - "--ignoreVolumelessPods=false" authorization: enabled: false - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.10.1 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.11.0 proxyHost: ## CSI Unity ######################## csi-unity: enabled: false - version: "v2.10.1" + version: "v2.11.0" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-unity:v2.10.1 + driver: dellemc/csi-unity:v2.11.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1 # CSM sidecars - podmon: dellemc/podmon:v1.9.1 + podmon: dellemc/podmon:v1.10.0 # certSecretCount: Represents number of certificate secrets, which user is going to create for # ssl authentication. (unity-cert-0..unity-cert-n) # Allowed values: n, where n > 0 @@ -397,13 +396,13 @@ csi-unity: # Allowed values: # ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined # and the volume's accessModes contains ReadWriteOnce. - # File: kubernetes may use fsGroup to change permissions and ownership of the volume + # File: kubernetes may use fsGroup to change permissions and ownership of the volume # to match user requested fsGroup in the pod's security policy regardless of fstype or access mode. # None: volumes will be mounted with no modifications. # Default value: ReadWriteOnceWithFSType fsGroupPolicy: ReadWriteOnceWithFSType - #To set nodeSelectors and tolerations for controller. + # To set nodeSelectors and tolerations for controller. # controller: configure controller pod specific parameters controller: controllerCount: 2 @@ -453,7 +452,7 @@ csi-unity: # - key: "node.kubernetes.io/network-unavailable" # operator: "Exists" # effect: "NoExecute" - # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled + # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled # - key: "offline.vxflexos.storage.dell.com" # operator: "Exists" # effect: "NoSchedule" @@ -534,5 +533,5 @@ karavi-observability: ## K8S/Cert-manager ATTRIBUTES ######################## -cert-manager: +cert-manager: enabled: false diff --git a/kubelinter-config.yaml b/kubelinter-config.yaml index 9e79fd83..0eefc43b 100644 --- a/kubelinter-config.yaml +++ b/kubelinter-config.yaml @@ -54,7 +54,7 @@ checks: # NOTE: manually exclude failing for documentation, fix them in future or # comment why are they disabled. exclude: - - "access-to-secrets" # NOTE: COSI Provisioner Sidecar requires access to secrets + - "access-to-secrets" # NOTE: COSI Provisioner Sidecar requires access to secrets - "dnsconfig-options" - "minimum-three-replicas" - "no-liveness-probe"