From 7895d8617492c6e88277973d3f681ebda92b3c79 Mon Sep 17 00:00:00 2001
From: Lucas Lopes
Date: Mon, 18 Dec 2023 10:10:42 -0300
Subject: [PATCH 01/10] Emptying release.yaml before release
---
release.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/release.yaml b/release.yaml
index 33089a00da..8b13789179 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,2 +1 @@
-rancher-webhook:
- - 103.0.1+up0.4.2
+
From 16509bc458fed4cadfe2a3811fcae4e5abe30913 Mon Sep 17 00:00:00 2001
From: Lucas Lopes Date: Mon, 4 Dec 2023 13:10:19 -0300 Subject: [PATCH 02/10] make forward-port neuvector 102.0.6+up2.6.6 --- .../neuvector/neuvector-102.0.6+up2.6.6.tgz | Bin 0 -> 21605 bytes charts/neuvector/102.0.6+up2.6.6/.helmignore | 21 + charts/neuvector/102.0.6+up2.6.6/Chart.yaml | 27 + charts/neuvector/102.0.6+up2.6.6/README.md | 256 +++++++++ .../neuvector/102.0.6+up2.6.6/app-readme.md | 35 ++ .../102.0.6+up2.6.6/crds/_helpers.tpl | 32 ++ .../neuvector/102.0.6+up2.6.6/questions.yaml | 336 +++++++++++ .../102.0.6+up2.6.6/templates/NOTES.txt | 20 + .../102.0.6+up2.6.6/templates/_helpers.tpl | 55 ++ .../templates/admission-webhook-service.yaml | 18 + .../templates/cert-manager-secret.yaml | 33 ++ .../templates/clusterrole.yaml | 121 ++++ .../templates/clusterrolebinding-least.yaml | 150 +++++ .../templates/clusterrolebinding.yaml | 147 +++++ .../templates/controller-deployment.yaml | 264 +++++++++ .../templates/controller-ingress.yaml | 219 ++++++++ .../templates/controller-route.yaml | 98 ++++ .../templates/controller-secret.yaml | 15 + .../templates/controller-service.yaml | 97 ++++ .../templates/crd-role-least.yaml | 299 ++++++++++ .../102.0.6+up2.6.6/templates/crd-role.yaml | 299 ++++++++++ .../templates/enforcer-daemonset.yaml | 150 +++++ .../templates/init-configmap.yaml | 13 + .../templates/init-secret.yaml | 15 + .../templates/manager-deployment.yaml | 118 ++++ .../templates/manager-ingress.yaml | 71 +++ .../templates/manager-route.yaml | 33 ++ .../templates/manager-secret.yaml | 15 + .../templates/manager-service.yaml | 26 + .../102.0.6+up2.6.6/templates/psp.yaml | 86 +++ .../102.0.6+up2.6.6/templates/pvc.yaml | 27 + .../templates/registry-adapter-ingress.yaml | 109 ++++ .../templates/registry-adapter-secret.yaml | 15 + .../templates/registry-adapter.yaml | 192 +++++++ .../102.0.6+up2.6.6/templates/role-least.yaml | 29 + .../templates/rolebinding-least.yaml | 62 +++ .../templates/rolebinding.yaml | 56 ++ .../templates/scanner-deployment.yaml | 102 
++++ .../templates/serviceaccount-least.yaml | 47 ++ .../templates/serviceaccount.yaml | 13 + .../templates/updater-cronjob.yaml | 79 +++ .../templates/validate-psp-install.yaml | 7 + charts/neuvector/102.0.6+up2.6.6/values.yaml | 521 ++++++++++++++++++ index.yaml | 31 ++ release.yaml | 3 +- 45 files changed, 4361 insertions(+), 1 deletion(-) create mode 100644 assets/neuvector/neuvector-102.0.6+up2.6.6.tgz create mode 100644 charts/neuvector/102.0.6+up2.6.6/.helmignore create mode 100644 charts/neuvector/102.0.6+up2.6.6/Chart.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/README.md create mode 100644 charts/neuvector/102.0.6+up2.6.6/app-readme.md create mode 100644 charts/neuvector/102.0.6+up2.6.6/crds/_helpers.tpl create mode 100644 charts/neuvector/102.0.6+up2.6.6/questions.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/NOTES.txt create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/_helpers.tpl create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/admission-webhook-service.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/cert-manager-secret.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/clusterrole.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding-least.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/controller-deployment.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/controller-ingress.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/controller-route.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/controller-secret.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/controller-service.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/crd-role-least.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/crd-role.yaml create mode 100644 
charts/neuvector/102.0.6+up2.6.6/templates/enforcer-daemonset.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/init-configmap.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/init-secret.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/manager-deployment.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/manager-ingress.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/manager-route.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/manager-secret.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/manager-service.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/psp.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/pvc.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-ingress.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-secret.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/role-least.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/rolebinding-least.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/rolebinding.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/scanner-deployment.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount-least.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/updater-cronjob.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/templates/validate-psp-install.yaml create mode 100644 charts/neuvector/102.0.6+up2.6.6/values.yaml 
diff --git a/assets/neuvector/neuvector-102.0.6+up2.6.6.tgz b/assets/neuvector/neuvector-102.0.6+up2.6.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..d98291b9799125c2c89043e456f930a2c3aec86c GIT binary patch literal 21605 zcmV*sKtsPDiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYeciT47IQsmpPl2nnH!n3Mzq_lueeTb7+}2MMN5^*3XV0EJ z2}D8?))c`4pd4+|``Pco8wrviMZH*d5^?vWG6@U@17Kz_7|cW{nIfMP+C3XX$~!YS z3IA)&&+hK-?(yNF{O|7WZt=f+$A`!NwRd>5e{{0Hdvdt@U%Pt;`}@291$Nhsi0erh zhxEU8S8l7=xi92_QA9Z8m_)4C0>FnHhGf+7A?G3LVA6#NCmxO%hhf+Q>2&dY8vHbY z+#fq@`G|5n#3<+i3L}4vsIyprSscQd7r_bYflHLUlfa#2Z<7J?rie03q8@nq-#_hj z_I~W_db{B7V6U_PH}UhSv!;N~V(6nDP%pi#8*IinnmDTw)&n7ql8?@>F`^U9nK!2t zB~u(A=8dM*qF%=*lkRlSSw+(;*Hy6JIniC+@BCQZQ;I?a8PfDjn{$@svse%$Oc+Ph zMrqE?aUj3m@Y5|+VLp(ydn7;jc1CGpiZKz!4{aj}hQ# z5{Hl@)@ij!j3PG1L*4^J7&6pqQ8dDg(^(G$#J@$fgGq~^Nv}l*(C-0G69k?BivCP6 z6^#>WBnyBEAESt4U&^tT<{_uPPm+k+D^f5=-luqqLo`BZ)1#0KVAyL09y~LP`R`Y% z!27pXul~FHTyakxA|XcsNNA{jC<&vfe3kaH-IiZt7OP?aph!?J&}e}tpnu)hFDEGC zfQ?BK1|ZPm#fipWNa$Ztgec_b3{kF#)oSU2?_h`n%x8T>F$sF$;P|N3!VyO_Qk_;! zfV(k@fRNkX1V(U#s2FrD_%%huD4Lo;i+Ep*sOUSQTvt>b%6CVR0{Im20-y8@#8yl2 zZA!vWfp`KghN|)o$i9F(9EKnwTuiYPy_VIU>^%UsW&=L`)dGNVL88%2;iu%^6$wKe zjo!uq0g^}s<3fB-X^NVz&lf)V1XZRU?rkc5a{3i7r9 zh$$vQuAPODvGgSgUcmth4M}1WoR;W>qG=EO^Iw97!y%3^*A$b5IX=z36b+#vq7(%$ z6N;nJwL%0(ql-~Q(%0u7k)KFqKvx6619u3I#$3p|-Sn+$N4If<=%iCry-;?r$k10t;WBplB%+%+hH8M{u=F|h9 zv-bda;`#af*NaPVc7Anp@yo^8>CL%(TPk*b`Ld>v56?ExN`M&GBse?WM1yjDRKf0F zUA#NJIS0R=|DzhVqmX8SjFE<7HZMXnOOMSQc1#xZ5eq_%&O(SM_6O+uh_Tls$d;}L zt`H3VpqQiAFq$dZ#0iBXB)O$3=ffEKn$N-iBozIELv%fc6wMKEhS>tZL}~Mh~?03Gh8Jk2|+W;S{4u_A-{+R9kR!t(hfElQNUdWHL!2P09}F%Uz);Cq?-6>FaZF zb}FmDFqH3nGKooqBF@0GjDPI_=EEowKVSf3E`})z0E&i$`iMSPbSm~M?U_r+s{+pM z7CP)xu3!65z4f7Z37&vS!le8cm@_y*c5h5eofZH?6lgZ8Fq=TJ*-crY%?!m9{v|CA zUdxi;A{q%4kkjJf(W4iv?;n16WrsFju3BK+&+a{F#eb) z8sX?;M`P5<3#kG0Z&4I@F(sV%Bx#?6>5T?hz(EBjG@S) zTaL2jC|i!Q+E?oQG-6Eu+)oc)u(?Z3wQwb;ENR;sw?thoQ zT3^oIIz0iGZ*I{! 
z#TRB<2!Bb!P#KJ2Fu}G}uCK{%i@7TjrX^cums+$XoA-?^$%~tHO%sYYxsAGsG%#N` zut~4Ol4~0jTZ*)3I7B}0flH!IwkX@2_oThi6BD(-f7KRxB@o)a;Kd<~&?Di`Tf0hg zyGqMC=dl--IXAk$b){RVTUO4+BG!RY3|N>pFJBw;`V+%&6tg*ddwuif_51$mujlW7 zJ3oDSe)azB&8s(8SxJ2y&;#u!zsRRu59OCPZ*Cew$(!oIB?(ZU$nnuffJ*ZNoB$7; zDF==V#r{JAgP&mtBVW8KoB8#?TYDX8+059tIy>zQ5Ql|TD+_v}0dJsN@Um6Y7DR2Y z3ddu~AQBV24da;UzZ7BT?a7{i*YFkrmQa*VL=;WMh>NwX&Q!%*F7C-%xgA(>j?US5 zWt%Q*!{y#=HQI$V*nw1Su+|2D{-$beP31OHjW$tpHc)G_v2S=6c0c>4e0c-Kmj@hR zGV>(#v~*otcVo;^h#B{kp!O(?Mxq~k9r?d@BPdnIn)+IblAfs?l2M7-kSLs~r5yzx zCmxCdF`AM^0MF20^;aGT#hd|6Kfq8p^cWtAeSnxfbGDO0NX|SSGEcpHBH@#ZkvLxuiO8swY^wFlZY)cG+x+B0Ka9&Oin=WFln?jP#vg)uLWdd0Zg z+XB}taLt2Ue@k=0F&mbh4-(iDaP#U~uEy>ynstECG2wuri0|aS0GMzxfgJlV3};}Z zouC4xfexf*9&|KJ16sR9^}w@;L};F>y?|b=gol_*bdb?4-d3W@dS}M@g#6Z5>L!8i$h7(V6quWZ`48nnSa^wpOvaRy*ig zOlMn{*0!wPwzB4SKf0Ua?5|#bdz8i>r%Y;K0IC#Kl}4Zy+-sBxlNwFca@U9x!>VB(LuU)=!Q8fN&lnDtg2l zf>hmSV?5C?GN4Wf1?tsd<5Nr;!JwGPe{?+TFO*CGNjSrS;y0Qv@5n#WTfX4!)hmEmuQld8?sdDLK2-u2 zJ2wGY;D9DH09F^grd-|h&vh@%*3jWa5NGhnPlV>7zM1?(!JITlYzD|x3o(L zv8mq?i$=5qz~!5l=kNP(u5Nz%?wQa)eI9}l;=uFLOXfiI>PlV2?p&sC|N0Af1pJ$k zNG$T7+MhZsMt(=S4gPcYU!6!}@K-y%1Z~L&{mQ#Tg9JY}h+OmwXb2!|DP%B56Nv}o zkSDAIgFuV}lJE2%f3-!+$RCr`VdOiFNAJ6oGPxnkD4epKc_co2_4fMa{Hol!rD^P& zrW?{W-@^=_-j9ce2Nm6WWm(|nPokUi9=PCO0%w53TLd5&qB}6bQNr~VTrr((nBbzX zuhpi?ZYLG}e?ab!m7JHOXHWg7HVN6(Z%D?wDgr%iwE(z2zj}9Z=9qwu8>oO@8b37~ zZTqHS5n^KE*fl3J?5q)sf|Q-8pAXG>AIIa8|L?~rj1grW9}H=?h7!*lb+gR;SdQv^^@2;K!1#S;6+z1o9>I&`NvqO34+at1rEqiiFz3~ zsHMw!+Nlz>vmgTUQY-MX@ACe7M+F=bTp{I`qU4(?qEzS+pM}mE`QZ3K{=}2(WH`hh zLEFoKiM1?#D-6#lf?RM@)5b6f!x{K9fuRgW17I9W+&is5kb*ADbJ2$A2Ll7-L$MiT zWP-r&sf|hXc!*ILFaRl1dmj`48QTCe@N6)X)OdM$Ey@bcD`d~}PU~U_bXXPzB$XK| z42pb*dG5#xKqf>&5{4Sv8sZMMgJeb%JWT0nKBhD^Whx6aBD#=%=8x}W2YNp>A6E;{ zlokp~PE=&L=H4!hU`%nuhoJpE^S)>80yNd`A~UV(cWwq+Lo1eyj_V?ZRSvJ7E2@;d z&|W*lvRu2eLpHtDZykvTe3oW8A#vM3v_boQdx6@A_O<-h2Axci(9oZE0#U=BLxR9Iv}a?;en+$1yUs0| zJ(raLuu%F5;3z;JOGWb&Nvx+VmPUeHaPkE{15U0v6-?kW7#ts>$al^iJTwr>W7{r% 
zs+xdiAXJ=@_ZpG+#_H+h3o7D?iSp!(P~t$T+g=JlZZ)>+SJXp`!*A|!>3^x2$DoBH9;JjyDr73J#6ZGrHP`; z>0o~InMUz_YUO0nz8wrUx*iuPK|2EcOXBruM9l>ub#b^KlH z-wpz$kI7dG3pX$R=i&ZdVgGk>a&ov`|C@LUia~lVWQFsx4ZSwIu%}4}lWxjB)U7fH z_pp|Rv!N_Lm|7%Fc!^ox428pM=?WsxD?QI^hOFfQwPB0{?YY(idnZTxyJPSK?1LGC zl!@*ngMTAmJEIXgf)V~t-r2~@#Y@HP>@+>(@yTRDqRTwT?pSAxK_m~UB`nWfBoE&9 zpjnhA34dZaq@p))5YL4*x$a>3@62N89+%n|TWSpAKNQRsD|mhhlSX z9}Z^cZqFE+Oc6aJlNeG2+A<*XzPH;3&sZ{GoPs^z?Sal2jNt%>m}A5`zb6Bvd2;7h z%=ORb&+Rr3YTAqlmuNkAHvhL(TNfL0fj~jh!Gw{dfTI9MBTofO+?>izlTd|ChB5wCFn%pOr2AIR z5yev{o-L)*2kJ)}L)u)#l#*BcIYo4!>y4!Arw2mJ)Q>wI%iPnBi!G@_Y-dH~tPl-9 z#Iz`Itehi2Y05}Pz}(oBr;se8f}A&-Bo^sP4OR|Exm_V&H8ENGLjAHNaIS>)z8R|9 zNj!(OnH~D0U~nlm+IU+(f2J_R0pvIuY4bwvK8%_$lZ4lnXvPtJd8%PEN2$xB5IOkd z;X;GE+_3rNQH+-&=N$H;*Q|*xTu1c>a8#J1{~LnK$mz>&2IlDhCwoWxMf>mG(f0g* zBag%XPwoNCANi2^-{{uh+Z3QbtF`|)w+JLe(m13?Mi2ghDsI?x4P9EsaAb=fiyHM^ z)z&#F6LLo;I_X4OJs01>3s;?6emAb{uMf5cvn3grEaH%jgCX2ZsfIX)d5;FTYf^P@h#IO=(zHC?D=MyS}A-37TxJ0TV{Kp7Es>Q^xmWB`S3YSn-y#;<==bwP@JYSH#4Q@|=~= z$9}HGB?n+dWK6Jin&-~B*Hz-JqVBxb<#nNc5{4>Dku@B}FBxz29G8+S!7R}IQrPjV zQaK`d1sQ5!%)_MM9G;Osx4pY8`y`YLISSaCU^U!1yGmC}4XTuSp2l!?jOtu{!UUwx z>x-2En}puz9xHX7EsI`Xuy~Y8ayYVip-!+M2Af12eYEn$>nWo~GM_UCxB}VN&&#y9 z(mZRJK~^&51bh2=ob7o~hSd~6UK)uW!2m~yu|6dOlqUrGn8^h5=-|P{*YbuBp>zs4j;GhMk6`T62< zvnbR|eU+ksG2&7lZRD>`FVB8Ezj}Xt{l-05Z7W5OtKxaTqMpSP@`2hC8iK$6YR_96 zwVRH3>ep>1WOlD#aEPwQkfM1sIJ>!e^}c_8b$xMt^ZxA3Rua6iv-0 z*s%p`#4x5LOeW~HkQ1!91}EZeKMUTUF0(>sw7i&lOc1B=QSgd4Q8>%zE~;!|`aVE| zWK`9H>tl5bj`^%J7E}&k5urIr4+_*ZffaRww+C!PE!mkMHq@ld;ILRz`NR(n@QuLO z89WLwinBYLJ314FSE!YrKLz!mh`^XI-i;~ooh^tD-jswZLHA`yASZnFX_Xcb_q%F` z?ruPS@)SpC+D47JAqzpJZ6)=?E3nJ#_M$fHG8TH`S1wnKdRQ`072TSm-MY>?Q#Cab zhNzWiZ7H%=B5u-WE`_+xinA`nU8}gx%Cf#Oswt!A-UHCTrp)38-C`X# z(7MYln;bF?*H4<|blroP@5{m~$=R1VOKJmsfgK0zWxAqLW39C(rTJ=Qmi?7NANBK_ zxP#r@mI28)q`Xf;?9Y1OG`xc|lNMM>6qkvis4~{rge?6$*W(ybh8af@etHff5eRAXe8@{&uQTI>;TLQAcyUe6}G4rEw*V$%j8k6h)h@wJgZQg5R$@+ zKr-cvfU5LtH|rDXjGWSWBS775!oe-QdiBlK$ihm0>{@ubiuhJxw`r&fm!XTo&EVGT 
zA4*_FSu5S!eBe#C45e0bmF71$51dxzE2!a~3JyKHcCO_VcCSvEt_8zptUF{y1>KvY zJI9p#8~Gd+ENl+5qk^X3yoRyMfK#-~;s}>bbO4Z8uxl7Pb!gQ_txaz6H9fc&cP=wQQ_RvC&A0K z4?oL3H1_fd1`Eb!p5W*-ODgOhqasDu;?S~b563zFeLJ^JK8%b=6~4T-P_*( z+{iQE|F4`qCda2rxj<{U$=V>7!Ka6Ya&Uodo7 zgLmHMlVi*uUj5&Ki$L*hwJ@uI@)`V@5N-~3^P;Q<4mW;vJk(JXh1!%R_ozq0PApsB zOnIZ&L~gt4x|uovIIEiTh$bB_e&zyrKeH5ZB2$D?7g~)>&%cVbmyz#tJr`HS1AZZg!vCY|9hA zaGtQDK2==o3mK!fx&9x~Gw1x5l7z3E1a?mR-=mY`!(#sLqup)%myJB1s;- z-zJ{<{=W`^;<{!cihSosp!bu-9oyL#QLOh97@_DIg~Mw+iclcyib@dT{Kor63~=$C9^G8eR_2cUic!kiUuHp9yN2YW8jHT)aF> z0I2$`6B2Tp#BJ~_z&;11we3rjC7jxzeT!yo(6-TNgLX!h1ho}uJHMmZ zbH%;w%i50t=NL^Ya2CV=99Wl7P!wdWYHK0f#50%wOW}X7`M(Yij(3av|KwzU%l|j= zG~@pjY*s0Tb$m9jAU<048vvd2?xNoVmn1@3eN9iaVs*0dV|I-{ri2rpggwx{IqRF? zRI2}N4b9_z?8!>)5}dtd;OsSm^Y&#GoFuT|D`{o_8>i)4*gW%Tec2kVwu{a! z^SH3mEX}nS8M_QICKioy$^AB$PNOvwO-&jIMXATYk*yZUq|A!TD2sR6tX2GE@#c|? zQs#jWGxZ}tA>wEue!QJ&t1{^aop2Awn~UB4Mp$wX#^3tlXt*kZF#ZBLu>iiO3tTdxN7d;@C#II99Z9vF0-9T3v%Iyolg(RcuPJ1l6mc?O@vGT z>Ylpu|J6_a)idw>|9G!>{(p3Qe7rsX-^63FovjbR)(2qg1F-c0cog$%>jSV!9{|gb zljTZe4R27vtHoyPC$RMs*!l^4IWukRCvbm$0$)Gd-ue=3eF?U{1Y2K%tuMisJK?sz z1o!Pr@YU!6+qJdzH~3=w4ZfOHw>?VU`Xp?95*`(&-ufhbGyM2r{T5v3|0o&~>Lcm} z5KTzLRt*3-=lp+vfA_c)|7-tbd;Y(Pr*Qw@481G*<9$X0hH=d5n5!cjP>I>Tl(Y4E zPUOdQa>ry7;eZRQbuK$L@m17;@-?TBqmhg~>7|iiier^83qFI$4ir-in=*miAHT9X zREnfhAd%^&u5Qs*JYf#fJXq?PE0DzVsTfKp?Qcv1g@3WQ6)MM&;KyQ_R0Pd!T;uPptlz!cD^TKb%XI((0Xfb}vL zm8hi)&c9^f=VwOGXz6QL9oGUx#rCaCZ!M~(Rq>giH&he}(`OLf(( zY0Fup@Y!Z{)ez?>HLh0XRw<2w*at%#A?lb{bC$B6ngxESbfxz?=<9omMwoFrQ+&}i zHWEmOqL?tu37r)*s6sgoNA|LoslKGfct#?QJ{Gdh#b)dRYnmBGWbKG-F5#MiXyLgd3^1$FGFeyz#c;JplF)!xf#Q=S8uOx&adA8&zpxL^?hA(W;2in9gr!JCqBCFuT$k|cJ*SD#jCA;g33gaq1d zQf@(iTcrsxM$zGHBsaXXt89_FXooaWUh@09%3JIBw+l4!_rJP-8Xe)2>4}*JijL~nylQD7)>6y zC$Qsyy?94_xb}XOn2nX!w&%fG(I*(j6=%%B*gx#2TsE~I5W#p z$uNhqS;4*JE@h2@YsONtF| z4p&ggJn~3XWW4ew%BJ;DSa3f;01#z_fLI5W!Ze+68ua{aF*^P76+ zt^eb_V*a1wgOhFk?~Odw>t9cRd5gb6vb9IP@;yLdG(zCJTQu7N-%Vi%dOy`rL^1&h z^3x|-3H*fS>QO;?4@&Z|ktg)m{dTd-gYJPKTwPI~o9(hr=TN9RtX) 
z@BE(s_He!(&1p`P=#;%>h}x}HxKX5Koy2!QTGGYDC2dyoFflmJaWKgjEBTjHdsf_B zy?TFre)aDB>V3ftVNGropUMH6G9_)=VJxh2#CUyrdHU=5)%)w~S8l}GWH@Y>8gm>j zSITmM0g9$<0jGx5+!{>7btYy*g?R^Xc2?~Mhi|T?=bVDB`^eDFsl6n|b51)KJ{&BZ zHr44!>l>AtG7m@inlek$wzx)`c&nv6x!zf=Tx^5BY6~0Hl1&g247_M-U_B_`lSC`*h&@OI{9TK zh|l29gm5E6EQVEs2R9}n9_kyZW5Tlh<~7ZWat#{D*lcRCs22zBif$GRfWDS%5U+)3 zFqUJ+d2HlC4EZ<}hF;mTrU<9#Vk7>(k*S*d6b#I_zM85RO;J~?S|<8^U#30JRz<$Q z-d}%hO#avDf0QJA9YMh7=zn|1yZfd5-+KpJ{cjUbVNqwnwY};UujYm27_fm8Le*wv zK!^sh7_J0_T3I67NSEy6JQ}PWl8o zy~gVJ|GHej=JEgi{ezPK=i%1>Ya>r{|BpHwmnia`AA#Oa7RPI6UqrFqPhf%=CU~bD@M2pM*VdbJj2UGS+w- zZY9Dd9vAdOUGC(v! z9LY097>48y1$|0}I7BM?BY67a>4QXpbA&E3E+bcj@LzCdj>x)bI*X8+*^_Te8zqvX+JC}c6^v~YEdUN)>#OKchQxv?U zBrd}|ef6r9bL#LkEyslMOLd@|VkYlC8v)~i366R|g%g;-k3DdFbaZf}i(T~3^3|*u zVwtm|B6Jd>9(Z~s-kwIYr&0#J!cp?E`g;<`A)26w!!Qe|>nu8CDj2H!yV&G34lHZT zlnsLpt4aRY;uluMB37$g{>;w%$}x#!5}4H~Yv5u~;)EfqmJZIE3wE3%(2@hNNU+{V zIu0g=?_vRad2S9b)S!~c(ti~Ilmy}kV{|KG?{T&Yvk(W9Q@)TI?|l`HxKe;Mw;Rg-*KJGF}< zU!=Xd!ALLRA>0T|6E9&Gpys}fuG$s;jjp1NeH`akUdGR{4*NxY9bK?C<~>|oe2pE6 z|8{SV#9Mx_JU`g3zx!E#YxXz(TZO-InibBmvCAAnU5J0(o}dmc^*HyKH7jSXV`z2Z z6`eyJ)N}iZIttEp7%gMn$Z52`TBYOYoN6`BqmG)*9Z0Lz>NNQ2vhY) z3su4p6~G$yq)c6Klc-fW2dx|iVo7(JTD9(L ziV9KeS50JyV$quD5KgFzMu?cxUTu^Jo!PrM_~t~Z0@dP{u07^FW(HMY+(gR`q4vig zcmKBADlNu^B2qXFMPJczwDbIzgvgUt%k^9Xoag^@v|Eh-aJ-HGv!TbqT<8G$RmN*` z7W^IY4?*vz3Rh9*y^sA>0!8RH4{F+s2$yI*U+*ckb^0w4D4ts9Zc|r!rB))6FSS0$%BbEau0*V#lzzpCLK~Zws zh0=n}la!!Z@P206p_M|6tQ_nMgcaNAHJt=IDQGF#ycd|8`69e~%9j zxA7l0@>J=6&+Ldmc_r}qRtwx}flBXz!30N-S;nrc``KdGp#mxbG?ue#iX*osovjv| ztrqviX>ng~l)~+EUyn=w)4NzNvyHB%2F}s{PIeEA`QJ`Xj<@GO8+jbg9eVh`;`@JQ zf^X*9-?G8K8K;n=QRO8jGft*lDO_ZBZ?JHbZ)%zXs`#Q83-eT5={{i|ROWzE^7}BD zulI&vT{F)6Z;pF_^BZ66a+^V6@yl(cn#*1&Gk})8+~%skDlW@kZgWETVlTI)Gjx^9 zZ4H2IFSk|Gem$4lYM?E7xy{8*SHGTQ@N95BDPOd7Jt>{}PVZCjz}J#$20S4CEu#HG zlr|f`>$B6#%k!)EFW;Q~etz}-?bRzcf)xa-YM{~+y;5?`x$n}%)7|ovsOP8+UFp9V zulaQPehpspwVnCGyyk2B^3Y!MOHJ{DtNq$tzH2E~V{(K{k)BcmQAFu8LHqZa} zcz3rL|8M_z8~(y;}-HNKQ?E#?cg 
z$zDAo={leP-+TW5-J`uy{^z}I{?E-kpUU~4$}+$dLRIDy6U(!`w7^)y+2sSR;77EW zmv~(3Uo%e6rzH9}8QgRJ_r2Z2!`)K;_ig^S%{&fkmmdD6=YRWqYdQcNK<=`Lj& zvEpRs6B8rE9!B_8D;($1u}(g!HQsJgehPr>H*;2WN?!^ z{IgHC^2dU}aWn`V$Ah4JM3^U`ZMDSg&Z`T*O3cwOJ8dvm(%F zV{9C_*kiK5i593m)dGv2Y&DHPYDnZh?E?)@{G3oKOw^0vRdZkl8lAi~0yH0|s?#@6 zab}iniQJ{iCETIzmOPJhHQ1NqXvlImb4Rp3Y2^vcJip{vlkSc@^-KN z^n;)P_~HA1c;8RF?}MA~f9rk!y7&F{_y76uwEdTOo`R<`Xh^SXcT%sME{rkjYM--i zs*$m7l}6UJZi;uEXYEfNQ=rT`t44Y|evfke%3&rK8ra+I$bLB^yB*j2AJ?)M?|lq$ zrM~ELaB6uJPT0-o~a~Ypj~&Rs}0)LJ*GBji~m1=4t8Cs;zl7Ez_8;(&O_9RS?ov`8W9ej z<(2c({)JY^S?4#%Ks%NzG-Von5?t%uoLakC0>&Z4A!y%>kiE_HeaVVIfSEuU^soC2;0W+BX38c9253kq0x=~%Lh{CRJEcNx7RQGk zc>QGSzcWVR1dk#@(VE*>{QU3WaPMTh{x|VF0e#3hq7eg}05$yJZj2%@NN^}7G>D;p z3rC1`T2H`@nE5P;WrRn-#wZMdSmElr2#!WOfT9p`JVi3)vGpECLF);K&`4!XeHP1< z;wVrC(*Nsu2fT^G86c6YDNq72q9DW(>a;p9uisyDLQ(4pI3tq@iNL$FYY@IG-=nUX(>qUo8;?|4* zuk{4HgA|j5fs2>ttksDr`8V=;tAhgsyQ&-||9&iMdXXnv|5xXyFJGT`Cc)acQSCD^Y24Lnc4B}(2Y)A(;FoPaYS)>Pu$fv@pEBSJuAz4_ ztkY^ec>>PHgfPKAvI;bbIG&)E5X~7tp>z%jon&l9dBN`hpJI>5Ko2R506-=scL{0- z{6Z*z;P!xZ=`Gsd0fd495n2Zo@KQBkN7SFCIsm4C+(iZoV5+R(T^;Zbk^nX)Nf-d7 zwCD<^Fp1?3Y6pC{Jzz$!`5-a=U^kt965LU2%>;i8XPQtX8sbr+E=aW`afT!e$(p%a)Wl=UV|-9HdR)HjvEXYdj+pJLe=`IjpC z8C(*MSj#gH_zXPH@t674`jFmX{{TLNi=mFLC^~{8@FqslwfMLL7~)Ea;zasfgU{f@ z5QYqW0H0eQj8R(vaZS85%g<-1Id?O^z0}hUXoqY8LGF3D ztWMBGRDW~++8irNYrQBH;ZPPSo^55##Yq@yS8Th2P^9x6x%&C^47`RB9wITUkRqTr zSwa{J(JM<}28^cs8GH~_5@4>-p9!WYkUhJCkv~QhoF;sXBCgE?9noye;(V)p5&)y? 
z0r)V6$IL!(`o}dG;4qY2o5etfytWAsUc3-Y;l+zyN*Wmg zMW!4Q^G9!$^hAbt3``)E95sYKO2KP1c0@h1XgC2rMPigBNRN^bDY%^I1#3+&D>y-} zgL<}HCX)f8a#s9t4a||EdYdgz@QdWMvJ6WG85a~Jp@}b9vJG9}bO|TO02UkIZ1S7l zEf0Tzl~x!bUoH4W8+7rrzQxIkEh%2NdzA8Q-&Uq%;Z)Y$mK05z$A1PNE{2zc_bFm1TD)`rNhqr4BBI2) z`G|zMNlqfWxwh3P(QioGb*;#S+hkcr%lAHu-^V2A*s7RonP!R@OBf16e@LhVsm4kU zm1@J+O4@qylOGo1A)cN%o`mcTW}d*@3qybH$St+}*GHB$afLYuS(mF_TtTlxO9!`g zFRQXsFl4pr;K(oZb8Q@#Dvi=t``p0x$<;is&81 z9I5?SCNAX0sw4EZT>B=(N}=^M@`_Lmi#QuMOKLQY>@Y3$(WIrFi3Pw!{wOq>1_Y5I z@&Wh^IvtrPJf;W+R!O-p3-EA=sOWY?0>lbUSTQ|BE3Yt?#0_Y>0#G-#V0{_(8-5H#O|9WOL z;(dQvEj$V zS$-` zBmH5w*jC8_vCvrQdk4Hu7zgMhR=YJKg{q*LEl9yD1g8j~Nz7+C%-jef+r1q>8T^(K^h0UF{61pq};Oi3iC*A!ALuxABxf&}-^f0bsn z+J7-doE%YGk{FIg@;{>pkSMpcv-PB=`+b`vQ@^g^7*U29N0E<;=8;4i?E3G{TqtA} zxxTh8Q&@qkKmK<|&2vtu;D&p@;u1d4_Yq^S1tXDbUH%CslCcORq-{%zia@llDBHe5 zF!)0-+t)CfwM&GS9ToEsN29Y4;)(9AMtuiB5TQHSpF13eV34*UxjF=lQ)!!GAf{xB z1EEI32pE{UCLb$Xm1MXEP{IV1oJpd9nI?x^IC5TU^2irrO=u`Z>qr5N4`b+SUT#2` zccSXvueikig~k8!okOt8IMJ@;OGjt)Xa($+pZC%cl=BJY)n{kq0~Zwc_t==p`F(*FZxRGoor1*rX=C+NnrL!nPnEp z!lE_wF(yn+kh+dl4!+$sM|6TC*%O;V-@Lj8)+fmaikOIZHSKpmpD>1%F`O|zrX(4S zcK`}TXa`V)BA?D;sUTS2Ymprj#*Iy`j^v_ToeGvCK*&0`Xx0R5|NOO4M8%wzbFpCy zmYs9KmTU{@LM_6x#o9bO&9yawGrwHZ7@|OLIXV-_IHET9eVv3Hd&bizrg#GB zEcN`c`LLAzDZS)rpuLx{1-xZ0B3vk58XmLwj@l6b9Qk1qAaF?n)F+hh06WE|lu_De z>Y`tz1v@)9Uog~ny_u|VHodasXf`NSGNcA4n@JZ@5Z@%DsA;b$@z)~18c|_AlB}*1 zc^TxAGb?pq39`CnRspk;YW;A9WY542QXwrx+R!Ol8s2_p4$wk8z;nE##r*;PV*ibo-NHssRM{bW{aG8 zM}$SEg#K^Nq;-?+x5eln7?@3;spZRkc_v#`S{!g;0ZT0fdN2GLd}y~9LM^`wzAW#6 zExUji^P5-Ko@V_yg%_y9AvJe1y9Qt=h7@uX&cL%*h(8r{l(lz+B9n;S{PX76#*mK< zGcZFVy*fXC=-M+2b1=c9vBV@oK4MHPZmt#-1Qbb&ximWi9OW!>&5@a}2pJUR&taHI z6W0KZ;S>{f=s&{I#}r`xvdaMaw(b^BrM$~lqWU0hV}Ep~nhy*F)p&5Cc;xHM9H3rIE6d{r&Wg=!JP--FIuL4bSE zd5gVRm(p7^go_e(uGYJx#=B+|AC1bp-hMrt&by9&tfKU))*n{uEp=oCwO94${`KAx z&hr#scZGY=d`nF|BGtEq+vC=KOXxnR@>{~@+thv+otrs zo>9?K06F|nyt9V7;u)3#Mau4|o&FE!AlNT}~=PCspv z`3yc>5$TTnR({X-$LX7wLcB-MybOcI{POI2%X#HlvuY8aJX4L?E_o@e#eG#hfQCcl 
z^B%Y)*V^Ou!`}z=zdzifSx?rKmkJ8JP#G;n8|t`N1NUJhm^lmr6aY9Bn?Ii2Ewd0^ z+#fcb4UfPZwvgn;#SpA(mnlCm)m-erl&|Lox|9Q&;RSg(_rnTI%g$A65V*%ho3_8$ znzgDew`8+npLQ4v^{`9Hvy=8)+LuG=Jqkz!goXf=PpGXIO2xrBIRtPNO(kA$>UR;WQ-+ahN02B0h_p7qUp~xqJ z)M&u~G87yiDm6VMBcksv#UY#_d08ETgWX;55&XCdV*C+>3}9dS?1EC`=Wkz~zVE+z zb#eBO55>lRyLtTz2zB-Re{YHi93MKt^-q62fB)P0>C5x0_h)Y|Z_Y1oJ{WKl_^|`_ z_IKqyap-eI*^Y)~pf`Z|>dn=M48?>Y;FFN(s|n9$NDRYspp1SA0?(cdhr{9S?(<5> zzr1;KvuITLkU#|LHRwqy73u&Fvlbx{vRPs#3qZ236mKQ z(_jdMIyPW(nnmf2In2O^^mN4_#7X`L1`oAb=!YZ;jH9z4AWQtQn4!|^bqAbI;D1Q8 z1AZlB6ry~OLkps63J={~$1Kt8V?=i)#05GmLbaa;r;3~w6v!byYRn)wvm;n|VP7_iI zoBO<)Z6mYb-RykTB`;^^Cfy>IU{lM!nr#6qZr@8p{rdLt#qK-z^7V9B=)w(ZL6#ue}#wv1Z%m6wfeRq(M`HC#xo!GFsE^&uR%9B4eag~Nr^ zH)Q2-b-#h7qr6*MpL1i?66mV#rxg zR*$@9kJEAnl0wRCm$2}s$Rt-S>B#wHlDXPOmyk-nEyFNNHHiQeu9B59MA~aEVOse3 zPzga>C#h^sw6ItvGaq(*%1a0t`;Qe@)S^rwt|%v&@x*vLT0uuEK<7e8I)J;aO1e}9 z!tTiO`7yO3$(I47At=*28!#wUrWr1h=ALayr8L{kZAtEI*$di|iV4hR_bG|~O$IqK zSP9NQ?1EkJLj11;Wi1@1lvH>zj#Egio98%F1oU^7-t1MQmP;m(hvZ(E`s;EFvk1Dl zFpI$53saY>K-k3aE`ck?@OD+U7iGTo{jEuZLFJk>h}`pIk}PRaKcp`g-#rS0I`Yj&wR2lNkmN!P!Ok>?ObvMBeP276=ng;?u;x_)erfxSr;fK@}CUtT%xEP){?!6F%f&|TeP1?QPk6& z=x2zE;wzF{;CXw%=8@Z(&Z^LX^oU9(lCe{7<+_psRqj)+;u<=qmKGc1N!A+}OfX}Z zM0aQ~Cge6f6HGq<{Ur_EY9G*v855YQ7BMt)@u`)(C<@XYAPrP9}rMu*_)^Mu@6(&@-hts$7zjf!rYIsO(6Y@1^v41!stY6RVversxiaVaId~ zFcdK?{W${2p@L#{!7t^uOdUBocK40yFW3(rjd?gzpiF#z(F4n2M4p{@O zQP#!~L7q_Kz>?+pXNuS9vrrJAA&Qth%Lq`+$DJ&nUkX9T#D zPl@&apy(Dy48&nF^01|fXV=swJ>Tnd8gg03R ze=VCV3c(U+E%R9G2RQ``Gc1RHg!mnyw>xHDscZ!H4C=UxpqSsKjcN$D#|BD$* z5bGYC93Gx@~L3CVJ&k_e0; z4Uk}bSHGX{EB;2}VGCxe@YF%vskU)Qw5tnLj+0Fsu7qB@iAU z6s5CKc0)`)3y;(OMW@v|W%59pB_ZDdFJ5TtP*T^m7camwLIwFC7*e(JmF6i}beR%{ zu+QZQ4^=l_(Z?A1T2I_3X3 zhD?zo)+{2Nr3K{plZh3<1=8Ee+}ecqYWCprmNP93lfhL@)wLoOSWJm_Jwt>@@tG;L?(`!-UEeEMbt?7~ND85#d0Jsb?DD$ZQXH3SHO%i2I%Aofj`! 
zhEh5WH3K8W0pp2(t4!*cDZF+-tS}aPtR&1Q!4->9au0GR)1MepNVvKF>f^{xtMxXP zUXPN0)Xrc|%nkK)>!c*7>V=tQ?9oVBPm)6vl|M4v)jNwJ~S^ zzrTBMP}u(;9vz%)_y3!CK7H!G08>2aNm(s6O?(!kpM=g0{W0o+7u~=9YKc;<^N%sq zdssVZmS$zToCnky9%!dCt0PLcftP)kJh5{oD@yOI&O2on6D8kF5v4dl;Ir7*M?N?{ zkU#O{IvEb}N6_{%U}94(ek%;mjQ6@}W0(jj`ey<|<*N$gSmNGk{ecv8S)PkFL_Y*u z_o2)rOeQ%!P9^#k3WL(D8LS-ll2Mzx$=MiWdCTd zDF65O_O|kW6Hhwoz19bb{6vP)xFCr-HnYb^4HxTL6qGN#Y)8pQTnd`I)ur(dTfK!@GoI!QC^h-yFdk z*+et^sv_Z4&{h{OAzc+TuM%l(1YCxs1)LWosHxo$vqflG8D+GBn5KLQ(%N!gN*{34Xql`HYf<2H}7PqJ56`uL?rl4*ZCZ4b1u<}^V? zyunN5wm0wSChf|AkPyKr>x%|(m6l^;a`&Dk10#Rm<6+u%xs$q{AgEP`^;!TpdKIf- zw1>jwXxP?etd6$xc*+T(iWP<^?U-G%By95@jJdfXt*@mCa+djZEl+C;$UW1$;0jrw zIcVU@=o*7E{ws}x1g(g|*1vDM8-LBJS)O;ibQ0Oda~1kp4xJ6idwY;` z&YgP}49>=cmIhf-onx6+cBa{#y$2?F%5`vgXzCJ>xh5MiHyFB46YCi{-Btn*D#tr zyZYmQpI48psD8~MPnb1g;^mp$zslW^=%1#Dylhf0#jiE()Yb0nDs8ojl&f$FC#W9F zC)S<#s?n(kKG=MC7QMq?P5g9|qU)3f!h9%nvwq#xEiG3FxWf8!tewSz1=KF4VwZn2 z2+ZwrT{m1D-O-O?T!4izO(76faABtzrr@+eGbZ%z$dt|Zm zySFm)T_}V9{9(S2I92PT)`hD-_d>ZW^wE5pEgBeUee}4_V|g!>__n0_e45{bysyej z{b&Wg${GE5B)%&j_PvRGXTt2|WWJk@_aXG1$+RDZ)OXWhy<*>)lzLNg-`&CW3jVnX z%)cPX@21!NiT;`d>yJeCSFqcA5dL-f(!Vw7@22{K;{S=cblSiMZ-VOQjtxwR{POX^ zLRs@t8IPi5QntC9Uf!tYO{dK3(p*wUXi`3liIu}rzDQ$hq;KrV_luc9N;E0a;zl3n4az2|d3p%u)R(9mIOeF-!5cEl4a52}O z)kIA1+-ljxAsr!}-Cw*I=I)7N256#U1X$N$Li=c5zTpqzv oc+&MEXngycBlysc^4n+oY@hA(l|BD|00030|5>nB69Ccz02AUUTL1t6 literal 0 HcmV?d00001 diff --git a/charts/neuvector/102.0.6+up2.6.6/.helmignore b/charts/neuvector/102.0.6+up2.6.6/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj 
diff --git a/charts/neuvector/102.0.6+up2.6.6/Chart.yaml b/charts/neuvector/102.0.6+up2.6.6/Chart.yaml
new file mode 100644
index 0000000000..44fd0697f7
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/Chart.yaml
@@ -0,0 +1,27 @@
+annotations:
+ catalog.cattle.io/auto-install: neuvector-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: NeuVector
+ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0'
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux
+ catalog.cattle.io/provides-gvr: neuvector.com/v1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: neuvector
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/upstream-version: 2.6.6
+apiVersion: v1
+appVersion: 5.2.4
+description: Helm feature chart for NeuVector's core services
+home: https://neuvector.com
+icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+keywords:
+- security
+maintainers:
+- email: support@neuvector.com
+ name: becitsthere
+name: neuvector
+sources:
+- https://github.com/neuvector/neuvector
+version: 102.0.6+up2.6.6
diff --git a/charts/neuvector/102.0.6+up2.6.6/README.md b/charts/neuvector/102.0.6+up2.6.6/README.md
new file mode 100644
index 0000000000..caccb0d6a3
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/README.md
@@ -0,0 +1,256 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector container security's core services.
+
+## Choosing container runtime
+The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`openshift` | If deploying in OpenShift, set this to true | `false` |
+`registry` | NeuVector container registry | `docker.io` |
+`tag` | image tag for controller enforcer manager | `latest` |
+`oem` | OEM release name | `nil` |
+`imagePullSecrets` | image pull secret | `nil` |
+`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. |
+`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
+`serviceAccount` | Service account name for NeuVector components | `default` |
+`leastPrivilege` | Use least privileged service account | `false` |
+`autoGenerateCert` | Automatically generate certificate or not | `true` |
+`defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` |
+`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` |
+`global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
+`global.aws.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction
+`global.aws.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction
+`global.aws.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction
+`global.aws.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction
+`global.aws.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction
+`global.aws.image.tag` | csp adapter image tag | `latest` | Follow AWS subscription instruction
+`global.aws.image.digest` | csp adapter image digest | `nil` | Follow AWS subscription instruction
+`global.aws.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction
+`global.azure.enabled` | If true, install Azure billing csp adapter | `false` | **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
+`global.azure.serviceAccount` | Service account name for csp adapter | `csp` | Follow Azure subscription instruction
+`global.azure.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.registry` | csp adapter image registry | `susellcforazuremarketplace.azurecr.io` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.image` | csp adapter image repository | `neuvector-billing-azure-by-suse-llc` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction
+`controller.enabled` | If true, create controller | `true` |
+`controller.image.repository` | controller image repository | `neuvector/controller` |
+`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
+`controller.replicas` | controller replicas | `3` |
+`controller.schedulerName` | kubernetes scheduler name | `nil` |
+`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
+`controller.tolerations` | List of node taints to tolerate | `nil` |
+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml)
+`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
+`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`controller.podLabels` | Specify the pod labels. | `{}` |
+`controller.podAnnotations` | Specify the pod annotations. | `{}` |
+`controller.env` | User-defined environment variables for controller. | `[]` |
+`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. |
+`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi
+`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` |
+`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` |
+`controller.pvc.storageClass` | Storage Class to be used | `default` |
+`controller.pvc.capacity` | Storage capacity | `1Gi` |
+`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` |
+`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` |
+`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` |
+`controller.apisvc.type` | Controller REST API service type | `nil` |
+`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` |
+`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` |
+`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` |
+`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` |
+`controller.apisvc.route.tls.key` | Set controller REST API service PEM format key file | `nil` |
+`controller.apisvc.route.tls.certificate` | Set controller REST API service PEM format certificate file | `nil` |
+`controller.apisvc.route.tls.caCertificate` | Set controller REST API service CA certificate may be required to establish a certificate chain for validation | `nil` |
+`controller.apisvc.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate | `nil` |
+`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` |
+`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` |
+`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` |
+`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
+`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` |
+`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` |
+`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` |
+`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, edge, reencrypt | `passthrough` |
+`controller.federation.mastersvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.route.tls.certificate` | Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed
+`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`.
+`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
+`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
+`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
+`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml)
+`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
+`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` |
+`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
+`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` |
+`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service.
Possible passthrough, edge, reencrypt | `passthrough` | +`controller.federation.managedsvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.certificate` | Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`. +`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. +`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` +`controller.configmap.data` | NeuVector configuration in YAML format | `{}` +`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` +`controller.secret.data` | NeuVector configuration in key/value pair format | `{}` +`enforcer.enabled` | If true, create enforcer | `true` | +`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | +`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. 
| | +`enforcer.updateStrategy.type` | enforcer update strategy type. | `RollingUpdate` | +`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`enforcer.podLabels` | Specify the pod labels. | `{}` | +`enforcer.podAnnotations` | Specify the pod annotations. | `{}` | +`enforcer.env` | User-defined environment variables for enforcers. | `[]` | +`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default +`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`manager.enabled` | If true, create manager | `true` | +`manager.image.repository` | manager image repository | `neuvector/manager` | +`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`manager.podLabels` | Specify the pod labels. | `{}` | +`manager.podAnnotations` | Specify the pod annotations. | `{}` | +`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | +`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` | +` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. | +` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. | +` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) | +` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) | +`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`manager.route.host` | Set OpenShift route host for management console service | `nil` | +`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`manager.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`manager.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`manager.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`manager.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` | +`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` | +`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` | +`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed +`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | 
+`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. +`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`manager.affinity` | manager affinity rules | `{}` | +`manager.tolerations` | List of node taints to tolerate | `nil` | +`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`manager.runAsUser` | Specify the run as User ID | `nil` | +`cve.adapter.enabled` | If true, create registry adapter | `true` | +`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` | +`cve.adapter.image.tag` | registry adapter image tag | | +`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.adapter.podLabels` | Specify the pod labels. | `{}` | +`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.adapter.env` | User-defined environment variables for adapter. 
| `[]` | +`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` | +`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | | +`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` | +`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. 
Possible passthrough, edge, reencrypt | `passthrough` | +`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` | +`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` | +`cve.adapter.certificate.pemFile` | Replace registry adapter certificate pem file | `tls.pem` | +`cve.adapter.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed +`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`. 
+`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) +`cve.adapter.affinity` | registry adapter affinity rules | `{}` | +`cve.adapter.tolerations` | List of node taints to tolerate | `nil` | +`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.adapter.runAsUser` | Specify the run as User ID | `nil` | +`cve.updater.enabled` | If true, create cve updater | `true` | +`cve.updater.secure` | If true, API server's certificate is validated | `false` | +`cve.updater.cacert` | If set, use this ca file to validate API server's certificate | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` | +`cve.updater.image.registry` | cve updater image registry to overwrite global registry | | +`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` | +`cve.updater.image.tag` | image tag for cve updater | `latest` | +`cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.updater.podLabels` | Specify the pod labels. | `{}` | +`cve.updater.podAnnotations` | Specify the pod annotations. 
| `{}` | +`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` | +`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.updater.runAsUser` | Specify the run as User ID | `nil` | +`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` | +`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | | +`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` | +`cve.scanner.image.tag` | cve scanner image tag | `latest` | +`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.scanner.podLabels` | Specify the pod labels. | `{}` | +`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.scanner.env` | User-defined environment variables for scanner. 
| `[]` | +`cve.scanner.replicas` | external scanner replicas | `3` | +`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | +`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.6/charts/core/values.yaml) | +`cve.scanner.affinity` | scanner affinity rules | `{}` | +`cve.scanner.tolerations` | List of node taints to tolerate | `nil` | +`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.scanner.runAsUser` | Specify the run as User ID | `nil` | +`docker.path` | docker path | `/var/run/docker.sock` | +`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s and rke clusters, set k3s.enabled to true instead +`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | +`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | +`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | +`k3s.enabled` | Set to true for k3s or rke2 | `false` | +`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | +`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | +`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | +`admissionwebhook.type` | admission webhook type | `ClusterIP` | +`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` | +`crdwebhook.type` | crd webhook type | `ClusterIP` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example,
+
+```console
+$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+```console
+$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml
+```
diff --git a/charts/neuvector/102.0.6+up2.6.6/app-readme.md b/charts/neuvector/102.0.6+up2.6.6/app-readme.md
new file mode 100644
index 0000000000..a3e31c5e11
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/app-readme.md
@@ -0,0 +1,35 @@
+### Run-Time Protection Without Compromise
+
+NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
+
+NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include:
+
++ Build phase vulnerability scanning with Jenkins plug-in and registry scanning
++ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks
++ Complete run-time scanning with network, process, and file system monitoring and protection
++ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation
++ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures
++ Run-time vulnerability scanning and CIS benchmarks
+
+Additional Notes:
++ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447.
++ Configure correct container runtime and runtime path under container runtime. Enable only one runtime.
++ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0.
++ For deploying on hardened RKE cluster, enable PSP from security settings.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+ **Note:**
+ In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+ **Note:**
+ If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+
+ If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
diff --git a/charts/neuvector/102.0.6+up2.6.6/crds/_helpers.tpl b/charts/neuvector/102.0.6+up2.6.6/crds/_helpers.tpl
new file mode 100644
index 0000000000..c0cc49294e
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/crds/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.6+up2.6.6/questions.yaml b/charts/neuvector/102.0.6+up2.6.6/questions.yaml
new file mode 100644
index 0000000000..ab478103ff
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/questions.yaml
@@ -0,0 +1,336 @@
+questions:
+#image configurations
+- variable: controller.image.repository
+ default: "neuvector/controller"
+ description: controller image repository
+ type: string
+ label: Controller Image Path
+ group: "Container Images"
+- variable: controller.image.tag
+ default: ""
+ description: image tag for controller
+ type: string
+ label: Controller Image Tag
+ group: "Container Images"
+- variable: manager.image.repository
+ default: "neuvector/manager"
+ description: manager image repository
+ type: string
+ label: Manager Image Path
+ group: "Container Images"
+- variable: manager.image.tag
+ default: ""
+ description: image tag for manager
+ type: string
+ label: Manager Image Tag
+ group: "Container Images"
+- variable: enforcer.image.repository
+ default: "neuvector/enforcer"
+ description: enforcer image repository
+ type: string
+ label: Enforcer Image Path
+ group: "Container Images"
+- variable: enforcer.image.tag
+ default: ""
+ description: image tag for enforcer
+ type: string
+ label: Enforcer Image Tag
+ group: "Container Images"
+- variable: cve.scanner.image.repository
+ default: "neuvector/scanner"
+ description: scanner image repository
+ type: string
+ label: Scanner Image Path
+ group: "Container Images"
+- variable: cve.scanner.image.tag
+ default: ""
+ description: image tag for scanner
+ type: string
+ label: Scanner Image Tag
+ group: "Container Images"
+- variable: cve.updater.image.repository
+ default: "neuvector/updater"
+ description: cve updater image repository
+ type: string
+ label: CVE Updater Image Path
+ group: "Container Images"
+- variable: cve.updater.image.tag
+ default: ""
+ description: image tag for updater
+ type: string
+ label: Updater Image Tag
+ group: "Container Images"
+#Container Runtime configurations
+- variable: docker.enabled
+ default: true
+ description: Docker runtime. Enable only one runtime
+ type: boolean
+ label: Docker Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: docker.path
+ default: "/var/run/docker.sock"
+ description: "Docker Runtime Path"
+ type: string
+ label: Runtime Path
+- variable: containerd.enabled
+ default: "false"
+ description: Containerd runtime. Enable only one runtime
+ type: boolean
+ label: Containerd Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: containerd.path
+ default: " /var/run/containerd/containerd.sock"
+ description: "Containerd Runtime Path"
+ type: string
+ label: Runtime Path
+- variable: crio.enabled
+ default: "false"
+ description: CRI-O runtime. Enable only one runtime
+ type: boolean
+ label: CRI-O Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: crio.path
+ default: "/var/run/crio/crio.sock"
+ description: "CRI-O Runtime Path"
+ type: string
+ label: Runtime Path
+- variable: k3s.enabled
+ default: "false"
+ description: k3s containerd runtime. Enable only one runtime. Choose this option for RKE2 and K3S based clusters
+ type: boolean
+ label: k3s Containerd Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: k3s.runtimePath
+ default: " /run/k3s/containerd/containerd.sock"
+ description: "k3s Containerd Runtime Path"
+ type: string
+ label: Runtime Path
+#storage configurations
+- variable: controller.pvc.enabled
+ default: false
+ description: If true, enable persistence for controller using PVC. PVC should support ReadWriteMany(RWX)
+ type: boolean
+ label: PVC Status
+ group: "PVC Configuration"
+- variable: controller.pvc.storageClass
+ default: ""
+ description: Storage Class to be used
+ type: string
+ label: Storage Class Name
+ group: "PVC Configuration"
+#ingress configurations
+- variable: manager.ingress.enabled
+ default: false
+ description: If true, create ingress, must also set ingress host value
+ type: boolean
+ label: Manager Ingress Status
+ group: "Ingress Configuration"
+ show_subquestion_if: true
+ subquestions:
+ - variable: manager.ingress.host
+ default: ""
+ description: Must set this host value if ingress is enabled
+ type: string
+ label: Manager Ingress Host
+ group: "Ingress Configuration"
+ - variable: manager.ingress.path
+ default: "/"
+ description: Set ingress path
+ type: string
+ label: Manager Ingress Path
+ group: "Ingress Configuration"
+ - variable: manager.ingress.annotations
+ default: "{}"
+ description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
+ type: string
+ label: Manager Ingress Annotations
+ group: "Ingress Configuration"
+- variable: controller.ingress.enabled
+ default: false
+ description: If true, create ingress for rest api, must also set ingress host value
+ type: boolean
+ label: Controller Ingress Status
+ group: "Ingress Configuration"
+ show_subquestion_if: true
+ subquestions:
+ - variable: controller.ingress.host
+ default: ""
+ description: Must set this host value if ingress is enabled
+ type: string
+ label: Controller Ingress Host
+ group: "Ingress Configuration"
+ - variable: controller.ingress.path
+ default: "/"
+ description: Set ingress path
+ type: string
+ label: Controller Ingress Path
+ group: "Ingress Configuration"
+ - variable: controller.ingress.annotations
+ default: "{}"
+ description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
+ type: string
+ label: Controller Ingress Annotations
+ group: "Ingress Configuration"
+- variable: controller.federation.mastersvc.ingress.enabled
+ default: false
+ description: If true, create ingress for rest api, must also set ingress host value
+ type: boolean
+ label: Controller Federation Master Service Ingress Status
+ group: "Ingress Configuration"
+ show_subquestion_if: true
+ subquestions:
+ - variable: controller.federation.mastersvc.ingress.tls
+ default: false
+ description: If true, TLS is enabled for controller federation master ingress service
+ type: boolean
+ label: Controller Federation Master Service Ingress TLS Status
+ group: "Ingress Configuration"
+ - variable: controller.federation.mastersvc.ingress.host
+ default: ""
+ description: Must set this host value if ingress is enabled
+ type: string
+ label: Controller Federation Master Service Ingress Host
+ group: "Ingress Configuration"
+ - variable: controller.federation.mastersvc.ingress.path
+ default: "/"
+ description: Set ingress path
+ type: string
+ label: Controller Federation Master Service Ingress Path
+ group: "Ingress Configuration"
+ - variable: controller.federation.mastersvc.ingress.ingressClassName
+ default: ""
+ description: To be used instead of the ingress.class annotation if an IngressClass is provisioned
+ type: string
+ label: Controller Federation Master Service Ingress IngressClassName
+ group: "Ingress Configuration"
+ - variable: controller.federation.mastersvc.ingress.secretName
+ default: ""
+ description: Name of the secret to be used for TLS-encryption
+ type: string
+ label: Controller Federation Master Service Ingress SecretName
+ group: "Ingress Configuration"
+ - variable: controller.federation.mastersvc.ingress.annotations
+ default: "{}"
+ description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
+ type: string
+ label: Controller Federation Master Service Ingress Annotations
+ group: "Ingress Configuration"
+- variable: controller.federation.managedsvc.ingress.enabled
+ default: false
+ description: If true, create ingress for rest api, must also set ingress host value
+ type: boolean
+ label: Controller Federation Managed Service Ingress Status
+ group: "Ingress Configuration"
+ show_subquestion_if: true
+ subquestions:
+ - variable: controller.federation.managedsvc.ingress.tls
+ default: false
+ description: If true, TLS is enabled for controller federation managed ingress service
+ type: boolean
+ label: Controller Federation Managed Service Ingress TLS Status
+ group: "Ingress Configuration"
+ - variable: controller.federation.managedsvc.ingress.host
+ default: ""
+ description: Must set this host value if ingress is enabled
+ type: string
+ label: Controller Federation Managed Service Ingress Host
+ group: "Ingress Configuration"
+ - variable: controller.federation.managedsvc.ingress.path
+ default: "/"
+ description: Set ingress path
+ type: string
+ label: Controller Federation Managed Service Ingress Path
+ group: "Ingress Configuration"
+ - variable: controller.federation.managedsvc.ingress.ingressClassName
+ default: ""
+ description: To be used instead of the ingress.class annotation if an IngressClass is provisioned
+ type: string
+ label: Controller Federation Managed Service Ingress IngressClassName
+ group: "Ingress Configuration"
+ - variable: controller.federation.managedsvc.ingress.secretName
+ default: ""
+ description: Name of the secret to be used for TLS-encryption
+ type: string
+ label: Controller Federation Managed Service Ingress SecretName
+ group: "Ingress Configuration"
+ - variable: controller.federation.managedsvc.ingress.annotations
+ default: "{}"
+ description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
+ type: string
+ label: Controller Federation Managed Service Ingress Annotations
+ group: "Ingress Configuration"
+#service configurations
+- variable: manager.svc.type
+ default: "NodePort"
+ description: Set manager service type for native Kubernetes
+ type: enum
+ label: Manager Service Type
+ group: "Service Configuration"
+ options:
+ - "NodePort"
+ - "ClusterIP"
+ - "LoadBalancer"
+- variable: controller.federation.mastersvc.type
+ default: ""
+ description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP
+ type: enum
+ label: Fed Master Service Type
+ group: "Service Configuration"
+ options:
+ - "NodePort"
+ - "ClusterIP"
+ - "LoadBalancer"
+- variable: controller.federation.managedsvc.type
+ default: ""
+ description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and ClusterIP
+ type: enum
+ label: Fed Managed Service Type
+ group: "Service Configuration"
+ options:
+ - "NodePort"
+ - "ClusterIP"
+ - "LoadBalancer"
+- variable: controller.apisvc.type
+ default: "NodePort"
+ description: Controller REST API service type
+ type: enum
+ label: Controller REST API Service Type
+ group: "Service Configuration"
+ options:
+ - "NodePort"
+ - "ClusterIP"
+ - "LoadBalancer"
+#Security Settings
+- variable: global.cattle.psp.enabled
+ default: "false"
+ description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
+ label: "Enable PodSecurityPolicies" + default: "false" + type: boolean + group: "Security Settings" +- variable: manager.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Manager runAsUser ID + group: "Security Settings" +- variable: cve.scanner.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Scanner runAsUser ID + group: "Security Settings" +- variable: cve.updater.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Updater runAsUser ID + group: "Security Settings" diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/NOTES.txt b/charts/neuvector/102.0.6+up2.6.6/templates/NOTES.txt new file mode 100644 index 0000000000..014493f43b --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/NOTES.txt 
@@ -0,0 +1,20 @@
+{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}
+From outside the cluster, the NeuVector URL is:
+http://{{ .Values.manager.ingress.host }}
+{{- else if not .Values.openshift }}
+Get the NeuVector URL by running these commands:
+{{- if contains "NodePort" .Values.manager.svc.type }}
+ NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
+ NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo https://$NODE_IP:$NODE_PORT
+{{- else if contains "ClusterIP" .Values.manager.svc.type }}
+ CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui)
+ echo https://$CLUSTER_IP:8443
+{{- else if contains "LoadBalancer" .Values.manager.svc.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui'
+
+ SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+ echo https://$SERVICE_IP:8443
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/_helpers.tpl b/charts/neuvector/102.0.6+up2.6.6/templates/_helpers.tpl
new file mode 100644
index 0000000000..53e17b863c
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/_helpers.tpl
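Review bot: The ingress branch of NOTES.txt prints `http://{{ .Values.manager.ingress.host }}` while every other branch prints an `https://` URL, so an install with the manager ingress enabled is told to open the console login over plaintext. If the manager ingress values carry a TLS flag the way `.Values.controller.ingress.tls` does in controller-ingress.yaml (the manager ingress template is not part of this hunk, so that is an assumption), the scheme should follow it, for example `http{{ if .Values.manager.ingress.tls }}s{{ end }}://{{ .Values.manager.ingress.host }}`. Failing that, a one-line hint that the scheme depends on the ingress TLS setup would avoid steering users to HTTP.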
@@ -0,0 +1,55 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Lookup secret.
+*/}}
+{{- define "neuvector.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/admission-webhook-service.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/admission-webhook-service.yaml
new file mode 100644
index 0000000000..0d92eec7fd
--- /dev/null
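Review bot: The `neuvector.secrets.lookup` helper is documented only as "Lookup secret.", which hides what a caller has to know to use it safely. It reads `.namespace`, `.secret`, `.key` and `.defaultValue` from the dict it is given, and its result is already base64: either the entry taken from the Secret's `data` map or `.defaultValue | toString | b64enc`, so it belongs under `data:` and never under `stringData:`. Helm's `lookup` returns an empty result under `helm template` and client-side dry runs, so in those modes the helper falls through to the default (or to nothing) even when the Secret exists in the cluster. I would expand the comment to something like `Returns the base64 value of .key from Secret .secret in .namespace, else b64enc of .defaultValue; empty when neither exists.` and give `system_default_registry` a one-line comment as well.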
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/admission-webhook-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-svc-admission-webhook
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+ ports:
+ - port: 443
+ targetPort: 20443
+ protocol: TCP
+ name: admission-webhook
+ type: {{ .Values.admissionwebhook.type }}
+ selector:
+ app: neuvector-controller-pod
\ No newline at end of file
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/cert-manager-secret.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/cert-manager-secret.yaml
new file mode 100644
index 0000000000..3692886b4c
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/cert-manager-secret.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.internal.certmanager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.internal.certmanager.secretname }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.internal.certmanager.secretname }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ duration: 17520h # 2 years
+ subject:
+ organizations:
+ - NeuVector
+ isCA: true
+ commonName: neuvector.internal
+ dnsNames:
+ - neuvector.internal
+ - NeuVector
+ secretName: {{ .Values.internal.certmanager.secretname }}
+ usages:
+ - digital signature
+ - key encipherment
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: {{ .Values.internal.certmanager.secretname }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/clusterrole.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/clusterrole.yaml
new file mode 100644
index 0000000000..54f33a90c2
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/clusterrole.yaml
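Review bot: In admission-webhook-service.yaml, `type: {{ .Values.admissionwebhook.type }}` renders whatever the values file holds with no fallback, and the Service fronts port 20443 of the controller pods. An admission webhook only has to be reachable by the API server, so a `NodePort` or `LoadBalancer` value here would expose that endpoint beyond the cluster for no functional gain; values.yaml is not in this hunk, so the shipped default cannot be confirmed from here. I would make the safe choice explicit with `type: {{ .Values.admissionwebhook.type | default "ClusterIP" }}`. The file also ends without a trailing newline.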
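Review bot: In cert-manager-secret.yaml the `Certificate` sets `isCA: true` yet lists only `digital signature` and `key encipherment` under `usages`, and it is issued by a `selfSigned` Issuer straight into the secret named by `.Values.internal.certmanager.secretname`. If that is the secret controller-deployment.yaml mounts as `internal-cert` (it references `.Values.controller.internal.certificate.secret`, so this is likely but not shown here), every pod that holds `cert.key` holds a CA-capable key for the internal trust root. A leaf certificate for internal TLS should carry `isCA: false` and add `- server auth` and `- client auth` to `usages`; if a private CA is wanted, issue it separately and sign the leaf from it. The `NeuVector` entry under `dnsNames` is not a resolvable host name, so if peers verify against it a comment saying so would help.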
@@ -0,0 +1,121 @@
+{{- if .Values.rbac -}}
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-app
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - pods
+ - services
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+
+---
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-rbac
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+{{- if .Values.openshift }}
+- apiGroups:
+ - image.openshift.io
+ resources:
+ - imagestreams
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ - clusterrolebindings
+ - clusterroles
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-admission
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+
+---
+
+{{- if $oc4 }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-co
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - clusteroperators
+ verbs:
+ - get
+ - list
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding-least.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding-least.yaml
new file mode 100644
index 0000000000..bcfca9a212
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding-least.yaml
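Review bot: `neuvector-binding-admission` grants `create`, `update` and `delete` on every `validatingwebhookconfigurations` and `mutatingwebhookconfigurations` object in the cluster, so the bound service account can alter or remove any other admission control, not only NeuVector's own. `create` cannot be narrowed by name, but `update` and `delete` can move into a second rule that carries `resourceNames:`; the names of the webhook configurations the controller manages are not in this diff, so the fence below uses a placeholder. `neuvector-binding-app` likewise adds `update` on nodes, pods, services and namespaces with no comment saying which feature needs write access, and a short comment above that rule would make the grant reviewable.

```yaml
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - create
# update/delete limited to the configurations this chart's controller owns
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  resourceNames:
  - "<neuvector-webhook-config-name>"  # placeholder, name not shown in this diff
  verbs:
  - update
  - delete
```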
@@ -0,0 +1,150 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..7147a9ff16 --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/clusterrolebinding.yaml 
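Review bot: With `leastPrivilege` set, the `neuvector-binding-view` ClusterRoleBinding still ties the `controller` service account to the built-in `view` ClusterRole across the whole cluster, on top of the three chart-defined roles; clusterrolebinding.yaml does the same for `.Values.serviceAccount`. Nothing in either file says why cluster-wide `view` is needed, so a reader cannot judge whether a namespaced RoleBinding or a narrower custom role would do. I would add a comment above that binding, for example `# cluster-wide read via built-in "view" (no Secrets): required for <feature>`, with the feature filled in by the chart owners. The two binding files are otherwise near copies that differ only in the subject name, so any change has to be made in both.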
@@ -0,0 +1,147 @@ +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/controller-deployment.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/controller-deployment.yaml new file mode 100644 index 0000000000..aed556aa24 --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/controller-deployment.yaml 
@@ -0,0 +1,264 @@ +{{- if .Values.controller.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-controller-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +{{- with .Values.controller.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + minReadySeconds: 60 + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} + selector: + matchLabels: + app: neuvector-controller-pod + template: + metadata: + labels: + app: neuvector-controller-pod + release: {{ .Release.Name }} + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations .Values.autoGenerateCert }} + annotations: + {{- if .Values.controller.secret.enabled }} + checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.configmap.enabled }} + checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.autoGenerateCert }} + checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . 
| sha256sum }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.schedulerName }} + schedulerName: {{ .Values.controller.schedulerName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: controller + serviceAccount: controller + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + containers: + - name: neuvector-controller-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} + securityContext: + privileged: true + resources: + {{- if .Values.controller.resources }} +{{ toYaml .Values.controller.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.ranchersso.enabled }} + - name: RANCHER_SSO + value: "1" + - name: RANCHER_EP + value: "{{ .Values.global.cattle.url }}" + {{- end }} + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - name: CTRL_PERSIST_CONFIG + value: "1" + {{- end }} + {{- with .Values.controller.env }} +{{- toYaml . 
| nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /var/neuvector + name: nv-share + readOnly: false + - mountPath: /var/nv_debug + name: nv-debug + readOnly: false + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + - mountPath: /etc/config + name: config-volume + readOnly: true + {{- if .Values.controller.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.controller.certificate.keyFile }} + name: usercert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.controller.certificate.pemFile }} + name: usercert + readOnly: true + {{- else if .Values.autoGenerateCert }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- else }} + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.controller.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.controller.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.controller.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + terminationGracePeriodSeconds: 300 + 
restartPolicy: Always + volumes: + - name: nv-share + {{- if .Values.controller.pvc.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.controller.pvc.existingClaim | default "neuvector-data" }} + {{- else if .Values.controller.azureFileShare.enabled }} + azureFile: + secretName: {{ .Values.controller.azureFileShare.secretName }} + shareName: {{ .Values.controller.azureFileShare.shareName }} + readOnly: false + {{- else }} + hostPath: + path: /var/neuvector + {{- end }} + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + - name: config-volume + projected: + sources: + - configMap: + name: neuvector-init + optional: true + - secret: + name: neuvector-init + optional: true + - name: nv-debug + hostPath: + path: /var/nv_debug + {{- if .Values.autoGenerateCert }} + - name: cert + secret: + secretName: neuvector-controller-secret + {{- end }} + {{- if .Values.controller.certificate.secret }} + - name: usercert + secret: + secretName: {{ .Values.controller.certificate.secret }} + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + - name: internal-cert + secret: + secretName: {{ .Values.controller.internal.certificate.secret }} + {{- end }} +{{- if gt (int .Values.controller.disruptionbudget) 0 }} +--- +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: neuvector-controller-pdb + namespace: {{ .Release.Namespace }} +spec: + minAvailable: {{ 
.Values.controller.disruptionbudget }} + selector: + matchLabels: + app: neuvector-controller-pod +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/controller-ingress.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/controller-ingress.yaml new file mode 100644 index 0000000000..1ea0cdce12 --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/controller-ingress.yaml 
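Review bot: The controller container is declared with `securityContext: privileged: true` and also receives the container runtime socket, `/proc` and `/sys/fs/cgroup` from the host, with nothing in the template saying which of these the controller needs. `readOnly: true` on the `runtime-sock` mount only protects the socket file itself; it does not limit what a process can request from the runtime over that socket, so the flag gives less protection than it suggests. I would say so next to the mount, e.g. `# readOnly guards the mount, not the runtime API behind the socket`, and document above `privileged: true` which operations require it so it can later be narrowed to specific capabilities. Separately, the `mountPath` chain tests containerd, k3s, bottlerocket, crio while the `hostPath` chain tests containerd, crio, k3s, bottlerocket, so with both `k3s.enabled` and `crio.enabled` set the crio path would be mounted at the containerd socket location; using the same order in both chains removes that.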
@@ -0,0 +1,219 @@
+{{- if .Values.controller.enabled }}
+{{- if .Values.controller.ingress.enabled }}
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: neuvector-restapi-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.ingress.ingressClassName }}
+ ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }}
+{{ end }}
+{{- if .Values.controller.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.controller.ingress.host }}
+{{- if .Values.controller.ingress.secretName }}
+ secretName: {{ .Values.controller.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.controller.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.controller.ingress.path }}
+ pathType: Prefix
+ backend:
+ service:
+ name: neuvector-svc-controller-api
+ port:
+ number: 10443
+{{- else }}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: neuvector-restapi-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.controller.ingress.host }}
+{{- if .Values.controller.ingress.secretName }}
+ secretName: {{ .Values.controller.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.controller.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.controller.ingress.path }}
+ backend:
+ serviceName: neuvector-svc-controller-api
+ servicePort: 10443
+{{- end }}
+{{- end }}
+{{- if .Values.controller.federation.mastersvc.ingress.enabled }}
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: neuvector-mastersvc-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.mastersvc.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }}
+ ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }}
+{{ end }}
+{{- if .Values.controller.federation.mastersvc.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.controller.federation.mastersvc.ingress.host }}
+{{- if .Values.controller.federation.mastersvc.ingress.secretName }}
+ secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.controller.federation.mastersvc.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.controller.federation.mastersvc.ingress.path }}
+ pathType: Prefix
+ backend:
+ service:
+ name: neuvector-svc-controller-fed-master
+ port:
+ number: 11443
+{{- else }}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: neuvector-mastersvc-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.mastersvc.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.federation.mastersvc.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.controller.federation.mastersvc.ingress.host }}
+{{- if .Values.controller.federation.mastersvc.ingress.secretName }}
+ secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.controller.federation.mastersvc.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.controller.federation.mastersvc.ingress.path }}
+ backend:
+ serviceName: neuvector-svc-controller-fed-master
+ servicePort: 11443
+{{- end }}
+{{- end }}
+{{- if .Values.controller.federation.managedsvc.ingress.enabled }}
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: neuvector-managedsvc-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.managedsvc.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }}
+ ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }}
+{{ end }}
+{{- if .Values.controller.federation.managedsvc.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.controller.federation.managedsvc.ingress.host }}
+{{- if .Values.controller.federation.managedsvc.ingress.secretName }}
+ secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.controller.federation.managedsvc.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.controller.federation.managedsvc.ingress.path }}
+ pathType: Prefix
+ backend:
+ service:
+ name: neuvector-svc-controller-fed-managed
+ port:
+ number: 10443
+{{- else }}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: neuvector-managedsvc-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.managedsvc.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.federation.managedsvc.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.controller.federation.managedsvc.ingress.host }}
+{{- if .Values.controller.federation.managedsvc.ingress.secretName }}
+ secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.controller.federation.managedsvc.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.controller.federation.managedsvc.ingress.path }}
+ backend:
+ serviceName: neuvector-svc-controller-fed-managed
+ servicePort: 10443
+{{- end }}
+{{- end }}
+{{- end -}}
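Review bot: All six Ingress variants in controller-ingress.yaml render `host`, `path` and `secretName` from values unquoted, so a wildcard host such as `*.example.com` is read by the YAML parser as an alias and the manifest fails to load, while an empty host renders as `null`, which an Ingress treats as "any host". `ingressClassName` is already piped through `quote` in the same hunk; the host lines should follow it, e.g. `- host: {{ .Values.controller.ingress.host | quote }}` and the matching entry under `tls.hosts`. The `tls:` block is only emitted when `ingress.tls` is set, so unless the ingress controller enforces TLS by other means the REST API backend on 10443 and the federation backends on 11443/10443 are published without it; a short comment beside the `{{- if ...ingress.tls }}` conditional stating that would help whoever audits the rendered manifests.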
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/controller-route.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/controller-route.yaml
new file mode 100644
index 0000000000..377917afaf
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/controller-route.yaml
@@ -0,0 +1,98 @@
+{{- if .Values.openshift -}}
+{{- if .Values.controller.apisvc.route.enabled }}
+{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: route.openshift.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: Route
+metadata:
+ name: neuvector-route-api
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.apisvc.route.host }}
+ host: {{ .Values.controller.apisvc.route.host }}
+{{- end }}
+ to:
+ kind: Service
+ name: neuvector-svc-controller-api
+ port:
+ targetPort: controller-api
+ tls:
+ termination: {{ .Values.controller.apisvc.route.termination }}
+{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }}
+{{- with .Values.controller.apisvc.route.tls }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
+
+---
+{{ end -}}
+{{- if .Values.controller.federation.mastersvc.route.enabled }}
+{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: route.openshift.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: Route
+metadata:
+ name: neuvector-route-fed-master
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.federation.mastersvc.route.host }}
+ host: {{ .Values.controller.federation.mastersvc.route.host }}
+{{- end }}
+ to:
+ kind: Service
+ name: neuvector-svc-controller-fed-master
+ port:
+ targetPort: fed
+ tls:
+ termination: {{ .Values.controller.federation.mastersvc.route.termination }}
+{{- if or (eq .Values.controller.federation.mastersvc.route.termination "reencrypt") (eq .Values.controller.federation.mastersvc.route.termination "edge") }}
+{{- with .Values.controller.federation.mastersvc.route.tls }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
+---
+{{ end -}}
+{{- if .Values.controller.federation.managedsvc.route.enabled }}
+{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: route.openshift.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: Route
+metadata:
+ name: neuvector-route-fed-managed
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.controller.federation.managedsvc.route.host }}
+ host: {{ .Values.controller.federation.managedsvc.route.host }}
+{{- end }}
+ to:
+ kind: Service
+ name: neuvector-svc-controller-fed-managed
+ port:
+ targetPort: fed
+ tls:
+ termination: {{ .Values.controller.federation.managedsvc.route.termination }}
+{{- if or (eq .Values.controller.federation.managedsvc.route.termination "reencrypt") (eq .Values.controller.federation.managedsvc.route.termination "edge") }}
+{{- with .Values.controller.federation.managedsvc.route.tls }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/controller-secret.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/controller-secret.yaml
new file mode 100644
index 0000000000..0db1d946b4
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/controller-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.controller.enabled -}}
+{{- if .Values.autoGenerateCert }}
+{{- $cn := "neuvector" }}
+{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: neuvector-controller-secret
+type: Opaque
+data:
+ ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
+ ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
+---
+{{- end}}
+{{- end}}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/controller-service.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/controller-service.yaml
new file mode 100644
index 0000000000..e342a95800
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/controller-service.yaml
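Review bot: In controller-secret.yaml the Secret's `metadata` carries only `name`, while the two `neuvector.secrets.lookup` calls below it search for the existing object in `.Release.Namespace` and the other templates in this patch set the namespace explicitly; add `namespace: {{ .Release.Namespace }}` so the object that is read back and the object that is written are certainly the same one. The helper's body is outside this hunk, but if it is built on Helm's `lookup`, that function returns nothing under `helm template` or a client-side dry run, so a pipeline that renders manifests offline would emit a fresh `genSelfSignedCert` key pair on every render; a comment above `$cert` should say that. The generated certificate is self-signed for the single name `neuvector`, so clients have no CA to validate it against unless an operator supplies their own through `controller.certificate.secret`, which the controller deployment in this patch mounts as `usercert`.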
@@ -0,0 +1,97 @@
+{{- if .Values.controller.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-svc-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+ clusterIP: None
+ ports:
+ - port: 18300
+ protocol: "TCP"
+ name: "cluster-tcp-18300"
+ - port: 18301
+ protocol: "TCP"
+ name: "cluster-tcp-18301"
+ - port: 18301
+ protocol: "UDP"
+ name: "cluster-udp-18301"
+ selector:
+ app: neuvector-controller-pod
+{{- if .Values.controller.apisvc.type }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-svc-controller-api
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.apisvc.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+ type: {{ .Values.controller.apisvc.type }}
+ ports:
+ - port: 10443
+ protocol: "TCP"
+ name: "controller-api"
+ selector:
+ app: neuvector-controller-pod
+{{ end -}}
+{{- if .Values.controller.federation.mastersvc.type }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-svc-controller-fed-master
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.mastersvc.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+ type: {{ .Values.controller.federation.mastersvc.type }}
+ ports:
+ - port: 11443
+ name: fed
+ protocol: TCP
+ selector:
+ app: neuvector-controller-pod
+{{ end -}}
+{{- if .Values.controller.federation.managedsvc.type }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-svc-controller-fed-managed
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.managedsvc.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+ type: {{ .Values.controller.federation.managedsvc.type }}
+ ports:
+ - port: 10443
+ name: fed
+ protocol: TCP
+ selector:
+ app: neuvector-controller-pod
+{{ end -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/crd-role-least.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/crd-role-least.yaml
new file mode 100644
index 0000000000..428bc31dd0
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/crd-role-least.yaml
@@ -0,0 +1,299 @@
+{{- if .Values.leastPrivilege -}}
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+# ClusterRole for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - update
+ - watch
+ - create
+ - get
+
+---
+
+# ClusterRoleBinding for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-customresourcedefinition
+subjects:
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+# ClusterRole for NeuVector to manage network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvsecurityrules
+ - nvclustersecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRoleBinding for NeuVector to manage network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+# ClusterRole for NeuVector to manage dlp CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvdlpsecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRole for NeuVector to manage admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvadmissioncontrolsecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRoleBinding for NeuVector to manage admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvdlpsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+# ClusterRoleBinding for NeuVector to manage admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+# ClusterRole for NeuVector to manage waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvwafsecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRoleBinding for NeuVector to manage waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvwafsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+{{- end }}
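Review bot: The first ClusterRole in crd-role-least.yaml, `neuvector-binding-customresourcedefinition`, grants `update` and `get` on every `customresourcedefinitions` object in the cluster, which is wider than the least-privilege profile this file is rendered for; crd-role.yaml repeats the same rule. `create` cannot be restricted by name, but `update` and `get` can move to a second rule with `resourceNames:` listing only the NeuVector CRDs, presumably the `neuvector.com` resources named in the roles below in `<plural>.neuvector.com` form (confirm the full list against the chart's crds directory). If cluster-wide update really is required, a comment on the rule saying why would spare the next RBAC audit the question.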
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/crd-role.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/crd-role.yaml
new file mode 100644
index 0000000000..77d175e1e8
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/crd-role.yaml
@@ -0,0 +1,299 @@
+{{- if not .Values.leastPrivilege -}}
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+# ClusterRole for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - update
+ - watch
+ - create
+ - get
+
+---
+
+# ClusterRoleBinding for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-customresourcedefinition
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+
+---
+
+# ClusterRole for NeuVector to manage network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvsecurityrules
+ - nvclustersecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRoleBinding for NeuVector to manage network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+
+---
+
+# ClusterRole for NeuVector to manage dlp CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvdlpsecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRole for NeuVector to manage admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvadmissioncontrolsecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRoleBinding for NeuVector to manage admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvdlpsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+
+---
+
+# ClusterRoleBinding for NeuVector to manage admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+
+---
+
+# ClusterRole for NeuVector to manage waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvwafsecurityrules
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+
+# ClusterRoleBinding for NeuVector to manage waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvwafsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+
+{{- end }}
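Review bot: The comment above the `neuvector-binding-nvdlpsecurityrules` ClusterRoleBinding in crd-role.yaml reads `# ClusterRoleBinding for NeuVector to manage admission control CRD rules`, the same text that sits on the `nvadmissioncontrolsecurityrules` binding right after it; it should read `# ClusterRoleBinding for NeuVector to manage dlp CRD rules`. crd-role-least.yaml has the same copy-paste. These comments are what a reader uses to pair each binding with its role when auditing the RBAC the chart installs, so the wrong label makes the DLP binding easy to miss. The two files otherwise differ only in the subject (`controller` versus `{{ .Values.serviceAccount }}`), so a single named template that takes the account name would stop them drifting apart.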
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/enforcer-daemonset.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/enforcer-daemonset.yaml
new file mode 100644
index 0000000000..cb2aac2d5e
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/enforcer-daemonset.yaml
@@ -0,0 +1,150 @@
+{{- if .Values.enforcer.enabled -}}
+{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: apps/v1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: DaemonSet
+metadata:
+ name: neuvector-enforcer-pod
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ heritage: Helm
+ release: {{ .Release.Name }}
+spec:
+ updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }}
+ selector:
+ matchLabels:
+ app: neuvector-enforcer-pod
+ template:
+ metadata:
+ labels:
+ app: neuvector-enforcer-pod
+ release: {{ .Release.Name }}
+ {{- with .Values.enforcer.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.enforcer.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets }}
+ {{- end }}
+ {{- if .Values.enforcer.tolerations }}
+ tolerations:
+{{ toYaml .Values.enforcer.tolerations | indent 8 }}
+ {{- end }}
+ hostPID: true
+ {{- if .Values.enforcer.priorityClassName }}
+ priorityClassName: {{ .Values.enforcer.priorityClassName }}
+ {{- end }}
+ {{- if .Values.leastPrivilege }}
+ serviceAccountName: enforcer
+ serviceAccount: enforcer
+ {{- else }}
+ serviceAccountName: {{ .Values.serviceAccount }}
+ serviceAccount: {{ .Values.serviceAccount }}
+ {{- end }}
+ containers:
+ - name: neuvector-enforcer-pod
+ image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }}
+ securityContext:
+ privileged: true
+ resources:
+ {{- if .Values.enforcer.resources }}
+{{ toYaml .Values.enforcer.resources | indent 12 }}
+ {{- else }}
+{{ toYaml .Values.resources | indent 12 }}
+ {{- end }}
+ env:
+ - name: CLUSTER_JOIN_ADDR
+ value: neuvector-svc-controller.{{ .Release.Namespace }}
+ - name: CLUSTER_ADVERTISED_ADDR
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: CLUSTER_BIND_ADDR
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ {{- with .Values.enforcer.env }}
+{{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.containerd.enabled }}
+ - mountPath: /var/run/containerd/containerd.sock
+ {{- else if .Values.k3s.enabled }}
+ - mountPath: /run/containerd/containerd.sock
+ {{- else if .Values.bottlerocket.enabled }}
+ - mountPath: /var/run/containerd/containerd.sock
+ {{- else if .Values.crio.enabled }}
+ - mountPath: /var/run/crio/crio.sock
+ {{- else }}
+ - mountPath: /var/run/docker.sock
+ {{- end }}
+ name: runtime-sock
+ readOnly: true
+ - mountPath: /host/proc
+ name: proc-vol
+ readOnly: true
+ - mountPath: /host/cgroup
+ name: cgroup-vol
+ readOnly: true
+ - mountPath: /lib/modules
+ name: modules-vol
+ readOnly: true
+ - mountPath: /var/nv_debug
+ name: nv-debug
+ readOnly: false
+ {{- if .Values.internal.certmanager.enabled }}
+ - mountPath: /etc/neuvector/certs/internal/cert.key
+ subPath: {{ .Values.enforcer.internal.certificate.keyFile }}
+ name: internal-cert
+ readOnly: true
+ - mountPath: /etc/neuvector/certs/internal/cert.pem
+ subPath: {{ .Values.enforcer.internal.certificate.pemFile }}
+ name: internal-cert
+ readOnly: true
+ - mountPath: /etc/neuvector/certs/internal/ca.cert
+ subPath: {{ .Values.enforcer.internal.certificate.caFile }}
+ name: internal-cert
+ readOnly: true
+ {{- end }}
+ terminationGracePeriodSeconds: 1200
+ restartPolicy: Always
+ volumes:
+ - name: runtime-sock
+ hostPath:
+ {{- if .Values.containerd.enabled }}
+ path: {{ .Values.containerd.path }}
+ {{- else if .Values.crio.enabled }}
+ path: {{ .Values.crio.path }}
+ {{- else if .Values.k3s.enabled }}
+ path: {{ .Values.k3s.runtimePath }}
+ {{- else if .Values.bottlerocket.enabled }}
+ path: {{ .Values.bottlerocket.runtimePath }}
+ {{- else }}
+ path: {{ .Values.docker.path }}
+ {{- end }}
+ - name: proc-vol
+ hostPath:
+ path: /proc
+ - name: cgroup-vol
+ hostPath:
+ path: /sys/fs/cgroup
+ - name: modules-vol
+ hostPath:
+ path: /lib/modules
+ - name: nv-debug
+ hostPath:
+ path: /var/nv_debug
+ {{- if .Values.internal.certmanager.enabled }}
+ - name: internal-cert
+ secret:
+ secretName: {{ .Values.enforcer.internal.certificate.secret }}
+ {{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/init-configmap.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/init-configmap.yaml
new file mode 100644
index 0000000000..1300794afa
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/init-configmap.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.controller.configmap.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: neuvector-init
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+data:
+{{ toYaml .Values.controller.configmap.data | indent 2 }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/init-secret.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/init-secret.yaml
new file mode 100644
index 0000000000..d4bfca591d
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/init-secret.yaml
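Review bot: In enforcer-daemonset.yaml the runtime-socket branches are tested in a different order under `volumeMounts` (containerd, k3s, bottlerocket, crio, docker) than under `volumes` (containerd, crio, k3s, bottlerocket, docker), so with both `crio.enabled` and `k3s.enabled` set the pod mounts the host path from `crio.path` at `/run/containerd/containerd.sock`. Move the `{{- else if .Values.crio.enabled }}` branch ahead of the k3s branch in `volumeMounts` so the two chains agree. The `runtime-sock` hostPath also sets no `type`; adding `type: Socket` would make the pod fail to start when the configured path is not a socket rather than mounting whatever is found there. For operators reading the manifest: `readOnly: true` on the socket mount does not limit what the container can ask the runtime to do through it, and this pod already runs with `privileged: true` and `hostPID: true`, so the enforcer image and its tag deserve the same scrutiny as a node-level agent.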
@@ -0,0 +1,15 @@
+{{- if .Values.controller.secret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: neuvector-init
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+data:
+{{- range $key, $val := .Values.controller.secret.data }}
+ {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/manager-deployment.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/manager-deployment.yaml
new file mode 100644
index 0000000000..f0528c35e5
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/manager-deployment.yaml
@@ -0,0 +1,118 @@ +{{- if .Values.manager.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-manager-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-manager-pod + template: + metadata: + labels: + app: neuvector-manager-pod + release: {{ .Release.Name }} + {{- with .Values.manager.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.manager.podAnnotations .Values.autoGenerateCert }} + annotations: + {{- if .Values.autoGenerateCert }} + checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.manager.podAnnotations }} + {{- toYaml .Values.manager.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.manager.affinity }} + affinity: +{{ toYaml .Values.manager.affinity | indent 8 }} + {{- end }} + {{- if .Values.manager.tolerations }} + tolerations: +{{ toYaml .Values.manager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.manager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.manager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.manager.priorityClassName }} + priorityClassName: {{ .Values.manager.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.manager.runAsUser }} + securityContext: + runAsUser: {{ .Values.manager.runAsUser }} + {{- end }} + containers: + - name: 
neuvector-manager-pod + image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} + env: + - name: CTRL_SERVER_IP + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if not .Values.manager.env.ssl }} + - name: MANAGER_SSL + value: "off" + {{- end }} + {{- with .Values.manager.env.envs }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.manager.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.manager.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.manager.certificate.pemFile }} + name: cert + readOnly: true + {{- else if .Values.autoGenerateCert }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.manager.resources }} +{{ toYaml .Values.manager.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.manager.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.manager.certificate.secret }} + {{- else if .Values.autoGenerateCert }} + - name: cert + secret: + secretName: neuvector-manager-secret + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/manager-ingress.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/manager-ingress.yaml new file mode 100644 index 0000000000..52826fc5ec --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/manager-ingress.yaml 
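Review bot: The `neuvector-manager-pod` container is rendered without a container-level `securityContext`; the only hardening knob is the optional pod-level `runAsUser`. For the pod that serves the web console I would add, under the container, a `securityContext:` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, ideally behind a values key so it can be relaxed if the image turns out to need more. The same gap is visible in the registry-adapter.yaml and scanner-deployment.yaml containers later in this patch. Separately, `MANAGER_SSL` is set to `"off"` whenever `manager.env.ssl` is false; that presumably makes the console serve plain HTTP on the port the Service and Ingress still publish as 8443, which deserves a comment next to the variable.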
@@ -0,0 +1,71 @@
+{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}}
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: neuvector-webui-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.manager.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.manager.ingress.ingressClassName }}
+ ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }}
+{{ end }}
+{{- if .Values.manager.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.manager.ingress.host }}
+{{- if .Values.manager.ingress.secretName }}
+ secretName: {{ .Values.manager.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.manager.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.manager.ingress.path }}
+ pathType: Prefix
+ backend:
+ service:
+ name: neuvector-service-webui
+ port:
+ number: 8443
+{{- else }}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: neuvector-webui-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.manager.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.manager.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.manager.ingress.host }}
+{{- if .Values.manager.ingress.secretName }}
+ secretName: {{ .Values.manager.ingress.secretName }}
+{{- end }}
+{{- end }}
+ rules:
+ - host: {{ .Values.manager.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.manager.ingress.path }}
+ backend:
+ serviceName: neuvector-service-webui
+ servicePort: 8443
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/manager-route.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/manager-route.yaml
new file mode 100644
index 0000000000..77262d5bd5
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/manager-route.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.openshift -}}
+{{- if .Values.manager.route.enabled }}
+{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: route.openshift.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: Route
+metadata:
+ name: neuvector-route-webui
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+{{- if .Values.manager.route.host }}
+ host: {{ .Values.manager.route.host }}
+{{- end }}
+ to:
+ kind: Service
+ name: neuvector-service-webui
+ port:
+ targetPort: manager
+ tls:
+ termination: {{ .Values.manager.route.termination }}
+{{- if or (eq .Values.manager.route.termination "reencrypt") (eq .Values.manager.route.termination "edge") }}
+{{- with .Values.manager.route.tls }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/manager-secret.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/manager-secret.yaml
new file mode 100644
index 0000000000..aeb0331486
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/manager-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.manager.enabled -}}
+{{- if .Values.autoGenerateCert }}
+{{- $cn := "neuvector" }}
+{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: neuvector-manager-secret
+type: Opaque
+data:
+ ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
+ ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/manager-service.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/manager-service.yaml
new file mode 100644
index 0000000000..ab6e659756
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/manager-service.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.manager.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-service-webui
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.manager.svc.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+ type: {{ .Values.manager.svc.type }}
+{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }}
+ loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }}
+{{- end }}
+ ports:
+ - port: 8443
+ name: manager
+ protocol: TCP
+ selector:
+ app: neuvector-manager-pod
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/psp.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/psp.yaml
new file mode 100644
index 0000000000..f49266ac2b
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/psp.yaml
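Review bot: The `neuvector-manager-secret` Secret has no `namespace:` (and no chart labels), although the `neuvector.secrets.lookup` calls on the following lines look the same secret up in `.Release.Namespace` and the other namespaced resources in this patch set it; add `namespace: {{ .Release.Namespace }}` under `metadata` so the rendered object and the looked-up object cannot diverge when the manifest is applied outside `helm install`. The generated certificate also carries only `neuvector` as CN and SAN (`list $cn`), which does not match the `neuvector-service-webui` Service name, so clients cannot verify the host name; adding the Service DNS names to that list would fix this. registry-adapter-secret.yaml further down has the same two gaps. The lookup helper is defined outside this hunk, so how it reuses an existing key is not visible here.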
@@ -0,0 +1,86 @@
+{{- if and .Values.global.cattle.psp.enabled (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: neuvector-binding-psp
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ heritage: Helm
+ release: {{ .Release.Name }}
+spec:
+ privileged: true
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - SYS_ADMIN
+ - NET_ADMIN
+ - SYS_PTRACE
+ - IPC_LOCK
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: neuvector-binding-psp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ heritage: Helm
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - neuvector-binding-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: neuvector-binding-psp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ heritage: Helm
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: neuvector-binding-psp
+subjects:
+{{- if .Values.leastPrivilege }}
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+ name: enforcer
+ namespace: {{ .Release.Namespace }}
+{{- else }}
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
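Review bot: `neuvector-binding-psp` is effectively an unrestricted policy: it allows `privileged: true`, host network/PID/IPC, `volumes: '*'` and any seccomp profile, and the `allowedCapabilities`/`requiredDropCapabilities` lists do not constrain a privileged container. In the `else` branch of `subjects` it is bound to the single `.Values.serviceAccount`, which the manager, scanner, registry-adapter and updater templates in this patch also run as, so every component may use it rather than only the pods that need host access. I would keep this policy for the enforcer (the only container in view that sets `privileged: true`) and bind the other accounts to a restricted policy, or at least add a comment such as `# Unrestricted by design for the enforcer; do not reuse for other service accounts.`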
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/pvc.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/pvc.yaml
new file mode 100644
index 0000000000..b7e97e7df0
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/pvc.yaml
@@ -0,0 +1,27 @@
+{{- if not .Values.controller.pvc.existingClaim -}}
+{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: neuvector-data
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+spec:
+ accessModes:
+{{ toYaml .Values.controller.pvc.accessModes | indent 4 }}
+ volumeMode: Filesystem
+{{- if .Values.controller.pvc.storageClass }}
+ storageClassName: {{ .Values.controller.pvc.storageClass }}
+{{- end }}
+ resources:
+ requests:
+{{- if .Values.controller.pvc.capacity }}
+ storage: {{ .Values.controller.pvc.capacity }}
+{{- else }}
+ storage: 1Gi
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-ingress.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-ingress.yaml
new file mode 100644
index 0000000000..aec7161c65
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-ingress.yaml
@@ -0,0 +1,109 @@ +{{- if .Values.cve.adapter.enabled -}} + +{{- if .Values.cve.adapter.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.cve.adapter.ingress.ingressClassName }} + ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-registry-adapter + port: + number: 9443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 9443 +{{- end }} +{{- end }} + +--- + +{{- if and .Values.openshift .Values.cve.adapter.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.cve.adapter.route.host }} + host: {{ .Values.cve.adapter.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-registry-adapter + port: + targetPort: registry-adapter + tls: + termination: {{ .Values.cve.adapter.route.termination }} +{{- if or (eq .Values.cve.adapter.route.termination "reencrypt") (eq .Values.cve.adapter.route.termination "edge") }} +{{- with .Values.cve.adapter.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-secret.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-secret.yaml new file mode 100644 index 0000000000..5f2b3efa86 --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter-secret.yaml 
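Review bot: In the `extensions/v1beta1` branch the backend is `serviceName: neuvector-service-webui` with `servicePort: 9443`, but the `networking.k8s.io/v1` branch above routes to `neuvector-service-registry-adapter`, and the web UI Service only publishes 8443; on clusters that take the legacy branch this Ingress points at the wrong Service. It should read `serviceName: neuvector-service-registry-adapter`. Both branches also hard-code 9443, while the Service in registry-adapter.yaml publishes 8090 unless `cve.adapter.harbor.protocol` is `https`, so the port should be derived from the same condition. The unquoted `host`, `path` and `secretName` values would be safer with `| quote`, as `ingressClassName` already is.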
@@ -0,0 +1,15 @@
+{{- if .Values.cve.adapter.enabled -}}
+{{- if .Values.autoGenerateCert }}
+{{- $cn := "neuvector" }}
+{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: neuvector-registry-adapter-secret
+type: Opaque
+data:
+ ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
+ ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter.yaml
new file mode 100644
index 0000000000..2aaf03ecf6
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/registry-adapter.yaml
@@ -0,0 +1,192 @@ +{{- if .Values.cve.adapter.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-registry-adapter-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-registry-adapter-pod + template: + metadata: + labels: + app: neuvector-registry-adapter-pod + release: {{ .Release.Name }} + {{- with .Values.cve.adapter.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.cve.adapter.podAnnotations .Values.autoGenerateCert }} + annotations: + {{- if .Values.autoGenerateCert }} + checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.cve.adapter.podAnnotations }} + {{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.cve.adapter.affinity }} + affinity: +{{ toYaml .Values.cve.adapter.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.tolerations }} + tolerations: +{{ toYaml .Values.cve.adapter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.adapter.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.adapter.priorityClassName }} + priorityClassName: {{ .Values.cve.adapter.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.adapter.runAsUser }} + 
securityContext: + runAsUser: {{ .Values.cve.adapter.runAsUser }} + {{- end }} + containers: + - name: neuvector-registry-adapter-pod + {{- if eq .Values.registry "registry.neuvector.com" }} + {{- if .Values.oem }} + image: "{{ .Values.registry }}/{{ .Values.oem }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- else }} + image: "{{ .Values.registry }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- end }} + {{- else }} + {{- if .Values.cve.adapter.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}" + {{- else }} + image: {{ template "system_default_registry" . }}{{ .Values.cve.adapter.image.repository }}:{{ .Values.cve.adapter.image.tag }} + {{- end }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: HARBOR_SERVER_PROTO + value: {{ .Values.cve.adapter.harbor.protocol }} + {{- if .Values.cve.adapter.harbor.secretName }} + - name: HARBOR_BASIC_AUTH_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: username + - name: HARBOR_BASIC_AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: password + {{- end }} + {{- with .Values.cve.adapter.env }} +{{- toYaml . 
| nindent 14 }} + {{- end }} + volumeMounts: + {{- if .Values.cve.adapter.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.cve.adapter.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.cve.adapter.certificate.pemFile }} + name: cert + readOnly: true + {{- else if .Values.autoGenerateCert }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.cve.adapter.resources }} +{{ toYaml .Values.cve.adapter.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + volumeMounts: + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.adapter.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.adapter.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.adapter.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.cve.adapter.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.cve.adapter.certificate.secret }} + {{- else if .Values.autoGenerateCert }} + - name: cert + secret: + secretName: neuvector-registry-adapter-secret + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + - name: internal-cert + secret: + secretName: {{ .Values.cve.adapter.internal.certificate.secret }} + {{- end }} + +--- + +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-registry-adapter + namespace: {{ .Release.Namespace }} +{{- with 
.Values.cve.adapter.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + type: {{ .Values.cve.adapter.svc.type }} +{{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.cve.adapter.svc.loadBalancerIP }} +{{- end }} + ports: + - name: registry-adapter +{{- if (eq .Values.cve.adapter.harbor.protocol "https") }} + port: 9443 +{{- else }} + port: 8090 +{{- end }} + protocol: TCP + selector: + app: neuvector-registry-adapter-pod + +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/role-least.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/role-least.yaml new file mode 100644 index 0000000000..85202c9b7b --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/role-least.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - watch + - patch + - update +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/rolebinding-least.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/rolebinding-least.yaml new file mode 100644 index 0000000000..4f19b62f32 --- /dev/null 
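Review bot: The registry-adapter container mapping gets a second `volumeMounts:` key when `internal.certmanager.enabled` is true: one is emitted unconditionally before `resources:` for the `cert` volume, and another after it for `internal-cert`. Duplicate keys in one mapping are invalid YAML, and parsers that tolerate them keep only the last one, which would silently drop the `ssl-cert.key`/`ssl-cert.pem` mounts. Move the three `internal-cert` mounts into the first list under their own `{{- if .Values.internal.certmanager.enabled }}` guard and delete the second key; scanner-deployment.yaml already uses a single guarded `volumeMounts:`. The `env` extras here use `nindent 14` where the other templates use `nindent 12`, which is worth checking against the rendered output.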
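Review bot: The `neuvector-binding-scanner` Role in role-least.yaml allows `patch` and `update` on every Deployment in the namespace, while the only use visible in this patch is the updater CronJob patching `deployments/neuvector-scanner-pod`. Adding `resourceNames:` with `- neuvector-scanner-pod` to the rule would limit what a leaked `updater` or `controller` token can change to the scanner Deployment. Whether the controller needs `watch` on other Deployments is not visible here, so that verb may need its own rule.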
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/rolebinding-least.yaml
@@ -0,0 +1,62 @@
+{{- if and .Values.rbac .Values.leastPrivilege -}}
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: RoleBinding
+metadata:
+ name: neuvector-binding-scanner
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+{{- end }}
+ name: neuvector-binding-scanner
+subjects:
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+ name: updater
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+{{- if $oc4 }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: system:openshift:scc:privileged
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+ name: controller
+ namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+ name: enforcer
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/rolebinding.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/rolebinding.yaml
new file mode 100644
index 0000000000..c2fa850346
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/rolebinding.yaml
@@ -0,0 +1,56 @@
+{{- if and .Values.rbac (not .Values.leastPrivilege) -}}
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: RoleBinding
+metadata:
+ name: neuvector-admin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: admin
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+
+---
+
+{{- if $oc4 }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: system:openshift:scc:privileged
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/scanner-deployment.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/scanner-deployment.yaml
new file mode 100644
index 0000000000..a825f36ba2
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/scanner-deployment.yaml
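Review bot: With `leastPrivilege` off, rolebinding.yaml binds the built-in `admin` ClusterRole (and, on OpenShift 4, the privileged SCC) to `.Values.serviceAccount`, the one account that the manager, scanner, registry-adapter and updater pods in this patch all run as; serviceaccount.yaml additionally accepts `default`, in which case the namespace's default account receives the grant. A compromise of the web console pod would therefore carry namespace admin rights, including read access to Secrets. The template should say so where operators will see it, for example `{{- /* Legacy mode: all NeuVector pods share this account and get namespace admin; prefer leastPrivilege. */ -}}` at the top, and the values documentation should point to `leastPrivilege` as the safer mode.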
@@ -0,0 +1,102 @@ +{{- if .Values.cve.scanner.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-scanner-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +spec: + strategy: +{{ toYaml .Values.cve.scanner.strategy | indent 4 }} + replicas: {{ .Values.cve.scanner.replicas }} + selector: + matchLabels: + app: neuvector-scanner-pod + template: + metadata: + labels: + app: neuvector-scanner-pod + {{- with .Values.cve.scanner.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cve.scanner.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.cve.scanner.affinity }} + affinity: +{{ toYaml .Values.cve.scanner.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.tolerations }} + tolerations: +{{ toYaml .Values.cve.scanner.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.scanner.priorityClassName }} + priorityClassName: {{ .Values.cve.scanner.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.scanner.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.scanner.runAsUser }} + {{- end }} + containers: + - name: neuvector-scanner-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }} + imagePullPolicy: Always + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if .Values.cve.scanner.dockerPath }} + - name: SCANNER_DOCKER_URL + value: {{ .Values.cve.scanner.dockerPath }} + {{- end }} + {{- with .Values.cve.scanner.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.cve.scanner.resources | indent 12 }} + {{- if .Values.internal.certmanager.enabled }} + volumeMounts: + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + restartPolicy: Always + {{- if .Values.internal.certmanager.enabled }} + volumes: + - name: internal-cert + secret: + secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount-least.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount-least.yaml new file mode 100644 index 0000000000..3872322037 --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount-least.yaml 
@@ -0,0 +1,47 @@
+{{- if .Values.leastPrivilege }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: basic
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: enforcer
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: updater
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..46a3027c4c
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if not .Values.leastPrivilege }}
+{{- if ne .Values.serviceAccount "default"}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/updater-cronjob.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/updater-cronjob.yaml
new file mode 100644
index 0000000000..96237b5ee6
--- /dev/null
+++ b/charts/neuvector/102.0.6+up2.6.6/templates/updater-cronjob.yaml
@@ -0,0 +1,79 @@ +{{- if .Values.cve.updater.enabled -}} +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1beta1 +{{- else }} +apiVersion: batch/v2alpha1 +{{- end }} +kind: CronJob +metadata: + name: neuvector-updater-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + schedule: {{ .Values.cve.updater.schedule | quote }} + jobTemplate: + spec: + template: + metadata: + labels: + app: neuvector-updater-pod + release: {{ .Release.Name }} + {{- with .Values.cve.updater.podLabels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cve.updater.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.updater.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.updater.nodeSelector | indent 12 }} + {{- end }} + {{- if .Values.cve.updater.priorityClassName }} + priorityClassName: {{ .Values.cve.updater.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: updater + serviceAccount: updater + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.updater.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.updater.runAsUser }} + {{- end }} + containers: + - name: neuvector-updater-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }} + imagePullPolicy: Always + {{- if .Values.cve.scanner.enabled }} + command: + - /bin/sh + - -c + {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + {{- if .Values.cve.updater.secure }} + {{- if .Values.cve.updater.cacert }} + - /usr/bin/curl -v --cacert {{ .Values.cve.updater.cacert }} -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- else }} + - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 
'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- end }} + restartPolicy: Never +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/templates/validate-psp-install.yaml b/charts/neuvector/102.0.6+up2.6.6/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..da62c4d183 --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +{{- if .Values.global.cattle.psp.enabled }} +{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.6+up2.6.6/values.yaml b/charts/neuvector/102.0.6+up2.6.6/values.yaml new file mode 100644 index 0000000000..262efc282e --- /dev/null +++ b/charts/neuvector/102.0.6+up2.6.6/values.yaml 
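Review bot: Three of the four `curl` branches in the updater `command` pass `-k`, so the pod sends its service-account bearer token to `https://kubernetes.default` without verifying the API server certificate; only the branch taken when both `cve.updater.secure` and `cve.updater.cacert` are set verifies it, and values.yaml in this same patch defaults `secure` to `false`. I would drop `-k` from every branch and always pass `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, which is the path the chart already ships as the `cacert` default. The `secure`-without-`cacert` branch falls back to the image's own trust store, which presumably does not contain the cluster CA, so that branch likely fails rather than verifies. `-v` is also worth removing, because curl's verbose output normally echoes request headers and would put the `Authorization:Bearer` value into the job's pod log. As this template is forward-ported from the upstream chart, the change probably belongs upstream first.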
@@ -0,0 +1,521 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +openshift: false + +registry: docker.io +oem: +rbac: true # required for rancher authentication +serviceAccount: neuvector +leastPrivilege: false + +global: # required for rancher authentication (https:///) + cattle: + url: + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false +autoGenerateCert: true + +defaultValidityPeriod: 365 + +internal: # enable when cert-manager is installed for the internal certificates + certmanager: + enabled: false + secretname: neuvector-internal + +controller: + # If false, controller will not be installed + enabled: true + annotations: {} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + repository: rancher/mirrored-neuvector-controller + tag: 5.2.4 + hash: + replicas: 3 + disruptionbudget: 0 + schedulerName: + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - neuvector-controller-pod + topologyKey: "kubernetes.io/hostname" + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + apisvc: + type: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ranchersso: # required for rancher authentication + enabled: true + pvc: + enabled: 
false + existingClaim: false + accessModes: + - ReadWriteMany + storageClass: + capacity: + azureFileShare: + enabled: false + secretName: + shareName: + certificate: + secret: + keyFile: tls.key + pemFile: tls.pem + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + federation: + mastersvc: + type: + # Federation Master Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + managedsvc: + type: + # Federation Managed Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN 
CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + configmap: + enabled: false + data: + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | + # ... + # ldapinitcfg.yaml: | + # ... + # oidcinitcfg.yaml: | + # ... + # samlinitcfg.yaml: | + # ... + # sysinitcfg.yaml: | + # ... + # userinitcfg.yaml: | + # ... + secret: + # NOTE: files defined here have preferrence over the ones defined in the configmap section + enabled: false + data: + # passwordprofileinitcfg.yaml: + # ... + # roleinitcfg.yaml: + # ... + # ldapinitcfg.yaml: + # directory: OpenLDAP + # ... + # oidcinitcfg.yaml: + # Issuer: https://... + # ... + # samlinitcfg.yaml: + # ... + # sysinitcfg.yaml: + # ... 
+ userinitcfg.yaml: + users: + - Fullname: admin + Password: + Role: admin + +enforcer: + # If false, enforcer will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-enforcer + tag: 5.2.4 + hash: + updateStrategy: + type: RollingUpdate + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +manager: + # If false, manager will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-manager + tag: 5.2.4 + hash: + priorityClassName: + env: + ssl: true + envs: [] + # - name: CUSTOM_PAGE_HEADER_COLOR + # value: "#FFFFFF" + # - name: CUSTOM_PAGE_FOOTER_COLOR + # value: "#FFFFFF" + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + # Make sure manager env ssl is false for edge termination + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + certificate: + secret: + keyFile: tls.key + pemFile: tls.pem + 
ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + +cve: + adapter: + enabled: false + image: + repository: rancher/mirrored-neuvector-registry-adapter + tag: 0.1.1-s1 + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. 
+ ## + ## default: (none) + certificate: + secret: + keyFile: tls.key + pemFile: tls.pem + harbor: + protocol: https + secretName: + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. 
+ updater: + # If false, cve updater will not be installed + enabled: true + secure: false + cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + image: + registry: "" + repository: rancher/mirrored-neuvector-updater + tag: latest + hash: + schedule: "0 0 * * *" + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + scanner: + enabled: true + replicas: 3 + dockerPath: "" + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + registry: "" + repository: rancher/mirrored-neuvector-scanner + tag: latest + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +docker: + path: /var/run/docker.sock + +resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + +k3s: + enabled: false + runtimePath: /run/k3s/containerd/containerd.sock + +bottlerocket: + enabled: false + runtimePath: /run/dockershim.sock + +containerd: + enabled: false + path: /var/run/containerd/containerd.sock + +crio: + enabled: false + path: /var/run/crio/crio.sock + +admissionwebhook: + type: ClusterIP + +crdwebhook: + enabled: true + type: ClusterIP diff --git a/index.yaml b/index.yaml index 60685de377..0b3705b821 100755 --- a/index.yaml +++ b/index.yaml 
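Review bot: `manager.svc.type` defaults to `NodePort` even though the inline comment on that same line says it should be ClusterIP, and `cve.adapter.svc.type` repeats the pattern; with these defaults the manager console (and the registry adapter, when enabled) is exposed on a port of every node. I would default both to `type: ClusterIP` and leave NodePort or an ingress as an explicit opt-in. Separately, `cve.updater.secure: false` selects the `curl -k` path in updater-cronjob.yaml; since the `cacert` default already points at the service-account CA bundle, defaulting `secure: true` would make certificate verification the out-of-the-box behaviour.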
@@ -4725,6 +4725,37 @@ entries: urls: - assets/neuvector/neuvector-103.0.0+up2.6.4.tgz version: 103.0.0+up2.6.4 + - annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.6.6 + apiVersion: v1 + appVersion: 5.2.4 + created: "2023-12-04T13:08:07.615218-03:00" + description: Helm feature chart for NeuVector's core services + digest: 87eaab3ff1bbed432a987039435ff8e66ce3b01d522be58c5723d5f0db76cffc + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector/neuvector-102.0.6+up2.6.6.tgz + version: 102.0.6+up2.6.6 - annotations: catalog.cattle.io/auto-install: neuvector-crd=match catalog.cattle.io/certified: rancher diff --git a/release.yaml b/release.yaml index 8b13789179..e5384125fc 100644 --- a/release.yaml +++ b/release.yaml @@ -1 +1,2 @@ - +neuvector: + - 102.0.6+up2.6.6 From ff791800dc8d6d3ff10fffe8a200ce0599ee65dd Mon Sep 17 00:00:00 2001 
From: Lucas Lopes Date: Mon, 4 Dec 2023 13:10:44 -0300 Subject: [PATCH 03/10] make forward-port neuvector-crd 102.0.6+up2.6.6 --- .../neuvector-crd-102.0.6+up2.6.6.tgz | Bin 0 -> 3187 bytes .../neuvector-crd/102.0.6+up2.6.6/Chart.yaml | 16 + .../neuvector-crd/102.0.6+up2.6.6/README.md | 14 + .../102.0.6+up2.6.6/templates/_helpers.tpl | 32 + .../102.0.6+up2.6.6/templates/crd.yaml | 845 ++++++++++++++++++ .../neuvector-crd/102.0.6+up2.6.6/values.yaml | 9 + index.yaml | 20 + release.yaml | 2 + 8 files changed, 938 insertions(+) create mode 100644 assets/neuvector-crd/neuvector-crd-102.0.6+up2.6.6.tgz create mode 100644 charts/neuvector-crd/102.0.6+up2.6.6/Chart.yaml create mode 100644 charts/neuvector-crd/102.0.6+up2.6.6/README.md create mode 100644 charts/neuvector-crd/102.0.6+up2.6.6/templates/_helpers.tpl create mode 100644 charts/neuvector-crd/102.0.6+up2.6.6/templates/crd.yaml create mode 100644 charts/neuvector-crd/102.0.6+up2.6.6/values.yaml 
diff --git a/assets/neuvector-crd/neuvector-crd-102.0.6+up2.6.6.tgz b/assets/neuvector-crd/neuvector-crd-102.0.6+up2.6.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..3e5d06f02da4f3c6983762da65334d626e9a3979 GIT binary patch literal 3187 zcmV-(42<(1iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PJ1ebKAHP&olputAx04T?e^S^fhP@g72N|xix1^Z%&ST2CY$Nm;rc{40#7%MKqSR@B0QzBG!MN;-) zkJRmUyT^xz=5M##-Td2qcHDc=J3Q(iJ?nR$9d;jddxK}kg9p&vXCvyUkcx;0-CNhS z*}2bzNS1L$6y=#51^_Wpgz-rf6QvkNlpn+>6dhAch9F25Pf=8|O=*%~HiV861$HV~ zGLoXqNsL3V55wi;lUGtB=^ z0)hX$`0Yp=LP6m=S?6BZ86p7SR|J?nsR=j_aQr>Pgo%pikGhg0L--PWC(hL*__3mcBS?8zZjx} zvnjG1g^W~w>#d++{r9_r!N&SO9vpT3`u`O4;lsh#Fr(=ZBr3C{_0oHuYPG~u9KzQJ zA3p|~EBNkxPO`)-Wo?6ikIiReP@|ya3n9TV%@8`vO+<5dAY7K4{U)+t^OY7Ay|ac# zbN)0#A!vedt(STh!|}j;r0LsYJf`oV6E1~emYC1Bg(m`uLLiGe#syWs{gB$yl0qU#o+5l-j8J5#P}&}kDY8U@-s~7nson(5-bN)n9$gu2 zoW6Rid1*EQnPdDU3SN$(gfLc!1_*>^vP2^08C7se8PmIFq4!Lpw_Dx#vb7H7YOZw! z)A2%|^TLHr=RCCxt(4B>Qqmty2ZqnvkLyZ17rL-gqBmAi_T@!e*Pd?Oz+BKwjiK|E z48M|{4QaOCZDv~C=d~HQGPHWhlweE`s~O&Mu2?QcM#!8)Z1_609a`15{ak`zxCVha zBQZkfn+|l&I$QPhzPBb%pMdJ@e=L%{xdCqbe>@l*A8pwGqoZ!m+y75N8wO*E!lM#! 
zFE@G~AL@NxZ)kJ&1&oKs64M!q6Q1VUJa+#2ychNQVYdU1WigUUKo7zmL?IytGl(c;Ex~IPAo`H@x8)Kf0NP0 zpJhb(!K}A5VeR-ws7PU3(0W3!bCU5|_^a<|DqOYCcUk5h!mw1)vJkipMTdmPl+) z1}n<|Fe}o!vJePk{Ia$*!R)H0(4K8bC1^IOZq@P}ucqCOF1M^>&O(GB)eSYXYu7I1 zT&UXSHNPz=*DKF0fMyCO<~aH$Nn~c;>?Dpa_;@yTn~ z)!pyzBb<^Mt=}NswlC!wRa~6KQ<6>UMm&TOtJ9Y0+p(0{}6{gg!ot!foU!^?RK|iNd#(Y)-4?_6SBKVrp*Mh6M z4LpQb2QRi)P7@|+Ht&siq{SBAj71ueNLw7z0)@0T@y!UNwWwC;qouSq$fF5&G@y=V z%+U&QG~*37K4_tkmPn(8$Ldn517kQ9Q7_ej6dV#0Rxu^rOGBbkG@H~c8|S)fv*z4b z0vhlHG-3*9!WGbV;oLVAb)W!fv!L9INh+d>nsIWYCP&4WWbCKgP4d(2E~Z;`Z^IJA z1&uP+9=%?ycJ5;|{>b9jprQaR(LT@sGzp9{=nl&f_1Cf3}kS zTfsj*?qE}hk2~;j2b+aH?!d<#fR8(vlaD*tQj(85xJmvZc!R#Ii(nsjP(yyY`M87M zblgG0^3ONs;FRUgc!Q1didciq?wjJ(ID-uaA7gOuF$NMdS>>a+ZGzJ`Y1m-v_va>0 zUr(t!GH-i1e9MVaDC!UK8(Z4Gy_U>BeSPmdvbNM@n=OS<2-bpYiX^G=wAUF&JaM1F zTDF|T7w9@ZwY0^VbE_lqwn{07b)W5PbHv`Zc>*W+z6IZ-KN!wO`|QW>`fNX(uP-Op z-fjSH2|DMS&t1Symp5J6sI9T4HA5b2ZhRBo{`+R}ti+N8@Y)_mh)Wuu@ zNu64{flpoB9<1IwSdDo$rjxC~Dx;XGv)%3$%Ky$^Q(A|Y8VsKOABVd*@c_GZBX!0k*aVMT zigDd4ZzV_;qq8<)J+0ikZ5+HdI<>R~Xm96!Y$>v(C$N>&cHTe(GF~z@xCHH-g4Te) zUC<9KAlR8fL;IMmhHW2$T8!y7lFs(ju;yveFd>{%p=lDd82+Y#PpGs>MV#-uf^BHS zyRKMCZ7>~RsL954I<-YEkkJG)?kdhFT$sL!!kvPEykF|}OE1az^L0gkA!Dcaxlvx> zaBg=0hL5?y;N8l5cPsrJNJFDqHLa}3-+`<%`a6&s@^>KB^%w+j?j>$@8_usP^iBp$K!HtPaq9C*AoC z(R%);H{ZQD{qegfP4-$xL;lC!arbaD|MQ^d^S^!)dbmu3Z1W?V401tGmn(UmvJVB! zou`fT$qx2>!{1scJ;xi%TLB?bqZ)QRAjv zfj}a8_7vuc+4Q>^S0FIuGm~c5y!}Ym{HRRI2`|TR#S5^#pb{R%A}I@>LT-~%N>p%u zGw;_qC~kA}R*DWFc=!-b%spTsY|iQ6=PAONGsZ7zHUXvO7^hv%6>XXIW37u66$&}e zBf2uhjBd(Yqf{(1OP1NGgW&c2Ww?gZWrlC_&9Yv@E3Qy#Q)~&YAq*?N%|8X_i@ajz zaIF<*hgWxmX7E#v*;`%s)ac77Q*q;Z!!?{6J)OgKaK2%tw5(VpP(CweO~0_nY^-0p Z?>)eiCr@7{{XYNz|No80Zk7Oq000k4BMtxn literal 0 HcmV?d00001 diff --git a/charts/neuvector-crd/102.0.6+up2.6.6/Chart.yaml b/charts/neuvector-crd/102.0.6+up2.6.6/Chart.yaml new file mode 100644 index 0000000000..03c3cef3b7 --- /dev/null +++ b/charts/neuvector-crd/102.0.6+up2.6.6/Chart.yaml 
@@ -0,0 +1,16 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/release-name: neuvector-crd
+apiVersion: v1
+appVersion: 5.2.4
+description: Helm chart for NeuVector's CRD services
+home: https://neuvector.com
+icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+maintainers:
+- email: support@neuvector.com
+ name: becitsthere
+name: neuvector-crd
+type: application
+version: 102.0.6+up2.6.6
diff --git a/charts/neuvector-crd/102.0.6+up2.6.6/README.md b/charts/neuvector-crd/102.0.6+up2.6.6/README.md
new file mode 100644
index 0000000000..a5379e6ba6
--- /dev/null
+++ b/charts/neuvector-crd/102.0.6+up2.6.6/README.md
@@ -0,0 +1,14 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications.
+
+Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`openshift` | If deploying in OpenShift, set this to true | `false` |
+`crdwebhook.type` | crd webhook type | `ClusterIP` |
diff --git a/charts/neuvector-crd/102.0.6+up2.6.6/templates/_helpers.tpl b/charts/neuvector-crd/102.0.6+up2.6.6/templates/_helpers.tpl
new file mode 100644
index 0000000000..c0cc49294e
--- /dev/null
+++ b/charts/neuvector-crd/102.0.6+up2.6.6/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/neuvector-crd/102.0.6+up2.6.6/templates/crd.yaml b/charts/neuvector-crd/102.0.6+up2.6.6/templates/crd.yaml
new file mode 100644
index 0000000000..675bb9e8af
--- /dev/null
+++ b/charts/neuvector-crd/102.0.6+up2.6.6/templates/crd.yaml
@@ -0,0 +1,845 @@ +{{- if .Values.crdwebhook.enabled -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvSecurityRule + listKind: NvSecurityRuleList + plural: nvsecurityrules + singular: nvsecurityrule + scope: Namespaced +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - 
filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare 
">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvclustersecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvClusterSecurityRule + listKind: NvClusterSecurityRuleList + plural: nvclustersecurityrules + singular: nvclustersecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: 
string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvdlpsecurityrules.neuvector.com + labels: + chart: {{ template 
"neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvDlpSecurityRule + listKind: NvDlpSecurityRuleList + plural: nvdlpsecurityrules + singular: nvdlpsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvadmissioncontrolsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvAdmissionControlSecurityRule + listKind: NvAdmissionControlSecurityRuleList + plural: nvadmissioncontrolsecurityrules + singular: nvadmissioncontrolsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + config: + properties: + client_mode: + enum: + - service + - url + type: string + enable: + type: boolean + mode: + enum: + - monitor + - protect + type: string + required: + - enable + - mode + - client_mode + type: object + rules: + items: + properties: + action: + enum: + - allow + - deny + type: string + comment: + type: string + criteria: + items: + properties: + name: + type: string + op: + type: string + path: + type: string + sub_criteria: + items: + properties: + name: + type: string + op: + type: string + value: + type: string + required: + - name + - op + - value + type: object + type: array + template_kind: + type: string + type: + type: string + value: + type: string + value_type: + type: string + required: + - name + - op + - value + type: object + type: array + disabled: + type: boolean + id: + type: integer + rule_mode: + enum: + - "" + - monitor + - protect + type: string + required: + - action + - criteria + type: object + type: array + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvwafsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvWafSecurityRule + listKind: NvWafSecurityRuleList + plural: nvwafsecurityrules + singular: nvwafsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-crd-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + ports: + - port: 443 + targetPort: 30443 + protocol: TCP + name: crd-webhook + type: {{ .Values.crdwebhook.type }} + selector: + app: neuvector-controller-pod +{{- end }} diff --git a/charts/neuvector-crd/102.0.6+up2.6.6/values.yaml b/charts/neuvector-crd/102.0.6+up2.6.6/values.yaml new file mode 100644 index 0000000000..e899decf01 --- /dev/null +++ b/charts/neuvector-crd/102.0.6+up2.6.6/values.yaml @@ -0,0 +1,9 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +openshift: false + +crdwebhook: + type: ClusterIP + enabled: true 
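Review bot: The opening `{{- if .Values.crdwebhook.enabled -}}` in templates/crd.yaml wraps all five CustomResourceDefinitions as well as the `neuvector-svc-crd-webhook` Service, so the flag controls far more than its name suggests. Because the CRDs are rendered from `templates/`, an upgrade with `crdwebhook.enabled=false` stops rendering them and Helm removes them, and removing a CRD also removes every stored object of that kind, here the security, DLP, WAF and admission-control rules. I would add `annotations:` with `helm.sh/resource-policy: keep` under each CRD's `metadata:` so the definitions survive such an upgrade or an uninstall, and state the coupling in a comment next to the `if`. Separately, the `<1.19-0` branch renders `apiextensions.k8s.io/v1beta1` CRDs with no `schema` at all, so on those clusters rule objects get no API-server validation; whatever else checks them is not visible in this hunk.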
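Review bot: `crdwebhook.type` in values.yaml is passed straight into the Service `type` in templates/crd.yaml, and nothing next to the key says what that means for exposure. With `NodePort` or `LoadBalancer` the controller's CRD webhook port (443, targetPort 30443) becomes reachable from outside the cluster, while the caller is presumably only the API server. I would comment the key, for example `# Service type for the CRD webhook; keep ClusterIP unless the API server cannot reach cluster IPs`. `enabled` also deserves a comment and a row in the README table, which currently lists only `openshift` and `crdwebhook.type`.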
diff --git a/index.yaml b/index.yaml index 0b3705b821..3d291fea47 100755 --- a/index.yaml +++ b/index.yaml @@ -5186,6 +5186,26 @@ entries: urls: - assets/neuvector-crd/neuvector-crd-103.0.0+up2.6.4.tgz version: 103.0.0+up2.6.4 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/release-name: neuvector-crd + apiVersion: v1 + appVersion: 5.2.4 + created: "2023-12-04T13:10:31.560803-03:00" + description: Helm chart for NeuVector's CRD services + digest: 44c56bee383a2e39e986ba48da75ad5fb180a160e2d5268743bc0dfb9fc39adf + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-crd + type: application + urls: + - assets/neuvector-crd/neuvector-crd-102.0.6+up2.6.6.tgz + version: 102.0.6+up2.6.6 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index e5384125fc..dcd5c688ac 100644 --- a/release.yaml +++ b/release.yaml @@ -1,2 +1,4 @@ neuvector: - 102.0.6+up2.6.6 +neuvector-crd: + - 102.0.6+up2.6.6 From 54e07e81da6f3d72cd5067ab139a84f36ce535a7 Mon Sep 17 00:00:00 2001 
From: Lucas Lopes Date: Mon, 4 Dec 2023 13:11:11 -0300 Subject: [PATCH 04/10] make forward-port neuvector-monitor 102.0.6+up2.6.6 --- .../neuvector-monitor-102.0.6+up2.6.6.tgz | Bin 0 -> 7925 bytes .../102.0.6+up2.6.6/Chart.yaml | 26 + .../102.0.6+up2.6.6/README.md | 22 + .../102.0.6+up2.6.6/app-readme.md | 5 + .../dashboards/nv_dashboard.json | 1828 +++++++++++++++++ .../102.0.6+up2.6.6/questions.yaml | 27 + .../102.0.6+up2.6.6/templates/_helpers.tpl | 40 + .../102.0.6+up2.6.6/templates/dashboard.yaml | 15 + .../templates/exporter-deployment.yaml | 60 + .../templates/exporter-service.yaml | 28 + .../templates/exporter-servicemonitor.yaml | 39 + .../102.0.6+up2.6.6/templates/secret.yaml | 15 + .../102.0.6+up2.6.6/values.yaml | 52 + index.yaml | 30 + release.yaml | 2 + 15 files changed, 2189 insertions(+) create mode 100644 assets/neuvector-monitor/neuvector-monitor-102.0.6+up2.6.6.tgz create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/Chart.yaml create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/README.md create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/app-readme.md create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/dashboards/nv_dashboard.json create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/questions.yaml create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/templates/_helpers.tpl create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/templates/dashboard.yaml create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-deployment.yaml create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-service.yaml create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-servicemonitor.yaml create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/templates/secret.yaml create mode 100644 charts/neuvector-monitor/102.0.6+up2.6.6/values.yaml 
diff --git a/assets/neuvector-monitor/neuvector-monitor-102.0.6+up2.6.6.tgz b/assets/neuvector-monitor/neuvector-monitor-102.0.6+up2.6.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..429f3a007ce186242f3a4073f74328554f529496 GIT binary patch literal 7925 zcmVDc zVQyr3R8em|NM&qo0PKBfbK5w!Xg>2-;L>E9nWm(((zWQ%jR{4KtyVH5r=?}Vtot`z=*?DGl`a9P4Gh}@$0Omar7nnV>Zah|b za*yP}K|lo-ga&+QAY@~KJ?ge?EQAMbLbq&Sf{Y0`L&R`kPk_}{a|jPTJZlBmhaq|o z(MLs9=$)pj+BRp=2wGEMoX}v1e)z|aop$GC+iF?p@2J!6zLFn*sBI}n;UTtRi1f== zM#p@{1^BhiC?6t^1kpupX$Z_Gg0~jbVsuIz;4OE`hA17jZBu`1+No_4Q*9y1Rwh^;XBF2lj0M-(edbQP}kP8Ob&*18|x7*tW4#~&l&9r0S zFigJ=+TC{FaDdy4ghIXg89X120gH$MvZd@mW6E+A5JQSMuqm;D8xtz0G7%!=!>z3X z1`T4%K9e#$#R4qiv&Y&d!2c3R@E&uQ0 z*+Ba+#*rtGUU$X38ABKw=ww1TA{=4#Y4_dR)|fIM3jq!q6AxsCeXu>u08KF?c;o>` zf}#KJ8afAo*6GB>a#{eCHOSoXOAu>(FVCgr9 z+GoJpgc=n5A^PD5LrO?-$jFp<;KC4%vB$wM;6idYFxmG8dNbDVH&OB)ofFSP0TmKh z5^#Y%4;%v_2;?-JArdSC10mvLH-?ZwNV#N_S*i}Ve8L!I;N)~r$fyru0ugT|qp9Ws zyNM8$Fxe9vxDsCy#eyP?7+{A6-V8}uhyKezXz%3c?ddPa2S@LB-yIAQc6<^fuMc;R zkAMAew4c4U1@n%9*$l*cC9{6`!7vcQAvvDfc?rg+c1y}qMm-N$3x{ObvHJaX_FuO*DBFKKJ!@xe|J}v& z_3PGuqbc!+QphWlPOA7HeTf!(0z>rQTUS?xtYsWrgg9`N9*~+2(Xslhe7?33*K0|| zKmtH!W<<)`CTeBnN^!Jxph=o3sQpnp9kS+!DKJJHK$p_&2yC?7Qy+ zGYA~@SwpzT01H4k9b+7M-VFT_VNZoHq##zXw~b#x_pa&-Ifk5vl*~4cI3P}aK>tdu z3O(a70ngz`8oM6xi8O+hZA&cKY42{vYhD3R8f= zt_!cEI~#k(%FT&8I!(tOBC}(brB?H}u_Jz^-DKHJ&`;R+mT!8A0une72-MGsq^m0< z#nUu{uKgb_F?(r9r2IrY;O&2cKxSHjZ&j*G$)1dWibKp_|9SkMOsnNU=+T*UD6b_6 z7Vv-H>XrDv+u7dftoi>go+c(p*u7QacN~U%D`ooqlrZYJeqK1V71A0Jumm$JV@TCb z2(`vkYA4JZTi(^)lL`}HL}0g6BMzC#O45p#BTGw)*q9GdM+NabHK2yc$HJbx%>jud zo|eNvGK*mnS4y#1j?=}j5Xw4J8QqIc3$LDL>JfW3M7!QOp7C4_2&Ti_*NooOUe)g5o73ZiqmOU)4hof! 
z-gvAx0rkFB5s<9kga3c{;ppVx=v4lz@3bWG6p%kL>X!l4!s-ad#eyd7SlVVQ1Bei+ zii%|$fBjlR7WqCGvTsYzrZSVlnlg}vk0`C?(stwec^c1B_J6X~dd)DvqWr)9PQPsb zcebsy{eKrvEa7nAH2VP65hq~J%gpa0txy#5tDlG@;l+Gdc~BMIyUy> z^A38}c`7gO)BiwAS;eWFq7yXg)Q&`oEY0TEwC=KIF{uMR&sl)g9?iG8+UAQGX{EG~ zCYVYiRk1JY#>j6W?Z`;2Zsc`h(fbjYxgZY9RYOJvwW&8mCwqq#CvHjCxd`r!##p%jyHh^@wbSXX_kZu?$@u}#n;gIw=y^cJ!a&vwG|v}Q5vglz5@o@x zhrd^(ov#le{v(2PYqylZU#C6_RnR3GZTBIt(IxsLq9Pu?l!D2p3!@za^FB>ku>Sg8;^ptkMiB4Md!IN?4lt5uZ~t zjKiccxgdpBJbwQCNO}sZzLWA6mh3HUq6#xarpGL6R7hQ~0=qTc3GB+=l<6ai%}R<+Hzr(Y z7Lc!zm|%e>cnU>%ujsZYm*XU2L6JvYiBy{KLwp#kjWY6(x;bSIJ*Z-z0DY;~9$(Pk z%0T>JdRu!xR6CjqN%KsaHu+zrcbh^hud1&>9$Ms zMb#+cx&-niI>elxQ|8QtB;S{0bK^TV>z972`X7g3ORkg;-^vD9WdCpXx69{$d)>iW z|KG*4v9W=UqM&s`d?lU**h+c+O2mXl0_{;>N>#$aFfu*pfJdfMTVrHXKlDHVVo}f% zvX|u4J>t}hRA(wSm+8)sQ5!hl8WRuVGruY}9}lfE<|8ivhDXFx9oaYtq_DNAKOzA* zx<@GllsJ((2ED~IU}z^d&X_Pb$DY?tCWbf!oCq=nB&~DZOKu8T({v8fYZz1Jw^ufa z(4p4%K0X7)BL?W`;P?dX9==J{^Efssv=oyXHm8^gPmYDQZ&8?4`F~!T>Gj5#%m1Bj zcQELc;{R5^x6c2(ljo~}keQ2un?v+fIlHDb)y*OLEeW2bAvtpt5l_4c%pvM*W^W}& z>H9F!KH?JT7MsIDjm>;{L>yThCr@YDI#;>gH7l6QN^9W$p++ zw>D9?)7eDb!C(`0UgQ8U)#<4rGIw*E1Ajxi9x%c4_4KY{d2;F?m_&tT6(*&k*So>Y zj1P4e3I%p0rhogqS&yff=ju_>SWQPMJ{xg$6C5H+STo0j+t~XAm>mnu#5)>@i8(|H zcDVxKD%?)|7((Jw4A)%M5V<9#4rS!A}!O%qNHja!4^?x{Nr7loz|4 zs3pktA|dSMzF#C0ioeT+u_}G5p?fdW?=&oOg?bs^K_h|uyF;dkiPE1dVvx~3rnEr;5? 
z=$U5iw~`K|xzEwDhwU@8H^D&wUe--=f02ZZx4EpOV8hIwkSXx3J*&6<)As+{|M$zi zn!f)@#Lv+v>#pvGoEN_bzXyNca>(=_c~bDH;%?K&?98F(L6sOnFLFr`2OMS9SM5%F zkoI8;A`}Cd8Tt$<5fvMg&_%Co)hu<`C3XltmT1RH^P>@X9khy6~ua6 zfdP-avee8_Cy^~zXKUB2l$R4Augcx0nCBtb1bf9U^36+vHp5RN4)I8tuTYwk$pwT} zq*c+DTP1VkMdf}}1r=j4he+bCJlDea&yC9%1xovv0S%yDUC{X4t(M`-OVi#0VcJ_x zn05#0_o61z*v1$8Sl~moaa+`)O|sXc>|MM@8h<%Blmbgi6-si2|B1LD<5^OSBSG`U zl#xV&%Hj!SnDWZT z%=5MUt}w&ZC8jcSit{K;v(eC7Bnr`7afm9k4Hs(HhE?o4RTe7N3Z|z#@_o!^rx1)O zvw;UpVGm9?2PyL$657w@TfFBxR5<>DH*r{(M^IHP1@a+OEM|I*JrYz@&zN}LhY;ID%xapu3_DVOH3&adXF?qKiPc~# zCDwWjN#aO1ck0Wh8?7=?af{{@a4^f$JLhSL-b7AHadY)=1Gk_^nVC5kWqleE4-Muec7L9s?}O!snn>qgNh^*|I|w&p;Vqgp+cA!p(84! zP%l)FocJ~wGQC^AjL1w@6`)G@1S3z7QoquA9!f>U?Wzubls1z?M5fSe`F~}b%EuSa zgXw9OXmo0a(F-)1q37{ZzWDt*p@eT{PQ_4E>?s_$)!dG2L=v(LtG&Zt&@UXjP_ykz ze2C}yxXrEg=5M+A_pR|dH&l4{zq8zH&~x1tLlSotkzKr2(67tIB(UQXE+=#9 zKtM|T_E6#yH;YE7d7<58qBV(8PaqT_Z6FdvG~%rz=actOcIzs#)1>@T@$C_JB3e{i zJ5@QZ=)i%C8cANGClE5b3rC!R=h5@|V|AArtG95hCheCSs&@n3ujRBcr}CXzG|7~# z+6jLj_Ra!xk3_ev zefgWF7c^+j&a2x~og-|Yxr|1Evv%kgD$;^M{T*mhhj5z)0oVeZgYO}Md_Ol~RGsk> zYSpG*5lA;**|r z+twtIdQ~)(p2wT>J}rG zqwf4?BkssQCi)`ZyB%RbN8uqx)p5~fUHj6Ctq8A-2hD?534tsxbK%o(ND zZXJ^gaQ2pu#U&)I+FiraZ3I6?RV`8EQFSndK%f&T0dKlGIk_=s#KQi3-7FjV=@wW* zoz=fRp13|nzWF+TByna{{aWAK3cST!ATDL_Ei8i)!1J);U;!t@hh6@L(;G9uLJ`=t zu9+@$3y2>x>faXmFH4li${0h3v?BWM4=;k=H&*t63leB%T@5ux`EAZbrDx$R9+ha;aWfkKqTMn@s&&YDF^~La zznD+5i%DvYH(B9lzz$U1LzO)CdN$vxQ;B8OX`mvlG)c*M%e~0K<~F0AR~ox{K1nKE zF(y*Ju_v2N1s-*$$s8XKdj#{;9w{!Kvczg)8|osSZhx?e27Uc!wO_p`I|aH{Z)X#A zy011--;&i{Hq;wfo2awX-9)litNm){MKg6s-I2M|pFVy1)Oz=>wZD&k{(0z^G8A*s z)^5=&C&5|ml|HeDbfR6;qAMR_A%Ll6eWxx~FXc-z;J~ICaMj*94v5gwpu$5153J!z zq1dCT_jVc&9o4V6)W0Wo&5vK=S)2WofiEp>AdHiiQ(r*9V0 zPEWDxGH~N-*s8VD``H>OLocnq{``dgq!nvn4msU@wUFI)cRsL^Cw!e=D06WjrB_o& zMJk00_4Bf?6Kz_t4V46{Q^U&Y&_4sxRIbcu-c(AQ#u7!0cH_AJp`)gv^y2!a3L$MA zHohvdsW`opuD+C}Go5Q5tF)Dc=&mHSm>-i!QGebtbn4eY54O|1K%GJT@^t5|O|M~L zst|hAt)4o{t^?ejyNoXz*6`Jw1?*H2m@Z$Zilo@DDW3bt$`porbC;EY>>*p%t6E!h 
zKI^JeO|NH5a&BtQS7_*CV-U_P$i1q2hO~8cQ4O|zu5rqwpO;hhe7AJa^U`8G#2n!eqYo?0MR7x8B;&!FeIE#VhM-?CmHqvt-pcrh{QTWb{bWxNdw1c{CHi@B8?1L;Sci zHw$`w{PP;L8f z?B3^2=+DHR+;0X?z2?0};?8m!`S#ZF^?k16J8(#GqqPQxN0*D$yrf3??Ggr4KIpmB zuT6BCuGU-qzLt0$^>1yL2%vl>GAFVc46R$Rs5UDA73|TXkPHc&Br1%+gU_I!Zx>d4 z<d7RII>kNm{6Q$L$^TKL&6sSLD{7stSxjl4?6-8b6%>&~_OmdK-T2p2vu zOlxud7;*i2ISbm0xB!OsJ|0x=NnCAvbpC#3ahc*Aq>|veyJ&LRM#$}Y&NU5Ij5@Cx z4GszDU(PmAjgO+TMD~(=k8E&rgjpq^rGCQdEd;J8{(O^q4|UaV%>h!mRaW7}KjSE9 zq2L?FPdeQS924R=5FBeCusnMmUCG_UTUF*Jp1M`fCp~IYEs>7afgh?UaLq5P#ewcp ziH|R8y7Ea-^EOV&EA=3#P%@=lyH@>P<;^1~Z{4ex=jG6Doh21So~J^uX;?dd(zV{u z!X7Yjl7uIllI7w%0dX~VWT8@5!DmTmQ6bk%zpv5&gTMi%JPdQ}(VQUEfrAf)=wDVC zVjJohO~sNcqi_LX2+ms)R44S1tdOOHPsvZiJeHg9mJ2Y|C#5OCkHD>Lr`G(4Ox=BW zHRi3!Cs;bxwK=mz)vsCjG+Ag8IAltkC_B=9RZ%GFByI-41->99E=-Tv6*CVTgiF=k z$i|%Ei+NeCfBDM<^U1$pru6sdKVXaD%k4oEiRAABEv__mUt?ZP1kC}w(1@sqWxEL$ zoyB>5C@SPNtFA+GRIwnPYt4X16RN!5lbg#O%q$+nds3Tfh3^ZE?7Ix7#y?2!oF)le zg}P7m)LG(b9ml^={l0Rv<{HPW5-MMDa?P}{dAm#h_#^2#-k&o_Z4h>WXozby35X`R z;$}-+3x^hn4E@wxMz`F+P5T3dVXGJIp_+IyDv@PH+9g<(amU=dllyi+uZBx|D6Rgh9H>9%1HDRi zVEIgLr(fw@-*vq`FS7ML9Lin&$m|1(R4q)ST5UhAEFtcGv**S)Q8xrV9@&!QH{KrU zqAa%q_c1qX0$ffw7NhH}xZHEcTX9d}V8)}qI?X3Ra;jkP9bTSRtIqE*Mt55mzbw3l zsC+?O?cfiDSF`TA>?>^*u-+cY3bGM%!XRleaY2bSduij8DFJYA4Bu+Od#p!mIjnnnMqc~j! 
z1&=5qR}AkEX(Kj8+oYHANYbevRD^9Iiu2L4M}*|%B4$V65-!*bDgT3`QUq-sHp@K^ zCv3J(Utd0b{bdD?#p&z4L8c$q>Fa2nzMhn<)7R^CXE}ZSvD}<+SNZD=_bIGX*o$f7 zuliOKmFSyfipzXU$?LEBod=q{Zp2L`;Yym6Aaw>BEhe`o;NwgL_IC8^& z;M^XMDHMB){6$UrXmz}*SGpF-nM&#wLLFi`Zw-<&)~2BGJG0O%B=%X(ag4QZQQ{>t zI!#zRPdVlwXNGpH{Fi)5uTYYm{5A)EzJ;G}kuQm(%%79lNV$}0tKSy(*2!_!cJ6bh zoBPu3=f7kDM{~!?!xdi>P{jYAR4EGcmy^ACArnFK9-@z+WTAQ=OZQ-UDlNPb#muoR zOH;KuO({gl67wA3>{wuZ_S-bBjAsw=2_TxP8Mb^H5JB129}#f1IPDqsy>BswWm(pC zzpwsVmR0`W>23F(b^3$uV5esdc6OdwoxzUPdxorUG5De<;sUd0){Vz1PwtUC>1q#+ zjhF(Et#iIT4;(Hkv`K9#Yrx#t=#!GOSjn!gyIAMb*)`YR9l%L)JmF~sw%e` zQ8FOw6RAE?p--t`he&U?8VIS|t%v9!X`y^;bcn^oKuFzv7vHy}a&=617@!7 fA~5fp<<`&oSwHLNK|KE(00960kEs*r0Qdj^cXM}k literal 0 HcmV?d00001 diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/Chart.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/Chart.yaml new file mode 100644 index 0000000000..d0c749949e --- /dev/null +++ b/charts/neuvector-monitor/102.0.6+up2.6.6/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector Monitor + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector-monitor + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.6.6 +apiVersion: v1 +appVersion: 5.2.4 +description: Helm feature chart for NeuVector monitor services +home: https://neuvector.com +icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 +keywords: +- security +maintainers: +- email: support@neuvector.com + name: becitsthere +name: neuvector-monitor +sources: +- https://github.com/neuvector/neuvector +version: 102.0.6+up2.6.6 
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/README.md b/charts/neuvector-monitor/102.0.6+up2.6.6/README.md
new file mode 100644
index 0000000000..71578fef17
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/README.md
@@ -0,0 +1,22 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector's monitoring services.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`registry` | NeuVector container registry | `registry.neuvector.com` |
+`oem` | OEM release name | `nil` |
+`leastPrivilege` | Assume monitor chart is always installed after the core chart, so service accounts created by the core chart will be used. Keep this value as same as in the core chart. | `false` |
+`exporter.enabled` | If true, create Prometheus exporter | `false` |
+`exporter.image.repository` | exporter image name | `neuvector/prometheus-exporter` |
+`exporter.image.tag` | exporter image tag | `latest` |
+`exporter.ctrlSercretName` | existing secret that have CTRL_USERNAME and CTRL_PASSWORD fields to login to the controller. | `nil` | if parameter exists then `exporter.CTRL_USERNAME` & `exporter.CTRL_PASSWORD` will be skipped
+`exporter.CTRL_USERNAME` | Username to login to the controller. Suggest to replace the default admin user to a read-only user | `admin` |
+`exporter.CTRL_PASSWORD` | Password to login to the controller. | `admin` |
+
+---
+
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/app-readme.md b/charts/neuvector-monitor/102.0.6+up2.6.6/app-readme.md
new file mode 100644
index 0000000000..e0faed5b50
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/app-readme.md
@@ -0,0 +1,5 @@ +### Run-Time Protection Without Compromise + +NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform. + +Helm chart for NeuVector's monitoring services. Please make sure REST API service for controller in core chart is enabled. diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/dashboards/nv_dashboard.json b/charts/neuvector-monitor/102.0.6+up2.6.6/dashboards/nv_dashboard.json new file mode 100644 index 0000000000..ad7ce631be --- /dev/null +++ b/charts/neuvector-monitor/102.0.6+up2.6.6/dashboards/nv_dashboard.json @@ -0,0 +1,1828 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "gridPos": { + "h": 10, + "w": 3, + "x": 0, + "y": 0 + }, + "id": 38, + "options": { + "content": "
\n \n ![NeuVector Logo](https://avatars.githubusercontent.com/u/19367275?s=200&v=4)
\n
\n [Documentation](https://open-docs.neuvector.com)
\n
\n [Users Slack Channel](https://rancher-users.slack.com/archives/C036F6JDZ8C)
\n
\n [GitHub](https://github.com/neuvector)\n\n
", + "mode": "markdown" + }, + "pluginVersion": "9.1.5", + "title": "NeuVector Product Links", + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 3, + "y": 0 + }, + "id": 25, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_enforcers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Enforcer Replica Count", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 3, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 6, + "y": 0 + }, + "id": 8, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": 
"", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_cvedbVersion", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "CVE Database Version", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 9, + "y": 0 + }, + "id": 20, + "links": [], + "maxDataPoints": 1000, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_pods", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Discovered Pod Count", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": 
false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 34, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": true, + "expr": "max(nv_controller_cpu) by (display)\n", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "range": true, + "refId": "A" + } + ], + "title": "Controller CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 3, + "y": 3 + }, + "id": 32, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + 
}, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_admission_denied", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Denied Admissions", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-RdYlGr" + }, + "mappings": [ + { + "options": { + "1": { + "color": "light-orange", + "index": 1 + }, + "2": { + "color": "yellow", + "index": 2 + }, + "3": { + "color": "green", + "index": 3 + } + }, + "type": "value" + }, + { + "options": { + "match": "null", + "result": { + "index": 0, + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 6, + "y": 3 + }, + "id": 2, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_controllers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Controller Replicas", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + 
"text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 9, + "y": 3 + }, + "id": 19, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "value" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_disconnectedEnforcers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Disconnected Enforcers", + "type": "stat" + }, + { + "columns": [ + { + "text": "Current", + "value": "current" + } + ], + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "displayMode": "auto", + "filterable": false, + "inspect": false, + "width": 300 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "string" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "log" + }, + "properties": [ + { + "id": "custom.width", + "value": 101 + }, + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "color", + "value": { + "fixedColor": "light-orange", + "mode": "fixed" + } + }, + { + "id": "displayName", + "value": "Event Type" + }, + { + "id": "custom.filterable", + "value": true + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "name" + }, + "properties": [ + { + "id": 
"custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Violation Type" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Last seen" + }, + "properties": [ + { + "id": "unit", + "value": "dateTimeAsIso" + }, + { + "id": "custom.width", + "value": 200 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fromname" + }, + "properties": [ + { + "id": "displayName", + "value": "Source Pod" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "toname" + }, + "properties": [ + { + "id": "displayName", + "value": "Destination Pod" + } + ] + } + ] + }, + "fontSize": "90%", + "gridPos": { + "h": 8, + "w": 9, + "x": 3, + "y": 6 + }, + "id": 29, + "links": [], + "options": { + "footer": { + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [ + { + "desc": true, + "displayName": "Last seen" + } + ] + }, + "pluginVersion": "9.1.5", + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "Event", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm", + "decimals": 2, + "link": false, + "mappingType": 1, + "pattern": "Metric", + "preserveFormat": false, + "sanitize": true, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "Time", + "colorMode": "value", + "colors": [ + "#E0B400", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 0, + "pattern": "Current", + "thresholds": [], + "type": "number", + "unit": "dateTimeAsIso" + } + ], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": false, + "expr": "nv_log_events", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "range": false, + "refId": "A" + } + ], + "title": "Security 
Event Log", + "transform": "timeseries_aggregations", + "transformations": [ + { + "id": "labelsToFields", + "options": {} + }, + { + "id": "merge", + "options": {} + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true, + "endpoint": true, + "fromns": true, + "id": true, + "instance": true, + "job": true, + "namespace": true, + "pod": true, + "service": true, + "target": true, + "tons": true + }, + "indexByName": { + "Time": 0, + "Value": 14, + "endpoint": 1, + "fromname": 7, + "fromns": 15, + "id": 2, + "instance": 3, + "job": 4, + "log": 5, + "name": 6, + "namespace": 8, + "pod": 9, + "service": 10, + "target": 11, + "toname": 12, + "tons": 13 + }, + "renameByName": {} + } + }, + { + "id": "groupBy", + "options": { + "fields": { + "Value": { + "aggregations": [ + "max" + ], + "operation": "aggregate" + }, + "fromname": { + "aggregations": [], + "operation": "groupby" + }, + "log": { + "aggregations": [], + "operation": "groupby" + }, + "name": { + "aggregations": [], + "operation": "groupby" + }, + "toname": { + "aggregations": [], + "operation": "groupby" + } + } + } + }, + { + "id": "organize", + "options": { + "excludeByName": {}, + "indexByName": {}, + "renameByName": { + "Value (lastNotNull)": "Last seen", + "Value (max)": "Last seen" + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + 
"thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 6 + }, + "id": 12, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": true, + "expr": "max(nv_controller_memory) by (display)", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "range": true, + "refId": "A" + } + ], + "title": "Controller Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "color", + "value": { + "fixedColor": "light-orange", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 14, + "w": 3, + "x": 0, + "y": 10 + }, + "id": 24, + "links": [], + "options": { + "displayLabels": [ + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", + 
"reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "none", + "sort": "none" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_container_vulnerabilityHigh) by (service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_container_vulnerabilityMedium) by (service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster CVE Count", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "piechart" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fill": 0, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 12 + }, + "hiddenSeries": false, + "id": 10, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.5", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "max(nv_enforcer_cpu) by (display)\n", + "format": "time_series", + "interval": "", + 
"intervalFactor": 1, + "legendFormat": "{{display}}", + "refId": "A" + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Enforcer CPU Usage", + "tooltip": { + "shared": true, + "sort": 2, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:865", + "format": "percentunit", + "logBase": 1, + "show": true + }, + { + "$$hashKey": "object:866", + "format": "short", + "logBase": 1, + "show": true + } + ], + "yaxis": { + "align": false + } + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "displayMode": "auto", + "inspect": false, + "width": 101 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "exported_service" + }, + "properties": [ + { + "id": "custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Cluster Service Name" + }, + { + "id": "custom.inspect", + "value": true + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + { + "id": "custom.displayMode", + "value": "color-text" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "light-orange", + "value": 1 + } + ] + } + } + ] + }, + { + 
"matcher": { + "id": "byName", + "options": "exported_service" + }, + "properties": [ + { + "id": "custom.width", + "value": 300 + }, + { + "id": "custom.align", + "value": "right" + }, + { + "id": "displayName", + "value": "Cluster Service Name" + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 4, + "x": 3, + "y": 14 + }, + "id": 36, + "links": [], + "options": { + "footer": { + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "expr": "sum(nv_container_vulnerabilityHigh) by (exported_service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "expr": "sum(nv_container_vulnerabilityMedium) by (exported_service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Vulnerabilities by Service", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "displayMode": "auto", + "filterable": false, + "inspect": false, + "minWidth": 50 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "name" + }, + "properties": [ + { + "id": "unit", + "value": "string" + }, + { + "id": 
"custom.align", + "value": "right" + }, + { + "id": "custom.inspect", + "value": true + }, + { + "id": "custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Repository/Image: Tag" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "color" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "light-orange", + "value": 1 + } + ] + } + }, + { + "id": "color" + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 5, + "x": 7, + "y": 14 + }, + "id": 33, + "links": [], + "options": { + "footer": { + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_image_vulnerabilityHigh) by (name)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_image_vulnerabilityMedium) by (name)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Registry Images Vulnerabilities", + "transformations": [ + { + "id": 
"merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fill": 0, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 18 + }, + "hiddenSeries": false, + "id": 35, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.5", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "max(nv_enforcer_memory) by (display)", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "refId": "A" + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Enforcer Memory Usage", + "tooltip": { + "shared": true, + "sort": 2, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:940", + "format": "bytes", + "logBase": 1, + "show": true + }, + { + "$$hashKey": "object:941", + "format": "short", + "logBase": 1, + "show": true + } + ], + "yaxis": { + "align": false + } + } + ], + "refresh": "15s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "hidden": false, + "refresh_intervals": [ + "5s", + 
"10s", + "15s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "UTC", + "title": "NeuVector", + "uid": "nv_dashboard0001", + "version": 2, + "weekStart": "" +} diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/questions.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/questions.yaml new file mode 100644 index 0000000000..b8d51b3791 --- /dev/null +++ b/charts/neuvector-monitor/102.0.6+up2.6.6/questions.yaml @@ -0,0 +1,27 @@ +questions: +#monitor configurations +- variable: exporter.image.repository + default: "neuvector/prometheus-exporter" + description: exporter image repository + type: string + label: Exporter Image Path + group: "Container Images" +- variable: exporter.image.tag + default: "" + description: image tag for exporter + type: string + label: exporter Image Tag + group: "Container Images" +#controller crendential configuration +- variable: exporter.CTRL_USERNAME + default: "admin" + description: Controller Username + type: string + label: Controller Username + group: "Controller Crendential" +- variable: exporter.CTRL_PASSWORD + default: "admin" + description: Controller Password + type: string + label: Controller Password + group: "Controller Crendential" diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/templates/_helpers.tpl b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/_helpers.tpl new file mode 100644 index 0000000000..5d21a18241 --- /dev/null +++ b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/_helpers.tpl 
@@ -0,0 +1,40 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/templates/dashboard.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/dashboard.yaml
new file mode 100644
index 0000000000..72c5d9f709
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/dashboard.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.exporter.grafanaDashboard.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nv-grafana-dashboard
+ namespace: {{ .Values.exporter.grafanaDashboard.namespace | default .Release.Namespace }}
+ labels:
+ grafana_dashboard: "1"
+{{- if .Values.exporter.grafanaDashboard.labels }}
+ {{- toYaml .Values.exporter.grafanaDashboard.labels | nindent 4}}
+{{- end }}
+data:
+ nv_dashboard.json: |
+{{ .Files.Get "dashboards/nv_dashboard.json" | indent 4 }}
+{{- end }}
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-deployment.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-deployment.yaml
new file mode 100644
index 0000000000..23f9bfadf5
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-deployment.yaml
@@ -0,0 +1,60 @@
+{{- if .Values.exporter.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: neuvector-prometheus-exporter-pod
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: neuvector-prometheus-exporter-pod
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "8068"
+ prometheus.io/scrape: "true"
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ labels:
+ app: neuvector-prometheus-exporter-pod
+ release: {{ .Release.Name }}
+ spec:
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets }}
+ {{- end }}
+ {{- if .Values.leastPrivilege }}
+ serviceAccountName: basic
+ serviceAccount: basic
+ {{- end }}
+ containers:
+ - name: neuvector-prometheus-exporter-pod
+ {{ if eq .Values.registry "registry.neuvector.com" }}
+ {{ if .Values.oem }}
+ image: "{{ .Values.registry }}/{{ .Values.oem }}/prometheus-exporter:{{ .Values.exporter.image.tag }}"
+ {{- else }}
+ image: "{{ .Values.registry }}/prometheus-exporter:{{ .Values.exporter.image.tag }}"
+ {{- end }}
+ {{- else }}
+ image: {{ template "system_default_registry" . }}{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
+ {{- end }}
+ imagePullPolicy: Always
+ env:
+ - name: CTRL_API_SERVICE
+ value: {{ .Values.exporter.apiSvc }}
+ - name: EXPORTER_PORT
+ value: "8068"
+ envFrom:
+ - secretRef:
+ {{- if .Values.exporter.ctrlSercretName }}
+ name: {{ .Values.exporter.ctrlSercretName }}
+ {{ else }}
+ name: neuvector-prometheus-exporter-pod-secret
+ {{- end }}
+ restartPolicy: Always
+{{- end }}
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-service.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-service.yaml
new file mode 100644
index 0000000000..b304562709
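Review bot: The pod spec sets no `securityContext` and leaves the service-account token mounted, so the exporter container runs with whatever defaults the image and cluster give it while holding the controller credentials injected through `envFrom`. From the visible env (`CTRL_API_SERVICE`, `EXPORTER_PORT`) the exporter appears to talk only to the controller REST API, so `automountServiceAccountToken: false` plus a restrictive container `securityContext` looks safe, though `runAsNonRoot` has to be confirmed against the image first. Resource requests and limits are absent as well. If this chart is a straight forward-port, the change may belong upstream.

```yaml
      # … unchanged: imagePullSecrets, serviceAccountName …
      automountServiceAccountToken: false
      containers:
        - name: neuvector-prometheus-exporter-pod
          # … unchanged: image, imagePullPolicy, env, envFrom …
          securityContext:
            allowPrivilegeEscalation: false
            # confirm the image runs as a non-root user before enabling
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
```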
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-service.yaml
@@ -0,0 +1,28 @@
+{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-prometheus-exporter
+ namespace: {{ .Release.Namespace }}
+ {{- with .Values.exporter.svc.annotations }}
+ annotations:
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ app: neuvector-prometheus-exporter
+spec:
+ type: {{ .Values.exporter.svc.type }}
+ {{- if and .Values.exporter.svc.loadBalancerIP (eq .Values.exporter.svc.type "LoadBalancer") }}
+ loadBalancerIP: {{ .Values.exporter.svc.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - port: 8068
+ name: metrics
+ targetPort: 8068
+ protocol: TCP
+ selector:
+ app: neuvector-prometheus-exporter-pod
+{{- end }}
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-servicemonitor.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-servicemonitor.yaml
new file mode 100644
index 0000000000..25ca23d121
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-servicemonitor.yaml
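Review bot: `type: {{ .Values.exporter.svc.type }}` accepts `LoadBalancer` or `NodePort`, and nothing visible in this chart puts authentication in front of port 8068, so that setting would publish the exporter's vulnerability counts and security-event metrics (the series the bundled dashboard queries) outside the cluster. I would add a `loadBalancerSourceRanges` value rendered inside the existing `LoadBalancer` condition, e.g. `loadBalancerSourceRanges: {{ toYaml .Values.exporter.svc.loadBalancerSourceRanges | nindent 4 }}`, and say in values.yaml that `ClusterIP` is the intended exposure. `spec.loadBalancerIP` is also deprecated in current Kubernetes releases, so the provider annotation is the longer-lived option.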
@@ -0,0 +1,39 @@
+{{- if .Values.exporter.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: neuvector-prometheus-exporter
+ namespace: {{ .Release.Namespace }}
+ {{- with .Values.exporter.serviceMonitor.annotations }}
+ annotations:
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- if .Values.exporter.serviceMonitor.labels }}
+ {{- toYaml .Values.exporter.serviceMonitor.labels | nindent 4}}
+{{- end }}
+spec:
+ selector:
+ matchLabels:
+ app: neuvector-prometheus-exporter
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ endpoints:
+ - port: metrics
+ {{- if .Values.exporter.serviceMonitor.interval }}
+ interval: {{ .Values.exporter.serviceMonitor.interval }}
+ {{- end }}
+ path: "/metrics"
+ {{- if .Values.exporter.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml .Values.exporter.serviceMonitor.metricRelabelings | nindent 6 }}
+ {{- end }}
+ {{- if .Values.exporter.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml .Values.exporter.serviceMonitor.relabelings | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/templates/secret.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/secret.yaml
new file mode 100644
index 0000000000..ada088b03b
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/templates/secret.yaml
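Review bot: The guard `{{- if .Values.exporter.serviceMonitor.enabled -}}` does not check that the Service it selects is rendered. With `exporter.enabled` or `exporter.svc.enabled` set to false the ServiceMonitor is still created and matches nothing, so scraping of the NeuVector metrics stops without any error at install time. Suggest `{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled .Values.exporter.serviceMonitor.enabled -}}`, which mirrors the condition used in exporter-service.yaml.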
@@ -0,0 +1,15 @@
+{{- if and (.Values.exporter.enabled) (not .Values.exporter.ctrlSercretName) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: neuvector-prometheus-exporter-pod-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+type: Opaque
+data:
+ CTRL_USERNAME: {{ .Values.exporter.CTRL_USERNAME | b64enc | quote }}
+ CTRL_PASSWORD: {{ .Values.exporter.CTRL_PASSWORD | b64enc | quote }}
+{{- end }}
diff --git a/charts/neuvector-monitor/102.0.6+up2.6.6/values.yaml b/charts/neuvector-monitor/102.0.6+up2.6.6/values.yaml
new file mode 100644
index 0000000000..1dfa4cf54f
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.6+up2.6.6/values.yaml
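Review bot: `CTRL_USERNAME` and `CTRL_PASSWORD` are taken straight from values, and both values.yaml and questions.yaml in this patch default them to `admin`/`admin`, so an install that accepts the defaults stores a well-known controller login in this Secret; the values.yaml comment asks for a read-only user but nothing enforces it. I would default both values to `""` and fail the render when no `exporter.ctrlSercretName` is supplied, e.g. `CTRL_PASSWORD: {{ required "set exporter.CTRL_PASSWORD or exporter.ctrlSercretName" .Values.exporter.CTRL_PASSWORD | toString | b64enc | quote }}`, with the same for the username. The `toString` also keeps `b64enc` from failing on an all-digit password. In questions.yaml the password question should be `type: password` so the UI masks the value.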
@@ -0,0 +1,52 @@
+# Default values for neuvector.
+# This is a YAML-formatted file.
+# Declare variables to be passed into the templates.
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+
+registry: docker.io
+oem: ''
+leastPrivilege: false
+
+exporter:
+ # If false, exporter will not be installed
+ enabled: true
+ image:
+ repository: rancher/mirrored-neuvector-prometheus-exporter
+ tag: 5.2.4
+ # changes this to a readonly user !
+ CTRL_USERNAME: admin
+ CTRL_PASSWORD: admin
+ ctrlSercretName: ''
+
+ apiSvc: neuvector-svc-controller-api:10443
+
+ svc:
+ enabled: true
+ type: ClusterIP
+ loadBalancerIP: ''
+ annotations: {}
+ # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+ # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
+
+ grafanaDashboard:
+ enabled: false
+ namespace: "" # Release namespace, if empty
+ labels: {}
+
+ serviceMonitor:
+ enabled: false
+ # labels for the ServiceMonitor.
+ labels: {}
+ # annotations for the ServiceMonitor.
+ annotations: {}
+ # Scrape interval. If not set, the Prometheus default scrape interval is used.
+ interval: ""
+ # MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ metricRelabelings: []
+ # RelabelConfigs to apply to samples before scraping
+ # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ relabelings: []
diff --git a/index.yaml b/index.yaml
index 3d291fea47..8f21d2cfc2 100755
--- a/index.yaml
+++ b/index.yaml
@@ -5497,6 +5497,36 @@ entries: urls: - assets/neuvector-monitor/neuvector-monitor-103.0.0+up2.6.4.tgz version: 103.0.0+up2.6.4 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector Monitor + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector-monitor + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.6.6 + apiVersion: v1 + appVersion: 5.2.4 + created: "2023-12-04T13:10:54.319704-03:00" + description: Helm feature chart for NeuVector monitor services + digest: acea2d95b773e92edfaac066a264f64e66b6e49b65d6abec5abcbc8b743c78ae + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-monitor + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector-monitor/neuvector-monitor-102.0.6+up2.6.6.tgz + version: 102.0.6+up2.6.6 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: NeuVector Monitor diff --git a/release.yaml b/release.yaml index dcd5c688ac..ce5eb2d87d 100644 --- a/release.yaml +++ b/release.yaml @@ -2,3 +2,5 @@ neuvector: - 102.0.6+up2.6.6 neuvector-crd: - 102.0.6+up2.6.6 +neuvector-monitor: + - 102.0.6+up2.6.6 From 4cf9225c8110871f7dbf1049aded8519e5a47055 Mon Sep 17 00:00:00 2001 
From: Lucas Lopes Date: Mon, 4 Dec 2023 13:12:25 -0300 Subject: [PATCH 05/10] make forward-port longhorn 102.3.1+up1.5.3 --- assets/longhorn/longhorn-102.3.1+up1.5.3.tgz | Bin 0 -> 24962 bytes charts/longhorn/102.3.1+up1.5.3/.helmignore | 21 + charts/longhorn/102.3.1+up1.5.3/Chart.yaml | 40 + charts/longhorn/102.3.1+up1.5.3/README.md | 49 + charts/longhorn/102.3.1+up1.5.3/app-readme.md | 27 + .../longhorn/102.3.1+up1.5.3/questions.yaml | 890 ++++++++++++++++++ .../102.3.1+up1.5.3/templates/NOTES.txt | 5 + .../102.3.1+up1.5.3/templates/_helpers.tpl | 66 ++ .../templates/clusterrole.yaml | 61 ++ .../templates/clusterrolebinding.yaml | 27 + .../templates/daemonset-sa.yaml | 151 +++ .../templates/default-setting.yaml | 83 ++ .../templates/deployment-driver.yaml | 118 +++ .../templates/deployment-ui.yaml | 114 +++ .../102.3.1+up1.5.3/templates/ingress.yaml | 48 + ...king-image-data-source-network-policy.yaml | 27 + .../backing-image-manager-network-policy.yaml | 27 + .../instance-manager-networking.yaml | 27 + .../manager-network-policy.yaml | 35 + .../recovery-backend-network-policy.yaml | 17 + .../ui-frontend-network-policy.yaml | 46 + .../webhook-network-policy.yaml | 33 + .../templates/postupgrade-job.yaml | 56 ++ .../templates/preupgrade-job.yaml | 58 ++ .../102.3.1+up1.5.3/templates/psp.yaml | 66 ++ .../templates/registry-secret.yaml | 13 + .../templates/serviceaccount.yaml | 21 + .../102.3.1+up1.5.3/templates/services.yaml | 74 ++ .../templates/storageclass.yaml | 44 + .../templates/tls-secrets.yaml | 16 + .../templates/uninstall-job.yaml | 57 ++ .../102.3.1+up1.5.3/templates/userroles.yaml | 53 ++ .../templates/validate-install-crd.yaml | 34 + .../templates/validate-psp-install.yaml | 7 + charts/longhorn/102.3.1+up1.5.3/values.yaml | 296 ++++++ index.yaml | 44 + release.yaml | 2 + 37 files changed, 2753 insertions(+) create mode 100644 assets/longhorn/longhorn-102.3.1+up1.5.3.tgz create mode 100644 charts/longhorn/102.3.1+up1.5.3/.helmignore create mode 100644 
charts/longhorn/102.3.1+up1.5.3/Chart.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/README.md create mode 100644 charts/longhorn/102.3.1+up1.5.3/app-readme.md create mode 100644 charts/longhorn/102.3.1+up1.5.3/questions.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/NOTES.txt create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/_helpers.tpl create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/clusterrole.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/clusterrolebinding.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/daemonset-sa.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/default-setting.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/deployment-driver.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/deployment-ui.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/ingress.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-data-source-network-policy.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-manager-network-policy.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/network-policies/instance-manager-networking.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/network-policies/manager-network-policy.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/network-policies/recovery-backend-network-policy.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/network-policies/ui-frontend-network-policy.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/network-policies/webhook-network-policy.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/postupgrade-job.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/preupgrade-job.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/psp.yaml create mode 100644 
charts/longhorn/102.3.1+up1.5.3/templates/registry-secret.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/serviceaccount.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/services.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/storageclass.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/tls-secrets.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/uninstall-job.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/userroles.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/validate-install-crd.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/templates/validate-psp-install.yaml create mode 100644 charts/longhorn/102.3.1+up1.5.3/values.yaml 
diff --git a/assets/longhorn/longhorn-102.3.1+up1.5.3.tgz b/assets/longhorn/longhorn-102.3.1+up1.5.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..4a27ca14dfd262a32b533b73b604719bfbee8b75 GIT binary patch literal 24962 zcmV)~KzhF)iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ%b{jXcFgkxXp8}iCEZZ72b+tXCy))}5l9Fg*%Uq(ItoS#RjW^M9vPb>H7Q1mN6bgl^LRBHv%9;y`~2__{@>l*t^U9N?8V-n_70!zzj(HP@O<~hpLX{Sb`M_s3GHqi zl7=Uj3X4DO-np;p;Qk;FW{fMWC};AhgHVhWPWiYOW2I8kqkISFibs@5h12v1IdX|& zk$gSHDxNe}iiuEkL`ial1ZMGsh{j?Gm05~s5yMk*gkIXV8;f4&LlWH(At`4^=<(mb zMti;ez20uL`?#^ZZc=7ACIQTHCKZ`B7SD*7QY9lUk5Eck{$cx;vV`Bt=F)=S(1gfn zd?SkX^_QEyAyIg*v6jU|c@+D-7kUurztMj0ukFJTBqdl9i>Y)TrqnDWM<`BnsfdUa z=V@cHJd;WgJT1W4>pklobZ|z0bZ>6;7C( zfp2@JcrJ;EIa7ows2Q_(w1b7Z<>Gp0iZvGWguN%Rl0~z+wVjx!T=;j9eiy;JUdG0q zYcjj#B9TX(sK9vSM%0PI(RLy;Uj3Hb&{%(_GM2OxAvTg7O};+{^Ij0|6jP=!Wkf(n zWQu8ego3yKPe5NCgvx6rEZC_Khvd143ADNtf|n~65jLibEL$2l2a8EG#SD*$Shk*= zV6k$g6^rL|*^-J#B^MMP;`o}faYUzhTtHr|uHF6KL2vIbd1hA8muCF-@!;R!G$-=2 z2mtf<|NZ^F-NWkszyJJU|G$^#5jrI!oTmyI0ss!}IZo#hx|&dFnEU@6zj_&sxR_$4 z`TK~bL>D+Eaf$^&H&{?SOo>E_qai^VmXaihGR4u1=K?7*%~A|(f1L6mPOZS9QlkGt zc8{>|T#~V7ud^f6?ZQ{PA)lCy&D22X5jtbKSEMwYiX)t+{I=kaiX)LT#2Hc(f-cP# zj1rQid`1%VlWEj#m$p#?O(sWZgi}d;Pggu80xN=EY6$@`o)DyYud*eS`R-&X{Y2=R z=phvQE|*>V4H=Xlp)N=q#cMJekyss}?gbyj6O!a9DL(Q{_rb*x>Yn{G$7$DtHy|mA zRREl{pY-46Blmbi=(^a30jw$GQxHF|fa6yvDRir$s?z;|IV=s^C-*&rMyK%Q&HMgGAwHwZ9 zOPfwGcy&j}YXU}dcOXyPwXd>J(%g|11I{%Ktl3|)B+)XiJj=LH-{dSw$q!Vm+Lx^# z4WWVPnyOMqyS?4s{tL~grKJI^6xOY++EFZNRo1+UeSZYD~gok+NbN?n3h*D>u%`rCTru~jP*?;4g2XL7=oTCee- zdZ~lwy?u+Ul->|Vr0femT%Bv#%9*ZQLCxP_1X-S@z;|ay=zMg+RbLQEnCf&S5n6-N zT{^~N*sI<8&-;Ed`&_6a#PU?@xFsGqzlIelQjU{vaH`pdIPW*U9)J>ciP=~){%*I^ z$+Sc-6=4QMyPch+Sjr=$L{5sA-^wchgM3hj#oJfcBiY9SPo?cKY~qq+DUI<7&zU+x z2gTP@tnf=7RUhz zQCb_e-^hoI#EK**6B1v`d}`iXtX$MYn^O1ak;4=k&RiX{e7tM`Qy|Ec-;jY_6!J9J z$oQ6~#E2JHf=-VR9Wzbm=n?8#DWQwFKwUQ(-2nfc2}!4YLEdCzffEA26Y&o|EXf!^ 
zE*;BTwUCk$b;-FprNRu;am+GV=q~}ctADhtqy8aS_SKJ_vS0?nke=Nmsn#U(UU4m)2xZV zkJY61vRDyj*f694AE{%e=<#SoS@q*_uDD&?7A3}>^ZJH}zQZYH<315FVM>#ASnL&L zbc$0i61Eh(B$|tnr1<gB`SafMKL*c|p_ual4_uOAG^q{ z{z2LJH9O%V;mpu$iN^j9XQY`3K?32otj`nZopR4^%JJ5 zJhd@r8vBGf(zztVoTi!rHGBbbi;`x{h8!*p71WE{fnO4{G=L%F{_sv=U8B-2uaS%s?16MjVV!RomLLfP|6smM4Y)DK$qhp zn_zbAD6$}Uv$!velIpmCF2TkpoQ#-U_vlBQPr3KzC?3BTz zWP;vcMZ7u7?|b2%X|;&i8Ao;?aIaqz!;*Ig}h(yT{$Cm5bRL4z?; zhPX(G2nKuga^TL<%H!6wpUUz;!&AA2w$ubGXi3Xpge7i&K({na(U54-o`L>_utHj4 zM2Ck5us6lI0F{NXq|)d42wYR`=S|E6H{MJ2=m1;DBDou z%{dy*P%bGO!|xH-Vx0ap%F`4YKp#KqiT(8HFCRbZ-=Fka%)n%_{~7nHt?rZ zD#S-9<5JRaSp|@8qYONtkR+A^2r_E)94h*E%OujG`iGri%7@M&DB-c(37YRslK{5! zk)G}vAqDHqEx__%4RJ<8Pn}&|v1>4eor;Rnbf!sM64eO>6T@n%2eYN6euQ8sP30V7>_}P+DEo*79L((Vnh)4N12B#{oks{(Y~j0y{#)-f`_H!ZxPg$Y z4~6A>67_k426{zMHABW8gm5yYpoeP)uLMt1BDQtoGT4CLX$pP^qQit{h5u$IGjuzl z@x(fLXw{mgWK5Dmn#gzpZ2-Y_3@H6U-)|IpuggeGM>E84h!7gL-dA)RN%&^hsHX!- zMtKTYHMHU&f)$VtBQqaXDxpg6i)LDU%Z@BStf@GpzU%m6uPsRCr0Ed~R4~5^d9#A$ zHA#(k*+Z|vK@+FF4zB2N?ttw$j={QYd>mSPayv6N#VagJH~6J}m>!<>AMgL?y|Z>M zUSFLJdg_DPR38ic|920b?N|K&4xb$yKKTFL#}oQ*Gk%M#r$0%YsBgLYe|9={tGUHg zX~~V;qA6v$vOa@w^jWZ_!tD#mTyt!RP6p@J@lNY(avK>FDgryZ+y>_9OzDoTIcGx3 zsG>NfzmcTZ>HJ6~RY>nS36FE#n)OXnULXve@fC#cAJ%)-Gr0pE*t;7zyDl1JHY&pNMH4$}8Q69)?6i z5@W6RNIoT@unPkoQIaO+&?Kc(s)&`5s66XXnq-smw=zd$zmV4H{h^Xrr8UQKid|zjSe~Ci0i=5&HN`_s{MR{ZjvFUVZxX zsp}D5Il=1%hjr*lf%qdp{GvLNh=qmB5g+;&8a_WHEPm?$Lcxd))kkP&t5axmct}#| z%#g$wkMxF`V3DBjwd!b!XtE4fWO|9W*w~$tfJCb$+-!at5{eX%KNyT z0?cC{3Ww%X9%yxM?HYdTX0;$#I`Sl70wG*jUSj}6!y4b|uGIiZWx+AJ^#xSnsKtof z5Z>k@Z5+nDB{CQMWhw?>BhO%3k=(0JPHj{>TOBttI9c$a3st4PX_44MZ+)RgeAE?R|+*b^7 z+|wH&7xXvKsCw6bHQaEob4^*|9jY&RN;*@baDo*+@=>YYu%&6IV~^LQ=AjX)iw16+ z>7joiMp;6bLWg?wiaa%8t2m?I37%(Q!-k*agCb0V#omBse05x;t1cDiQt_#K3G0@E zt*V324G}|Ith?1M^?-ivc7H9khJNm5JdxdP)Fn4sW7U6o?{9Sj4sDGu!SPylw_85! 
zNQG4nH6ct3nh^ZMY^V6i6SA4tFfKE6 z^mBKs`|IL?d-hbRJSIwakW#7Y&EPDP^`;UqOiDKbg%ug)srwxm1Qvoh#44WDJ9y8B z1_#FJY;ijo*rFR}JE2nKU^yM;$=JfEC&SvYGaD(kun+0|L@l8Xgy>b-n0U<8Vg#qc4N*(LRl!M)YmWw&x_ld5+!IX+gY`h1I)r(Wk;kg zKyWUYIHP`RFSQQMZX>%L)Z2H*sY~@T%@x*+=avj7oL?K6A-Aq*Fc&zb$($ms1Bcz0 zU`1fNbX%8k<*Gy7DreR~)`Fy2EIcJc$`ZpjQ8!RhT3$EI`j-~Ae}~U}{m-KIj%wfn z{crE!;Gm-ay?Flo*@OOfAJ6*w-#3Of=Ba_2eD0tI@|0YXk#5(qk2x@Q5UQ)F&5Eha zhmZ|QtC*(FpyUxzuV$HZgi8f%ezDLj)nFb1gH#knozIHuavcBf0_iRVnck$>I!Lb$ zX+@lW>816DcpCV>SJ)$oH(~&s&;R%KpY2x9f1e*bJ9yy#_wj^G31^us_>XreE3ut5 z*@~9`ah3(EyGUzNS@z`*E39{!k@%<+g!bFaI4YjJG*DZGqzw?a1Z>4%)Q}Zo<&po@ zjeK6G`q52-)2cfi2wk*&8x>FCqN?KmgQsa**TI1yBtEcM(of8b)Pv?t)j_lZC_*N; zQTh0?y0=ty-X@f9_ z8L5^AxKybL+Q!^b8-%(cz17mdH`Q&#csVE4XFz==Y1Z=SuU2dVfAjF(jcHbpTT^9f zOs%bm9=Z(Kpx-}CR;9l^+uaQqs@X~E9I{?(uU0GO%z9u%x0AVb_iJ^%QEXAwgIZNV zVt(VCk^EOda6)UTu=F!gD*KLSTh)^D61@^;$u~>86@DSnQ;9SmeU3 zl@mO}W1BVN8=6o-ViTUw+Ep|bS!^Ryn)+0!j7BsivgnMkn>v#EuTS4z9KSjn^p8)@ zg0>*q?OVa8<;epdKdS)O-kYwSU|9HYG{4Ig()*h0SPt|;GC)cN7^T?o;<3QGd9#^i<>1=gJ1=5)uOb$UxsuRgz}>K?a$z1svYhG}k%CBdk@CnQKF-S2Lmp6(TEZ8pd_QNc3T`3NowUx=gTcc8kogbH-S$6yWJgTXENan(Y6^ zr#iB3N_Rg3SaAQtix>6t-@V-j|KEFg8hIxq7aYIB*}N0S3Yo0K^48?X4xlDNJwpGA z?CR7EfN_PM=s}%J)TIm@T#D#}O2*q>nB4X$`t-^Cj+D)R8}NpCHH|4J*c9&yN;S`J z4YVlsB_gZ6EDLP4?TrAxObTE<2q+hMKe*^UA4a#jXk^sRDDnA%=L~0=-ZnC7Uqtujvr15g@IOaCLkpWb)DQl2DtXSd5sLpdhtTeC@pjwhPYvAmsNb-@2 zFjF+bUaXh{WlM{jgf_?`9RdoMBS%h&1?j^g}JOXu(nXdZ-^)^P0;Hv3zAvS z0e)dGn;c7f!tHP@Q&TGP3c`wGY42r|V_B3HJRFg*WrKl4BQ8qJWtovJ>T@IGD>Ao6fbHq# zLvRZPABsheh;7oc#o)Jhvq5R9mK47bq~KGO@idL7&+@%cgsL^T5nwAx`ZbW|Rpf*| zH6OT20~^}++Aaw&`=3Fe728S@-Te7)Z+AmrFTA_J!0!N-z8t_FO-#usHTl2ij$~n1 zn;lZ~Eeqx0Si)I%D9v4LW=ouZ4+Lz5Wj_ErmgR@Bpo@lKIP3J2)y7h}uHxxa^kfwq z^HT=^v=gb|-iwbP(O0(8X{pnza+m1nYm-J3#`IOPRN1I%m;XG*@iH(~WCc(dIF=jl z*BkCTjG`~$5%#g$R5t1<**?viXQ_+{4P5*V#e@iK#7Z+)%? 
z%ZAqMG9PWdeZ z(n{?2D62c%FWv0sfG+MxD?runmIkkAV3S19dPiGG2_h^M-D0YivpFp4V>4$QOI#xd zM;*RgRE!HsMi~)CU|Ou9Ez{eEhqd6&yUN%sGqr{nXXaRIgbO;}BulN_)faM7VLutu z=K{lQb90+f{}O3n9?y6pZCpc^r|B|FeNiu)JMCQVdc)$-(-Kx}D@3vgXUWl2OpymTvR*vG_bkJjlkPoRLJ-RX08Z5!MZOVZlpE ztB-gIxIQ0J>`ln?1|GZ1l2;v=ZF@rs?7~Z$jSj1e`B{-slACizUoui~pYvQjc41c= zI!AB0PTHKP%ev;e%wE*m>L%?7t#@39b_9*{NX}RsO_a)_7|Jchz83Yek)gPYxHZTr zA4jRVm3t0YuEqvkK593A2fnj$@hzI#Yrz+~eAF7;D6pm5#!H}jwPUeT(b(7~oj@Ak zbe55o0Bvq=Banu7v}^co_6^r1_SW_}P=!@DBUZND4iCbm`BvpbaCiJX5woSq61+?K z|2M{exRlJ1N&0)&2#^K&pAPn)9aiH%4i6vl|J};}C=eH$ zR@}?Iw|erYI{5dP1ghS7IXx3)RGrjPG!=1iV9IDsMfAJL)l_6qLO(y2lgHcWaTM!+ zA=Cr?jJ|pj=ORVX6z!o%qKKQs0W42b6y2ikpFe5==WWar@~MmLr9st@OSn2{=VtFI z`p>UXcYk-ci+=qtlyF4i2?tbBHvTUpQ$jMd|6g$P@#9}R4#0LS&z-K{8KT!si`9_i zYHpgVN}?;sMFnWFNGca>$%ym&$ca;iFc)d*%K~Bx%9fIkEKWbtnx~^ZQ^&GNNam*p zxogKwNkYOt2WOW*o}Zk(Jw7>k{pR9o(>>S2%Y!PFsNYypFde2uU2?8YsVLLD1NnzH z-<-WXyLx;1`t{Y@)AP$Z%%z32sM&^4{YH;2L!i1fll{C*%yUZBmc1Lu$>99$@zvGw z$@gcMZ_i&Hf7dYaN2{;7HV~WETLYloJK@F$C@n%ySa2?e`j@YNJRh9DzSuaDT3~I% zQyt>Fp~^TmX#Q(c!QcfbYpO68b-++gFVBBGyL@|j_TBm5>hgHgNL(#M7cqo@Ve zHZ;{Cz8k7idP98nxcSH`7oCf)m*+p8U7QUDnw@=fwqcC5g4~9)Ccu})TDY&et)mie zw`i}sJnO$aKRJHeB68HW@5XLwxv5qGJmBTa!5;2HtAgLw*_}pUxx;eMJ6^Ub$s1t+PcV=rn@=2gn3xHq^T%f@^H!E_vW=gAZxo?ve(s0f}>Sgf*1k zd=fa@$wLmfyXJsvLgX^j`z12Kp?PW9Mb3`p8%e|w+WiA(+4}uH^Ur^Bx`_)w7To{z z;@NKP{@-UW_8!iE?&Dec{AXi16mwcXP4e&7xb~ws2Wk*P-kdw92kFuju5?ZWfZgNK z5cF3*4e}8~zDmZEFeIpanFSdUAxL7pYl;A<^D*Q8_1Om!=ipRT5|(cX9Z!@wPYasl ziRn6eL1thMF< zi`69X@O=l$R+GpVZ9sCtd5u7U=2ni-4Hl8e=VhW7d60m9(VYc<-EFwDV4_q(ge?a< zFJE7L_xFU&9VPLR6u+I@5Ww*UIFQ7!Fis9oh+hITT|)a;as zBlNMDUekDe7MCd=PT1V?<+=Iesk?8^@22Y3>fc4peRKYx;@(Nctsro&{!=NtdDZsK z`GZ<}XSKG9#6?qjM|C!eqDnIHO19k3Cl{lJ%fnngYQ5*rGJ?97n8gz!qQ2lCX8!81 zvLNFkZfxZv)KwxU-A--n6>(-H;41w!GMPJ>bU{3`wQ%S<_4QaYvt5B*m zw1)K&R7yEcYz|Iw-bYX70sJy3+qHRP%JthotMoD#$W=gC(A5C0(!RuOOk^G0@as|O zD!~<6tr2u-So2c81Etrpy?fy+vjQ6Y2ot^g5-nNYbGllB_lELinhWc*JWZ>s=SwT` 
zcX%4?Ka`ENmbQ_rU*TC`|2f#L<$r&6c)0su|GAH+vV`2+2a<;^A<6WHh!Z}|upp@W z_pkSQdw+{|yQp`9GZSJ?iR}H54~g9(d*4xI|Afpz;pS;W7AYGC_g?!&w@m3FQP@^7 zi_q-U=Vk!&T$b$^@6lDc&iV=%YPY(!%m|psA$+-CTiSbw15fG9}E+^dKWK9npBv!MrnSl#CUN7{^k8mizICOI1@}yYw19 zAW_tege;#9iSUv}X`q1!P=VlLi5_jyekjN^;IU=JtJE$ul?F6tNhn%Gdf}aQ4MkNd z3oA(lmOs8!^YASDG{}E;w>9~7D3LqmOd1eJCqV;vnc-v6g%`2Rtb|35!Cc=5ph@8kKx{J(sW=6&)0@UF=RzW>1Y|Batz_hcVyu%1N(5+ zGElU@!#hGBjdyqHX24$1$9CZ2efEJ$CDEsaP%r8&9K(A)j1-pFYjv~;)78{Kf1K@X z8UF8cXWL`GRX2hK{D1e^Ud8`o|JmV-2l@YAo-fD$t5o&-*$9G|fe2-SD<1Ro2wj~x z4}asC_P1xd2Y;ZI-ux`H{&VV&x7U&Z7p(vNXU})5`v0@t=MU@uKAr|woHicN<|Afq za14A_s|^^()$Y@$pM#AA#QC{6i1kxlRf?=TKsO^sT$8=-CntpX5iBi=lzqQSiQ$eM zY!QU=c=olDoKtZw3-tMzGbMPMmJ}N z`SoYB|Li@h?*9ibb|36N_wsx>`9J3D#7UQAx${$7Q}ji;-YHJXu3xTUdlX<2}ww@JtQM8NCa=)Wlwd^Sn1=wFB`zI zqBrD};3TDt3`oo&zUFTrFb;8i%}1k`=HipRg&AY!4-MTdr%aeSW{LDA4W0jP^4hPP z(xjHteojXFs7}48n*3u?PWP7d=55K%m&xWXh-Od94g59x7Sl8r?(-in#fH6s@@{!H znj2Z1Y-5egbnO`(91sslI_{FBqX~<1(>gR&*nGMU*ULlBj=SdUXvE}FGknMF9ba0q z`eQsz^1mP(75^8?|Az<9tN9-v>_7MPR93AP*!#j=KMohB67df{Y%>JiS!EDpvl_!T z{2F1JlB7X1Q&=1~0krKPja z|1`<}GTU74uRks0|Mj9O{~tczeenOhm#4D!472DD`c*;S$lyNjmJ#>+JQ>)V8y25w zW-`0G2(5(*nvyX|j*t?$mS%98^4q?9ex91xZc?&%%sD<~;M_?CS01 z@lUQHlGKX~{%7#^`1IBJMF&9&9(#;?ghn`(#J)W5pOjzp&rb^w{52N9ZA6}uBXp@> z9tf`V2~&p(qND1_!Z9JSHf@EEf&df|GX3C zc!nP)lTgQ=_r52w0@cc-Bhpf6?Fd{9aooeXns7mXgUP5Jg!@qVol_ILs>%Eco7bV zw%9$Qk*CD!EDn)#2Gv0*Ac%G{koizk9?VZEC-1Qry4fPBe8qt*=*VVmTfN=im5s7t z|96U7WETEsKmXr-zF)ile{cW6{&z3W0y_Yh)kry0+)8GHO2%xrqF_g{{Zg@lnN?Ni1z$$%XjuQ2aaz9l`R)IEdwW&+|HbZu z{C_`B%la(scymOIJ8!agkV|xhTdF42eBKu9dcxYqRJ+cUFgK5RRYqF}Q+bwgp`u~V zlJq`LAMO)TUz(a9o>iZA{=c~d@C*3=!NH4K{`cqm5BcBk<(bFTKF|Fot$zP2#0IQ# z4@vz(5ovM;_ z&;@6thQn1-dWB_cIrz*(8nC|%%It-ze>j|3xPJ%6x8K3jB>yQc@R-CY-q0mLi{!s& zFZQbbe}~T>^8en;)5tYW{Nd0%g*G6QdsJr~G&L$cLjM8|U>TqJd}5)4vj{&>TQ@jY zK?^&GC@LV0C?t#AocO>}q8ysKf z*%9h?TRhzAU4ARC{Dpzgj5K%PEP&Kk>n`cR*3ibQ>yhkhqy-*qQ~z!u2&L-lfH9?G zffXL6!SIWB?fsYP)jQU|7I$vbfS!Z@rSUi@pa?&RhyuuLPzLv zJ42~A`JNA7Qn;$TXMo%v@T06$--x? 
zVTpd}jo&^E@}EkjJ^I~{32@Q*@3Wfy@A>}W!};&MJj>nxXl@8>xROv4$$H1U1=n6) za{Ou)$?>a&hL^^3U6o2NW2#j4Vs~k5OoXB%8e>J!ztHgcAz?9c_p|jN->5EjO=hLf zS~dS2rvhqN|2YH2IZZbd{kz4iQM<|L$T*M0^xn91$`0o4Hmlt0soa=(z_;Eahay^7{ zJ%n;SgmV3kLb;Yj=0hHcFa0#h|B?v7)6F>mEs+18KdbqFKHuHne~|z0<5@BC#Bzt0 z=$&rKZG?3Tq1&86w6>4OV?oAPkw|e<_Xu^B$Vs;;DhK@>2*Z?j(XXZ89Q1S7hB|e( zk^6H;Dy(vNW6sROKZB3zV}c14D>O@UAqG;Mwd4QOUo{1JR`ht*a_ zZG7j8S38#zEJ`&?FM?jI(YOG!^rE%>uvFMh)BBd*G^N-Xn)7Kc1bJqhMtlSQMWxR? z3kaa}qE;~cv$bu zUG;&}JaC!^PV>NNmf$oul-#b#X>`>GPV>NN9yrba3QjX7N|#Qlg#T}`iYHz4>zCH% zR(~4w{~MgrM6)e-3>b^#PNsl`@juTh`v3m!?(W`${(m3OBWtl6EA%8K3_VFXzs@t% zowsdvQ8(B!yQteW*L&@v=+mdpBe1@GHR3r-(9zc@p|J`+NTS@waL040Wp=)4bhPT4 z+$w9fV@-*7Yh=CJdA4r7E7%9tt!-RESFe2rd;FRMHkDVecW#A(wdd)ACo6Zmzw;XQ zv(J+eGwR12@;oV3w1BuUniHR5@A6Q1lqB2 z5B0%C16lb3sR=&pi1r zlbMqNKd1b+`|R0^n*4Y0;Qw_m&*zZ;=H(Q0AK}i}Rvy^<9!u0M=N#OrWgF~1^(~Gt zO;Pu1LTp^Aiz!42ClWfF;2Q#*rq&EP?w@;8i)T&=mEZ{8AM_=nEMPm1CuM@iglK-% z>y|l9``=%Bx@(VL|B(8fju{tZ(|s&l|9j6W=f4O0hY$H5?&W!e`dBF6a4)j(bdGS|I4%E(^qG`X|nk~ z7Oejld(W!zzxxL-9@hW8Jde;zO9ALaZ*HB=-_h3A`BX1(%+%J_QIoXp>zEA@wnu{A z6>gNEd%Y`sv=L|NtY;ek2@6KqSU2t4(c3h8tQ>2BgtTLUf&YvIpCXJVbUYyf*`z6& zTVa&)+u~KP(|Pm=8FLXj;R)$lH&Vwht6V=tT3-;tKB_d**^tKBh66D3!^hot-gN zlYH2V`EJ!B1Z2n<#s zSndOy#sG6~#K`=9?TJnVjreY#1?UKR^zXQcCqydan7Zv8_$4|SoZIMaG~xpN;Ny;# z8@ucNdC>ivbKUbPmXjgJB3Z7XoWe@!3j*4@q>4zO<>Mk^0EwI_I@NSM&9I_c6o!pD zfcnWPWV%E*d%eAbzibzk6aDI-_u?OHvV?i?gKfb+w2kx@(hUqm;-k}MWXh;Zi+=(Qb8EG~JXOViX zYR(jNZWV)`CZ3>k%@`soV@aDD1?k1`I4G06LkT8Yc%V{aO7kK)8p@MC7y>w>T*-gy=G9hl-2NAJKi_D-w1 zR23AJ338(a$#mumDv^_Sc5A%giX3fib^eadM`*@#-|39!!t1n6lk1dHz^_IV=&d&t zBaGf@)y_5b4m}|^nzl^`Q_OOlrZW_$1T&Oph10=Pjee?!n5HNtPJjMhH)f-(41R}# zU+ZmEVP%+vl?NQWGLI)_TNvd+=}jEk;Fmxf^3N>5|T z<4Twrkw~lmQswcrSK9%yZ9CqXH3jfu$WXg9E*JmYd6RL5tcOHto)tIN&uueQOAKjh zDIDp&tv~1&=tK$0Qa&SzrcKuDprDL5TImH2`_D6xd%aS9DxPYFBhOu*y42w zJ^9rIee4pQ-DO4lY-u}Bk(}^6P0*0&MU;5MNz9pEyJb01w+)a@HIXJnVVX*fhzY-i zsep_#niCf@=_kWWk)WdjiNLbcJuq^MnuiH28)sQMD;F3j%n~dTX?dojGIQZ{=ZeE3 
z)tL0q!xRmP#y^f@n!sHP>8zkolAtHI6B7^N%eFa-Rgy+1W)pqXgQMH zy7}Bj5ErRs3_yXH0vORK#p9kPY?y2POB2M_7LeT5)^-`Yd1(yjJs%oU9ATRF&_FX9 z-;CmDYfJN-tu2tD)0E$~wbVoZ!*dj4W|)<4BbOQ#jwCa^O;J`7O1MDpG%>2Sx8n^Oa!OF%@swdSN2`rt6!9 zT{|eP2`uG$8qGLsGVGJS%lx3sY0oyQzBx%Too<)15N)GVU;uiN>MvN4QJxNn+D4}! zOTeE*#ZP;k&bON4E-{NWx3soaboL=jxgY|)Ip0PM-_WsUxQe6WER!$|mYj&D`$8Ri zr}4qc@1j^F@ARyldkThD6dv|E9dM%SJ61^0&nacs1>cw_T|O(fELC7?;XCV+J6t9J=lNlSzIMsbkY)8{O}B?$YjwtnLQekHTTDuB2vqcWb(H70U|-N` z(s1VC?F9gvYbrF<2}vMDN8;fq3^4!;!STel3xkm}7Ec6cMku#d6y28ILtHsy0h;Ei zqFG8@DG7ZTfzE#e^-s%iqzMAuqpz*C4mBZDNzxmwGJ3NCN$l1WBF+!CFuyy0%WZ4J zmS%dicn|x!1d&&9B;yH5a)8`=t`wD_j;;Tnoz8sYU)}JxgwgM_n*4qSvn4v^aSnH2 zsgi^{Z>QQBrhK?F#d>euf$M-Qq0O_YqXFR~S^s zG$*kYL=^c!3d4YRrc?;67DTQlN9@#H3bn7Xw z=DfDl-XI$8FsmitmY>vWwM`5rr>*n3+=S+InGwG^Uw0xKYHn!UcbGsA)bf)TR@uY= zXgL_@ZmY8Kl8^;BsCn9~Il&9t`5f4~!`!#PyF4YdH?WD3${>pAZbVV`B3c47Wv8b# z$zgsY8^_Qc2%!nm<*A^h_9g~6tjBb&MG4J*T}xo5+1+eSf>^Gx&xN-;(8oN$m#32j zt!!jLgaL>@P_-7Zly7d0uBlpT4Oz3c>HE&SqukmLRDB)>QpH!DNOpU>z5N$=#=r{f zq;2STqmfwBo=NktCJ%`vja&nB&~Y+2N3NK4=_`8cp_gC=9;TRG!}&(8ctRA3Rc}f3 z==P6Y`^(XUu5xPpPzyzP0fy>?aM;`L?XEU(g~y*~#I2;T!cYSr=C$b|Xk!6pLXYXs zL>2v@i;WXTh^;zp9P|!*dn;pLbL3GU`X(rZ@r0P7HWM~ppHg&Nk#Po(glla9#x8h5 z9IPIK&qY1Woo$?sns8dDr~TfGg}i1Sb~Z;@^U$&h8WTj)-|oPHZ2bke@&kavpNoVl zy= zBIrwZgCjiGtpl#4vBOQboF0|q!JuIzzqXZ?->7kDD2#)bkQChmQwJ8%JMX|hpEQz1>8MqQ}MZx zYli7jyXZ*xWCoJSjyXEF2I>C!bQ>mbl-kj5AaIE%>?I-SGK@g z>%LVYHt+;!ptf8pKBd2rCjT$lkbJ5L2?F0Rf<{zGg%s6m4}8fuv~AqeI7?^7iHeR& z4tx^~uCGP(kaubh$TWb?xj)p`;{p!|OQ*FRpsB%m#H_c$>wHL3qAodCr&N^YWX|Si zYazk8iV`Z;-|&90EolJIDHU)b%;Md>%?uctx59g;0~jb%WzsX&ak!qs-WiTR9HG5= zo47vkuKyJ@n1Ylih(G|6F@lsku9iJ+Qyr_wWPr%+eSLO*)%Hf>j~!8v#}; zTzc?Mi`?A615N0@2OlUlOCumuhBku)+pGKB8wNR7LoiJGNfdl25A{lmWGu-zWvbZa z;#dpgn&sQb3dIHKL9PtU5;Qmf4|#jsLJ~XjrP%bGU44Zio(PiYeHf=+G;1C*DoUcD zXdMY~p>I9yft6CRlsu*o+TtCGZQ>=9vF(0P0AVp<`qrN&G$kfx^OOLOEy+5^5FYC* zpnvcof-1<=LFW>c>Xq>F*ah%9k8&!Jy~Az0pl=Wr^e#BXS}sb{nL9Tr2O+TpDSSl40gg1oy*gCz=1=j-D1go$QYI5a4N(m5gTr4a~a$%BhLVOnG 
ziRm?{dy8fBD3Tuf$u$FGb@BJNm@1SrMNLwn0@(L_h(?rAIU%z5cy+ocgrY_na2|me zb;UM*O6B!SO$a2p;0gGhR+R_`hAxUYL$)|7%9km^R!hQaWvp?N1F`b z4`Fo7CQ33wFisMZ-1BtV-=|pNK30=(g8a;2g^~YQo()$9Qq|drMospbU28&wAbyB~ znsAM|V7Kb-++eYj(qR!#)?H)ljk;Mw)63)GC694R)vOg4r2=Jq{6vt%GlZ)#?+|Zg zGa8u6R-+Nb28-&~erLA3fUV07n~-{c0E)qePi4SFXgtwPn0UvcR((r^i0&G}}P1=-a323Mjg5D(oR^Pc~XJKf6NAG|52GbN` zWT&u9upmdB2yJb-wYIg@9ByPZMhF=d1QL{R0sm=MJR~;c2=Lm10sSBX-$}=4-PoTv zw*3?U7!s)>G8%EAJPcM%)f%YCV-;lTQXFZeUU76yNOq^*dzDR24@fGW1@pX(T<{!K zD26M>tNj|y4tXcA_Iutb zENsWQ;@{vDGkddk1w;BX3cr^Tat6X%S*9!R-hvEGZCPLg7*j%J%x{Pw3BoL37OK!;*HO>voaBQ0#iOB%EJ%K9PdFnzXfY*tMc&}r@}q-LL(1qBHh?5&31;!Ew;tzd zY#lg6*tD;KQ^|b*Ib{jGp-GNY#~kbw*=T$_UomDH2X04!gmIQe^}7Z_*)|idXAf@f z0-W19a$Qtr&;gK=Y)b{mZM`i2N^{Gx2!Cn6?HnFu@2z^piebZHb8N0st*#a+{N;kgDGoqQDy6lFw0 z@bEN`Cq+^Vvy8MtZSrmSyw7&0o?wxfbeE4MigAWxs%E8aV1IXa9j)IProa-lTSo5w z?(T9}eP!tH*sa+4Shb~*FFqfu=Vto@8qcQzTL96*;R2BlF(HW+qGF{PSAcmwYO83K zHvMWyVm>7j<;?EVP}=C!5dUowacCV)5R#xgE6>2Q4NZVG1y*O{*>aO{NhA?BBq@;k zEf;|f-ZUkyPB0T7(uWFp3&9IlHNbXR!6;8dAt@TB>}A;!{admx>C)UO%H%fWwh8&H zXg^rA25j1glL?8h%ZHIxzKfB&N709)5Nqg7tpj4`37Z6cS^m4@?Eo|SCnrjV-^MKr0E7x zN;Mrwk)K1oHGRDvS@>k5irZ+ZU!Qz~1BCr5^)82P*XKa%cX3G@Z@_&KO#sD9LqiwF zpQC9$9?PJhF85eteoVD|p*ZUQXwoP3e>{yQbmg&T!zYrO(s!oGBu1a9TgxfFekjL8U^KZJZ%V zV$Kqq&nsviWgL~yeDb{b)tlEmIlc=a;G>$mX9A062vh?n%HQ9fcCfLxhGX@M?X!K0r3iU|p9 zL&4#ZOZj7WW-b2%B<kAl%U^vQ>IV% z2I=aywpvMUYpc-Mz9%fUh6PB78lu9>k~lSICZ6uNb1Na3Y0>W3W+}JQq#G4I-Sm zbquL}LGYO3>$d*yU>>m$d?5>oJ&Ik<&LA46dIxB@KI3+BM_j~on9kO-$hcFe<}NG7 znKhQwovf)Aq(Kg@4x>EPOXPd1VV=FDQ>w~`rJTLzLsXQ86@_ehR8**nV2x)$V2r?Q zhGfy6MLZY&s2h%vC(whgRNzYxxTYfM`Tj$V&V6-0dxjlTi8j9B?k$UCvqvq1V7r@b z1i57f{=W&ar7&lMvNpt)uCR6J-4JG-;o4q)4~*Dw`*OZV!#zFv8f$}z2lNe`&ZO24 za$&CE(HjgicBUW?qf1lS>-hBWW0zY6l1!9cE zuyOx?|8H5iwdbxjJ)>60j8JJicp{&Iewj;S8iB0tHY{N3J(3&F+rT8Uu?=DwlZZy! 
zDWszB^W>)qVPzMqH_Ro6O=pd>1=uzX6wX6^=XIo)L*4%h)mp7NV=d);WmD*DTzZu` z~&0n3^`ZZ2-M3e**&#{VXr>0ei+-3BsCa|7Cs>Nt8>)QTqL}(3LBPX zVb=1iyYSlPxSsNysa~h#YgG3JSQFRgVv3S8na{gxLHCe@>}J3VK`Z&1_(Z`Kb<|xR zYvPlvg*OD$T742;+%a2*vykY>4H0&{fY#|f8!62!4E$mKYj(ng79GL2tzH|FWFRLim3;Bg?o{=yEH#RCH@D6^z`v z#=vjF@-<6q#tD!Ho;T1TmUZU~*GSJ+N;rG06B)xIC~x3zJeonV z-vFF1N)nKxfZwt{Pfo1`!`vJl5`^BI+*f2TmWCsa3+p7QTWDG~_JFlyz{jyU>@X(( zAN|H)vT%d*4Gyo6*(t7;0YJcI5wPkQX~J)r)k1m1xSBvZ{;Faf%*l{U@D1f~24Q%Y zR%S`Db+mMEtX9T~tQlkv4X80~8Fp-qAT{6+g^(zl&VIY$=14*8_`MgBx3~wR0|pxf zJ8zWnWNWLk_XJ}h;Ye!Ww{&K96_Yc&2C3wxaLC~>Lo%Z_AAFHO9556DUWgBi;hux_ z`v!Z+)ue=U%#xMHvLrR#$GFzuE$z-CezAGakY)<4elFv#`gI9(*StR4PWLvsfgnhn|$D$C7a(?3Lz=>Bbqh{{MRo@Jy?;pTF+jdYHNxeAp{vl~FS zJ@nJ@<;D5McSpscpu2reI%A7-)pys0;E~ees0IrR!UK}R?i-pV&4m`Xn8B`WhTz-M zqIAM*w|VSLF=dJ{%wmtQTRf8y;9?<$z;R1Wz(IG-S=t0Pj#J4i)nhJ1?h)f5aS+_% z;v(1}R>n8EF{Wa?%jPbEZc%U!wU$a1Q&i;}i@RDvn%1%@VN`;G_!Fk8>1fu8)TP2m zmtN(Nw(U%|;Vco((y&6{z^BDhE)t`!2vWlk7yWYIvG>r2OJl`3iD>=^CC1 z3?FPVp(DKJ_NR0-A}}I25ECSw*|32c4ib`L5Dj2Z1{=k+7NBlBb{pV`%D|}P_W+|m ziW2wm9`9~p%4-UHW+(CvXeAWFn!lk&|AIZP6k{|ZSmlDCTTrg`5;fCd5CI1v`hzh9 zu^FP%3>&3Z|0+gTnvmcIHh0Xp={2~>5wk$OQ8vx_uRY#gVi{T$)gBwWWAVE#Mkm3S z*P=U#4USt2@Y66n0G6PvxQjqtzXFR>Rx4+j^;chY_MC(?9FsVYhc7#Y7K%$^{J6o( zu$w2l;uF#*Y~3IGPhFrkUf zO=BB2M&Aif3kc3fNRUeH5>u*Mx|bc5vBOnIR&CLVCy!0-XhLujefaR9N2lY*29qG3 zPI*%J&O%_g<~8tLLfRW%$I@~*xLn-$v$s6_b=}8xQa4CBwGZ9TWhd`(oUItQ`l z2)687RX%@pUW);Fk9{}Z2gNLbsw4%*|M2&HK^F6d9aFg?|I>`4ZN|JQsjv;pnSDE$F za@{S$Vw_`vnIa@PFW>8R(ti^Y+;_fQ{n9O0w1w7m5z7l%V(+^58h1JH5kwWPaO%Pw zL47>wzbOJ6&0&sF>U>cfO%k#iqoC$KHxADSX z%O77k;GUSic5FXSQ7o{WXr1$xq^bVj&pl|zHkca6G06`wC(gW!tOI8RMVT{G+cR%^R8n}z&t0Y#y&VRI)^(WzZ&A8M{^4d|?zGq=!g zZx8K2V~wOGOCADSXm5A-9YAO!cftREgz%8x5I;K2L7WJ#sR^Wq$7NYV52CmryyR}- zCRVetf96zZis5LKYf*rF$Wm?%l-2Q`@3c&bBhsB>P9Yk*48sk@6$>iR)d*1yJH*dx z8n-A12y&^HCgZn7U*;lts){pJFQMr9-Yx=@_V)h_A{z5`RnAP++D>d4rT29++i>-4 zy=6!E5eUsK?3_6v&?VoTaX+nz3bM8b=i>Qrto#^21#kcx{cac;L zTu>r`ncgJ@pPF#7!`&Y8K)hyl@}x<&-P|waYa)g#4M}nTytmU=4F=RZZYCh2I!&Mm 
zk}->+IIuJ>FhK?*x4*Vx!w`uB%XpOrHm5M_7Eco*RmZWKV10Zk$ zIL;N9 zF;0mvi5ZekDI2!+X0nA*QQGElNYInB4;c}3s%5(LX)XUb6!X+qS}TxsA-K)YrwVmB z%ze_nxsd4f;oGock_;R&hE`+1PIdt{Q6CUE5#!Xldxg%8Q=(v%Xw8Y1jFuPN=T3E5 zS=FzAdYEmh#&R?ieFRl3XO zZ?BrMJmr~d@aGX87uf`}V;8hRIV%Y5HGCt9Ngipf2sKJ-GMrKLh z9|%EYrl%29G}|rEN}1uM^cvK`!l7LDES!OO1v23+3l!Lpi`t;HAhx^I$GxE4CYQJ{ zQ5v0Ej+^2`8QC75Tv}1qWo2>!A4a%}+*$=3DuG8M8oLDiM)7x9_?;3FI!W5fw#{DW zKdv~EWGu+oiKCTnw-IHT^;63PiM;cS9muf{5&6XO$L92<*; z>YB9?`~TrGgG1e|E#MVfTib0lAmr9~O=Ft&(A~L{J9nKoH%6bgUO-oLN_ZYzk7Qr? zg>qJC|F%l~lB9~WUi0aIsx%BfIW^P56ZzCoZeiRnB9UFyzv{U-*e&;3(vLNz{MCP7 z5wAw{EpYnR`S^5)S9&Ks*Gi}`Cy|cryR$9WX~P1`9aKt_{ua0w7v3$!ADK^ug1ih?a0!zb6b>c62X9(lwlCABPsHF7kV&5_Y~8le6)3#Mr`cG* zjp7~U4BtYQroy2&#-I)iXJ|+j5?pEY89j*8)`B7R%XWC&8Q7Ex#T7isNJA!m-CF}vM_8%|UKe;>giT$i9i`R5g5Yik*?=9Z zSX1Hc7Em^E*7pYA6g@3QVFpzeIOLQkWP9NRGAqxSIoCVBbC|a-c$_t1*ZOusb{+Z~ zSy|d{xDKsI@3}H7IG;{QLa{QL`M{vyc!G0jD7b|$+{QOdZa!<5I4K;GgOmC)U-{lr zLgQQl7JYU^k3g5{8Bl9IusvXnoX63V!@a{71o7H=2q(^*ItLEbuGI~Q=*w(^jWcEQ zZ7k&7b`Es$e?aldoo69~zPye*q!IbJ+SD^^*ueAG0Dnl*S&^9{`PxkC2f zZ#pF`F*7J~*2qAl<6C?*iZX()VZ|G^2ySLcZap$bU?FD4&C1l>z^dFuyJ&0Y1=>Pe z^QYT{gt+OH#w+hz&wZ{0opyqd1zp%rzI0A}MR{Z^te`CytPUwbr{3qd<|s48;ySdJ z7QQi7qlP@>iVKNw5bMGch#ZpMRl-#Zj2=EqSUjO=A_(jK!hSKnF(#aIA+#<(aF(UC zFub_yB(yl~WH)neMH1+rvYh7yu-u#QrN^<}b_#I9KxHM2Lc|Ry*f(S78f1Pr2BU!^ z5p1v~fFD+b+c$!NnIcria3rJW?wYd190o*FGUZyW6LdN?iO)7POqCoSh!HmVyS1T90k(wo}VBjK8w(0UQj(UDdRM-TCxr9QjZ9G!sNh z%GoQTCOn`<8|M&|K)%Qdx|+1t&RxUO`~Q&JQA;A(`^q4G041Z->iGzVpp=j+fP`_r9A@030>VxA`;3zN0an*Gj+MFD_-5ZMGHbyaVrf!r4*I7*^w5bL-?q)`Y#kUfL2f9yMcD*PWA?Jf zEvx6|il$m&)#dg6!IRv?tOeH})hy?CHD7-byLHuEZGA+F26a2-87kegSn?4I8*w<4 zXb&6{Vz{CcCKG(V^gH8kqo-FXL5F#e=wD{Z^;Yz)> zj5FinqWLFe*@Ck~mgQ=P=PJt;dUF2yDdHJ1*;l2N{lIU@__i=fZ-T7R#}XuA3Bg$u z#C!?fAA7sTyx zX~uU$m~Oz`v(M>?;~hX=$<-&2R03jTMm7C^HoITL+g@EEsX+2G06mEAixO54L)h=gNa^ocQwH zRMlIo78$uK3&H1DH_2tV=o!|~?1ogm09e{e^KrDou*+B6R7oei;n~5vcq>6#EW3Rx z^C4`4l(V;VehLEqvm(6%eshqQVdZ=&wFoy)iSddW;*9ZJF 
z=gI_vfQ-?D(A919^T#g3Q_?-^8dapbjk;8Rr;*(~(xdzI>*G?)?Go5TemE;k+Ptg2 z7c9jKo{%Le4JRZB7qh?JL{JQt~SVh!DM zCekFrvVl#5?~kAD?U(H1Mw3s?_cB&mXR|qS#K!8D+khOhHiFMj&vsyahb!ob3IDeF zMp7b!KoWCQ2`;zg<4Wm$xJ>;~ahw{`5d3uQfj)=raK{m^w68k zg$#T15uCJ`UWxI;w$`p9rxK2@2}^<$BsTGugM2%@32O=(nKGAtgxMrb0(r<-=5C@` zdMSbGV+a^|3SMIgwI(|$(yiK9WdFio-~X($glh7WYVL?77G>XWOARqEZA&xQ%l_9d z&@fA)iI0^CqxZ6KqXDDl6lYGIdHnI0ZZ6Vax<|isCrV}VXlJMF@NDCed-5O>WK22h z;VJ%&Gkhz1F`w=ztqGT^{L=mO_{roNrB2!u)E$ z+mzpg-b>!QsOF7w2V>H*u05Nvyx73R?(%k4Un4{}Wn-anJMF}UUQoq^ zIF~l4(Z(|M58I?YJc?t-X_`)h@7mnfC8_P$P7~+nw0~rUv16w_rk$o0@l$Vn#fpWb z&?visLPEI8b1GF5aIME6+qw(b3UPFvp24HZzA9rEgB^b1#vzi=W#4!te+W^V|Dq;N zw95j!J4{wco90wi_da92^L*skxX`4zGMqlqHwR^*J3BB+lLdfEY6e(K_w>r(>j-UcD1v%^rYqo zHF-qyBYk!ReZnSz?+jnY)O!r~a+zF9Z*kEhuKLSNLg2Y-lr~3mdlv#HHd&TstIc}* zY5Q&#>>MVxXhx>k7ti>-z37K?TtXPQ z6V(7mwJ_2$nlo%_h}2P*Le=q}TG=ShoKJ)gA7>hHi8g@mv?}}lDAJ2O)#^gv-+%Jq z6ik#|0DXk#a&b!yO@MP0{4lSz*UdScQeCQor2Qwi2onT}Nim+JLc6l#>YOaNtV{sf zEKMwgo03O3>9mns;FUp?QK{Iaztwu*4a220= 1.21.0-0' + catalog.cattle.io/namespace: longhorn-system + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: longhorn.io/v1beta1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: longhorn + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 1.5.3 +apiVersion: v1 +appVersion: v1.5.3 +description: Longhorn is a distributed block storage system for Kubernetes. 
+home: https://github.com/longhorn/longhorn
+icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/longhorn/icon/color/longhorn-icon-color.png
+keywords:
+- longhorn
+- storage
+- distributed
+- block
+- device
+- iscsi
+- nfs
+kubeVersion: '>=1.21.0-0'
+maintainers:
+- email: maintainers@longhorn.io
+ name: Longhorn maintainers
+name: longhorn
+sources:
+- https://github.com/longhorn/longhorn
+- https://github.com/longhorn/longhorn-engine
+- https://github.com/longhorn/longhorn-instance-manager
+- https://github.com/longhorn/longhorn-share-manager
+- https://github.com/longhorn/longhorn-manager
+- https://github.com/longhorn/longhorn-ui
+- https://github.com/longhorn/longhorn-tests
+- https://github.com/longhorn/backing-image-manager
+version: 102.3.1+up1.5.3
diff --git a/charts/longhorn/102.3.1+up1.5.3/README.md b/charts/longhorn/102.3.1+up1.5.3/README.md
new file mode 100644
index 0000000000..60595a86b6
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/README.md
@@ -0,0 +1,49 @@
+# Longhorn Chart
+
+> **Important**: Please install the Longhorn chart in the `longhorn-system` namespace only.
+
+> **Warning**: Longhorn doesn't support downgrading from a higher version to a lower version.
+
+## Source Code
+
+Longhorn is 100% open source software. Project source code is spread across a number of repos:
+
+1. Longhorn Engine -- Core controller/replica logic https://github.com/longhorn/longhorn-engine
+2. Longhorn Instance Manager -- Controller/replica instance lifecycle management https://github.com/longhorn/longhorn-instance-manager
+3. Longhorn Share Manager -- NFS provisioner that exposes Longhorn volumes as ReadWriteMany volumes. https://github.com/longhorn/longhorn-share-manager
+4. Backing Image Manager -- Backing image file lifecycle management. https://github.com/longhorn/backing-image-manager
+5. Longhorn Manager -- Longhorn orchestration, includes CSI driver for Kubernetes https://github.com/longhorn/longhorn-manager
+6. Longhorn UI -- Dashboard https://github.com/longhorn/longhorn-ui
+
+## Prerequisites
+
+1. A container runtime compatible with Kubernetes (Docker v1.13+, containerd v1.3.7+, etc.)
+2. Kubernetes >= v1.21
+3. Make sure `bash`, `curl`, `findmnt`, `grep`, `awk` and `blkid` has been installed in all nodes of the Kubernetes cluster.
+4. Make sure `open-iscsi` has been installed, and the `iscsid` daemon is running on all nodes of the Kubernetes cluster. For GKE, recommended Ubuntu as guest OS image since it contains `open-iscsi` already.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `enablePSP` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, you may have to clean up your Helm release secrets.
+Upon setting `enablePSP` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Longhorn docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
+
+## Uninstallation
+
+To prevent Longhorn from being accidentally uninstalled (which leads to data lost), we introduce a new setting, deleting-confirmation-flag. If this flag is **false**, the Longhorn uninstallation job will fail. Set this flag to **true** to allow Longhorn uninstallation. You can set this flag using setting page in Longhorn UI or `kubectl -n longhorn-system patch -p '{"value": "true"}' --type=merge lhs deleting-confirmation-flag`
+
+To prevent damage to the Kubernetes cluster, we recommend deleting all Kubernetes workloads using Longhorn volumes (PersistentVolume, PersistentVolumeClaim, StorageClass, Deployment, StatefulSet, DaemonSet, etc).
+
+From Rancher Cluster Explorer UI, navigate to Apps page, delete app `longhorn` then app `longhorn-crd` in Installed Apps tab.
+
+
+---
+Please see [link](https://github.com/longhorn/longhorn) for more information.
diff --git a/charts/longhorn/102.3.1+up1.5.3/app-readme.md b/charts/longhorn/102.3.1+up1.5.3/app-readme.md
new file mode 100644
index 0000000000..321e5193c4
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/app-readme.md 
@@ -0,0 +1,27 @@ +# Longhorn + +Longhorn is a lightweight, reliable and easy to use distributed block storage system for Kubernetes. Once deployed, users can leverage persistent volumes provided by Longhorn. + +Longhorn creates a dedicated storage controller for each volume and synchronously replicates the volume across multiple replicas stored on multiple nodes. The storage controller and replicas are themselves orchestrated using Kubernetes. Longhorn supports snapshots, backups and even allows you to schedule recurring snapshots and backups! + +**Important**: Please install Longhorn chart in `longhorn-system` namespace only. + +**Warning**: Longhorn doesn't support downgrading from a higher version to a lower version. + +[Chart Documentation](https://github.com/longhorn/longhorn/blob/master/chart/README.md) + + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `enablePSP` set to `false` if it has been previously set to `true`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `enablePSP` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
+ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. \ No newline at end of file diff --git a/charts/longhorn/102.3.1+up1.5.3/questions.yaml b/charts/longhorn/102.3.1+up1.5.3/questions.yaml new file mode 100644 index 0000000000..11d3b2bdfe --- /dev/null +++ b/charts/longhorn/102.3.1+up1.5.3/questions.yaml 
@@ -0,0 +1,890 @@
+categories:
+- storage
+namespace: longhorn-system
+questions:
+- variable: image.defaultImage
+ default: "true"
+ description: "Use default Longhorn images"
+ label: Use Default Images
+ type: boolean
+ show_subquestion_if: false
+ group: "Longhorn Images"
+ subquestions:
+ - variable: image.longhorn.manager.repository
+ default: rancher/mirrored-longhornio-longhorn-manager
+ description: "Specify Longhorn Manager Image Repository"
+ type: string
+ label: Longhorn Manager Image Repository
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.manager.tag
+ default: v1.5.3
+ description: "Specify Longhorn Manager Image Tag"
+ type: string
+ label: Longhorn Manager Image Tag
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.engine.repository
+ default: rancher/mirrored-longhornio-longhorn-engine
+ description: "Specify Longhorn Engine Image Repository"
+ type: string
+ label: Longhorn Engine Image Repository
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.engine.tag
+ default: v1.5.3
+ description: "Specify Longhorn Engine Image Tag"
+ type: string
+ label: Longhorn Engine Image Tag
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.ui.repository
+ default: rancher/mirrored-longhornio-longhorn-ui
+ description: "Specify Longhorn UI Image Repository"
+ type: string
+ label: Longhorn UI Image Repository
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.ui.tag
+ default: v1.5.3
+ description: "Specify Longhorn UI Image Tag"
+ type: string
+ label: Longhorn UI Image Tag
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.instanceManager.repository
+ default: rancher/mirrored-longhornio-longhorn-instance-manager
+ description: "Specify Longhorn Instance Manager Image Repository"
+ type: string
+ label: Longhorn Instance Manager Image Repository
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.instanceManager.tag
+ default: v1.5.3
+ description: "Specify 
Longhorn Instance Manager Image Tag"
+ type: string
+ label: Longhorn Instance Manager Image Tag
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.shareManager.repository
+ default: rancher/mirrored-longhornio-longhorn-share-manager
+ description: "Specify Longhorn Share Manager Image Repository"
+ type: string
+ label: Longhorn Share Manager Image Repository
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.shareManager.tag
+ default: v1.5.3
+ description: "Specify Longhorn Share Manager Image Tag"
+ type: string
+ label: Longhorn Share Manager Image Tag
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.backingImageManager.repository
+ default: rancher/mirrored-longhornio-backing-image-manager
+ description: "Specify Longhorn Backing Image Manager Image Repository"
+ type: string
+ label: Longhorn Backing Image Manager Image Repository
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.backingImageManager.tag
+ default: v1.5.3
+ description: "Specify Longhorn Backing Image Manager Image Tag"
+ type: string
+ label: Longhorn Backing Image Manager Image Tag
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.supportBundleKit.repository
+ default: rancher/mirrored-longhornio-support-bundle-kit
+ description: "Specify Longhorn Support Bundle Manager Image Repository"
+ type: string
+ label: Longhorn Support Bundle Kit Image Repository
+ group: "Longhorn Images Settings"
+ - variable: image.longhorn.supportBundleKit.tag
+ default: v0.0.27
+ description: "Specify Longhorn Support Bundle Manager Image Tag"
+ type: string
+ label: Longhorn Support Bundle Kit Image Tag
+ group: "Longhorn Images Settings"
+ - variable: image.csi.attacher.repository
+ default: rancher/mirrored-longhornio-csi-attacher
+ description: "Specify CSI attacher image repository. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Attacher Image Repository
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.attacher.tag
+ default: v4.2.0
+ description: "Specify CSI attacher image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Attacher Image Tag
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.provisioner.repository
+ default: rancher/mirrored-longhornio-csi-provisioner
+ description: "Specify CSI provisioner image repository. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Provisioner Image Repository
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.provisioner.tag
+ default: v3.4.1
+ description: "Specify CSI provisioner image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Provisioner Image Tag
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.nodeDriverRegistrar.repository
+ default: rancher/mirrored-longhornio-csi-node-driver-registrar
+ description: "Specify CSI Node Driver Registrar image repository. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Node Driver Registrar Image Repository
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.nodeDriverRegistrar.tag
+ default: v2.7.0
+ description: "Specify CSI Node Driver Registrar image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Node Driver Registrar Image Tag
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.resizer.repository
+ default: rancher/mirrored-longhornio-csi-resizer
+ description: "Specify CSI Driver Resizer image repository. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Driver Resizer Image Repository
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.resizer.tag
+ default: v1.7.0
+ description: "Specify CSI Driver Resizer image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Driver Resizer Image Tag
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.snapshotter.repository
+ default: rancher/mirrored-longhornio-csi-snapshotter
+ description: "Specify CSI Driver Snapshotter image repository. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Driver Snapshotter Image Repository
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.snapshotter.tag
+ default: v6.2.1
+ description: "Specify CSI Driver Snapshotter image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Driver Snapshotter Image Tag
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.livenessProbe.repository
+ default: rancher/mirrored-longhornio-livenessprobe
+ description: "Specify CSI liveness probe image repository. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Liveness Probe Image Repository
+ group: "Longhorn CSI Driver Images"
+ - variable: image.csi.livenessProbe.tag
+ default: v2.9.0
+ description: "Specify CSI liveness probe image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Liveness Probe Image Tag
+ group: "Longhorn CSI Driver Images"
+- variable: privateRegistry.registryUrl
+ label: Private registry URL
+ description: "URL of private registry. Leave blank to apply system default registry."
+ group: "Private Registry Settings"
+ type: string
+ default: ""
+- variable: privateRegistry.registrySecret
+ label: Private registry secret name
+ description: "If create a new private registry secret is true, create a Kubernetes secret with this name; else use the existing secret of this name. Use it to pull images from your private registry."
+ group: "Private Registry Settings"
+ type: string
+ default: ""
+- variable: privateRegistry.createSecret
+ default: "true"
+ description: "Create a new private registry secret"
+ type: boolean
+ group: "Private Registry Settings"
+ label: Create Secret for Private Registry Settings
+ show_subquestion_if: true
+ subquestions:
+ - variable: privateRegistry.registryUser
+ label: Private registry user
+ description: "User used to authenticate to private registry."
+ type: string
+ default: ""
+ - variable: privateRegistry.registryPasswd
+ label: Private registry password
+ description: "Password used to authenticate to private registry."
+ type: password
+ default: ""
+- variable: longhorn.default_setting
+ default: "false"
+ description: "Customize the default settings before installing Longhorn for the first time. This option will only work if the cluster hasn't installed Longhorn."
+ label: "Customize Default Settings"
+ type: boolean
+ show_subquestion_if: true
+ group: "Longhorn Default Settings"
+ subquestions:
+ - variable: csi.kubeletRootDir
+ default:
+ description: "Specify kubelet root-dir. Leave blank to autodetect."
+ type: string
+ label: Kubelet Root Directory
+ group: "Longhorn CSI Driver Settings"
+ - variable: csi.attacherReplicaCount
+ type: int
+ default: 3
+ min: 1
+ max: 10
+ description: "Specify replica count of CSI Attacher. By default 3."
+ label: Longhorn CSI Attacher replica count
+ group: "Longhorn CSI Driver Settings"
+ - variable: csi.provisionerReplicaCount
+ type: int
+ default: 3
+ min: 1
+ max: 10
+ description: "Specify replica count of CSI Provisioner. By default 3."
+ label: Longhorn CSI Provisioner replica count
+ group: "Longhorn CSI Driver Settings"
+ - variable: csi.resizerReplicaCount
+ type: int
+ default: 3
+ min: 1
+ max: 10
+ description: "Specify replica count of CSI Resizer. By default 3."
+ label: Longhorn CSI Resizer replica count
+ group: "Longhorn CSI Driver Settings"
+ - variable: csi.snapshotterReplicaCount
+ type: int
+ default: 3
+ min: 1
+ max: 10
+ description: "Specify replica count of CSI Snapshotter. By default 3."
+ label: Longhorn CSI Snapshotter replica count
+ group: "Longhorn CSI Driver Settings"
+ - variable: defaultSettings.backupTarget
+ label: Backup Target
+ description: "The endpoint used to access the backupstore. NFS and S3 are supported."
+ group: "Longhorn Default Settings"
+ type: string
+ default:
+ - variable: defaultSettings.backupTargetCredentialSecret
+ label: Backup Target Credential Secret
+ description: "The name of the Kubernetes secret associated with the backup target."
+ group: "Longhorn Default Settings"
+ type: string
+ default:
+ - variable: defaultSettings.allowRecurringJobWhileVolumeDetached
+ label: Allow Recurring Job While Volume Is Detached
+ description: 'If this setting is enabled, Longhorn will automatically attaches the volume and takes snapshot/backup when it is the time to do recurring snapshot/backup.
+Note that the volume is not ready for workload during the period when the volume was automatically attached. Workload will have to wait until the recurring job finishes.'
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "false"
+ - variable: defaultSettings.createDefaultDiskLabeledNodes
+ label: Create Default Disk on Labeled Nodes
+ description: 'Create default Disk automatically only on Nodes with the label "node.longhorn.io/create-default-disk=true" if no other disks exist. If disabled, the default disk will be created on all new nodes when each node is first added.'
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "false"
+ - variable: defaultSettings.defaultDataPath
+ label: Default Data Path
+ description: 'Default path to use for storing data on a host. 
By default "/var/lib/longhorn/"'
+ group: "Longhorn Default Settings"
+ type: string
+ default: "/var/lib/longhorn/"
+ - variable: defaultSettings.defaultDataLocality
+ label: Default Data Locality
+ description: 'We say a Longhorn volume has data locality if there is a local replica of the volume on the same node as the pod which is using the volume.
+This setting specifies the default data locality when a volume is created from the Longhorn UI. For Kubernetes configuration, update the `dataLocality` in the StorageClass
+The available modes are:
+- **disabled**. This is the default option. There may or may not be a replica on the same node as the attached volume (workload)
+- **best-effort**. This option instructs Longhorn to try to keep a replica on the same node as the attached volume (workload). Longhorn will not stop the volume, even if it cannot keep a replica local to the attached volume (workload) due to environment limitation, e.g. not enough disk space, incompatible disk tags, etc.'
+ group: "Longhorn Default Settings"
+ type: enum
+ options:
+ - "disabled"
+ - "best-effort"
+ default: "disabled"
+ - variable: defaultSettings.replicaSoftAntiAffinity
+ label: Replica Node Level Soft Anti-Affinity
+ description: 'Allow scheduling on nodes with existing healthy replicas of the same volume. By default false.'
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "false"
+ - variable: defaultSettings.replicaAutoBalance
+ label: Replica Auto Balance
+ description: 'Enable this setting automatically rebalances replicas when discovered an available node.
+The available global options are:
+- **disabled**. This is the default option. No replica auto-balance will be done.
+- **least-effort**. This option instructs Longhorn to balance replicas for minimal redundancy.
+- **best-effort**. This option instructs Longhorn to balance replicas for even redundancy.
+Longhorn also support individual volume setting. 
The setting can be specified in volume.spec.replicaAutoBalance, this overrules the global setting.
+The available volume spec options are:
+- **ignored**. This is the default option that instructs Longhorn to inherit from the global setting.
+- **disabled**. This option instructs Longhorn no replica auto-balance should be done.
+- **least-effort**. This option instructs Longhorn to balance replicas for minimal redundancy.
+- **best-effort**. This option instructs Longhorn to balance replicas for even redundancy.'
+ group: "Longhorn Default Settings"
+ type: enum
+ options:
+ - "disabled"
+ - "least-effort"
+ - "best-effort"
+ default: "disabled"
+ - variable: defaultSettings.storageOverProvisioningPercentage
+ label: Storage Over Provisioning Percentage
+ description: "The over-provisioning percentage defines how much storage can be allocated relative to the hard drive's capacity. By default 200."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 200
+ - variable: defaultSettings.storageMinimalAvailablePercentage
+ label: Storage Minimal Available Percentage
+ description: "If the minimum available disk capacity exceeds the actual percentage of available disk capacity, the disk becomes unschedulable until more space is freed up. By default 25."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ max: 100
+ default: 25
+ - variable: defaultSettings.storageReservedPercentageForDefaultDisk
+ label: Storage Reserved Percentage For Default Disk
+ description: "The reserved percentage specifies the percentage of disk space that will not be allocated to the default disk on each new Longhorn node."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ max: 100
+ default: 30
+ - variable: defaultSettings.upgradeChecker
+ label: Enable Upgrade Checker
+ description: 'Upgrade Checker will check for new Longhorn version periodically. When there is a new version available, a notification will appear in the UI. By default true.'
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "true"
+ - variable: defaultSettings.defaultReplicaCount
+ label: Default Replica Count
+ description: "The default number of replicas when a volume is created from the Longhorn UI. For Kubernetes configuration, update the `numberOfReplicas` in the StorageClass. By default 3."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 1
+ max: 20
+ default: 3
+ - variable: defaultSettings.defaultLonghornStaticStorageClass
+ label: Default Longhorn Static StorageClass Name
+ description: "The 'storageClassName' is given to PVs and PVCs that are created for an existing Longhorn volume. The StorageClass name can also be used as a label, so it is possible to use a Longhorn StorageClass to bind a workload to an existing PV without creating a Kubernetes StorageClass object. By default 'longhorn-static'."
+ group: "Longhorn Default Settings"
+ type: string
+ default: "longhorn-static"
+ - variable: defaultSettings.backupstorePollInterval
+ label: Backupstore Poll Interval
+ description: "In seconds. The backupstore poll interval determines how often Longhorn checks the backupstore for new backups. Set to 0 to disable the polling. By default 300."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 300
+ - variable: defaultSettings.failedBackupTTL
+ label: Failed Backup Time to Live
+ description: "In minutes. This setting determines how long Longhorn will keep the backup resource that was failed. Set to 0 to disable the auto-deletion.
+Failed backups will be checked and cleaned up during backupstore polling which is controlled by **Backupstore Poll Interval** setting.
+Hence this value determines the minimal wait interval of the cleanup. And the actual cleanup interval is multiple of **Backupstore Poll Interval**.
+Disabling **Backupstore Poll Interval** also means to disable failed backup auto-deletion."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 1440
+ - variable: defaultSettings.restoreVolumeRecurringJobs
+ label: Restore Volume Recurring Jobs
+ description: "Restore recurring jobs from the backup volume on the backup target and create recurring jobs if not exist during a backup restoration.
+Longhorn also supports individual volume setting. The setting can be specified on Backup page when making a backup restoration, this overrules the global setting.
+The available volume setting options are:
+- **ignored**. This is the default option that instructs Longhorn to inherit from the global setting.
+- **enabled**. This option instructs Longhorn to restore recurring jobs/groups from the backup target forcibly.
+- **disabled**. This option instructs Longhorn no restoring recurring jobs/groups should be done."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "false"
+ - variable: defaultSettings.recurringSuccessfulJobsHistoryLimit
+ label: Cronjob Successful Jobs History Limit
+ description: "This setting specifies how many successful backup or snapshot job histories should be retained. History will not be retained if the value is 0."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 1
+ - variable: defaultSettings.recurringFailedJobsHistoryLimit
+ label: Cronjob Failed Jobs History Limit
+ description: "This setting specifies how many failed backup or snapshot job histories should be retained. History will not be retained if the value is 0."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 1
+ - variable: defaultSettings.supportBundleFailedHistoryLimit
+ label: SupportBundle Failed History Limit
+ description: "This setting specifies how many failed support bundles can exist in the cluster.
+The retained failed support bundle is for analysis purposes and needs to clean up manually.
+Set this value to **0** to have Longhorn automatically purge all failed support bundles."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 1
+ - variable: defaultSettings.autoSalvage
+ label: Automatic salvage
+ description: "If enabled, volumes will be automatically salvaged when all the replicas become faulty e.g. due to network disconnection. Longhorn will try to figure out which replica(s) are usable, then use them for the volume. By default true."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "true"
+ - variable: defaultSettings.autoDeletePodWhenVolumeDetachedUnexpectedly
+ label: Automatically Delete Workload Pod when The Volume Is Detached Unexpectedly
+ description: 'If enabled, Longhorn will automatically delete the workload pod that is managed by a controller (e.g. deployment, statefulset, daemonset, etc...) when Longhorn volume is detached unexpectedly (e.g. during Kubernetes upgrade, Docker reboot, or network disconnect). By deleting the pod, its controller restarts the pod and Kubernetes handles volume reattachment and remount.
+If disabled, Longhorn will not delete the workload pod that is managed by a controller. You will have to manually restart the pod to reattach and remount the volume.
+**Note:** This setting does not apply to the workload pods that do not have a controller. Longhorn never deletes them.'
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "true"
+ - variable: defaultSettings.disableSchedulingOnCordonedNode
+ label: Disable Scheduling On Cordoned Node
+ description: "Disable Longhorn manager to schedule replica on Kubernetes cordoned node. By default true."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "true"
+ - variable: defaultSettings.replicaZoneSoftAntiAffinity
+ label: Replica Zone Level Soft Anti-Affinity
+ description: "Allow scheduling new Replicas of Volume to the Nodes in the same Zone as existing healthy Replicas. Nodes don't belong to any Zone will be treated as in the same Zone. 
Notice that Longhorn relies on label `topology.kubernetes.io/zone=` in the Kubernetes node object to identify the zone. By default true."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "true"
+ - variable: defaultSettings.nodeDownPodDeletionPolicy
+ label: Pod Deletion Policy When Node is Down
+ description: "Defines the Longhorn action when a Volume is stuck with a StatefulSet/Deployment Pod on a node that is down.
+- **do-nothing** is the default Kubernetes behavior of never force deleting StatefulSet/Deployment terminating pods. Since the pod on the node that is down isn't removed, Longhorn volumes are stuck on nodes that are down.
+- **delete-statefulset-pod** Longhorn will force delete StatefulSet terminating pods on nodes that are down to release Longhorn volumes so that Kubernetes can spin up replacement pods.
+- **delete-deployment-pod** Longhorn will force delete Deployment terminating pods on nodes that are down to release Longhorn volumes so that Kubernetes can spin up replacement pods.
+- **delete-both-statefulset-and-deployment-pod** Longhorn will force delete StatefulSet/Deployment terminating pods on nodes that are down to release Longhorn volumes so that Kubernetes can spin up replacement pods."
+ group: "Longhorn Default Settings"
+ type: enum
+ options:
+ - "do-nothing"
+ - "delete-statefulset-pod"
+ - "delete-deployment-pod"
+ - "delete-both-statefulset-and-deployment-pod"
+ default: "do-nothing"
+ - variable: defaultSettings.nodeDrainPolicy
+ label: Node Drain Policy
+ description: "Define the policy to use when a node with the last healthy replica of a volume is drained.
+- **block-if-contains-last-replica** Longhorn will block the drain when the node contains the last healthy replica of a volume.
+- **allow-if-replica-is-stopped** Longhorn will allow the drain when the node contains the last healthy replica of a volume but the replica is stopped. WARNING: possible data loss if the node is removed after draining. 
Select this option if you want to drain the node and do in-place upgrade/maintenance.
+- **always-allow** Longhorn will allow the drain even though the node contains the last healthy replica of a volume. WARNING: possible data loss if the node is removed after draining. Also possible data corruption if the last replica was running during the draining."
+ group: "Longhorn Default Settings"
+ type: enum
+ options:
+ - "block-if-contains-last-replica"
+ - "allow-if-replica-is-stopped"
+ - "always-allow"
+ default: "block-if-contains-last-replica"
+ - variable: defaultSettings.replicaReplenishmentWaitInterval
+ label: Replica Replenishment Wait Interval
+ description: "In seconds. The interval determines how long Longhorn will wait at least in order to reuse the existing data on a failed replica rather than directly creating a new replica for a degraded volume.
+Warning: This option works only when there is a failed replica in the volume. And this option may block the rebuilding for a while in the case."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 600
+ - variable: defaultSettings.concurrentReplicaRebuildPerNodeLimit
+ label: Concurrent Replica Rebuild Per Node Limit
+ description: "This setting controls how many replicas on a node can be rebuilt simultaneously.
+Typically, Longhorn can block the replica starting once the current rebuilding count on a node exceeds the limit. But when the value is 0, it means disabling the replica rebuilding.
+WARNING:
+- The old setting \"Disable Replica Rebuild\" is replaced by this setting.
+- Different from relying on replica starting delay to limit the concurrent rebuilding, if the rebuilding is disabled, replica object replenishment will be directly skipped.
+- When the value is 0, the eviction and data locality feature won't work. But this shouldn't have any impact to any current replica rebuild and backup restore."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 5
+ - variable: defaultSettings.concurrentVolumeBackupRestorePerNodeLimit
+ label: Concurrent Volume Backup Restore Per Node Limit
+ description: "This setting controls how many volumes on a node can restore the backup concurrently.
+Longhorn blocks the backup restore once the restoring volume count exceeds the limit.
+Set the value to **0** to disable backup restore."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 5
+ - variable: defaultSettings.disableRevisionCounter
+ label: Disable Revision Counter
+ description: "This setting is only for volumes created by UI. By default, this is false meaning there will be a reivision counter file to track every write to the volume. During salvage recovering Longhorn will pick the replica with largest reivision counter as candidate to recover the whole volume. If revision counter is disabled, Longhorn will not track every write to the volume. During the salvage recovering, Longhorn will use the 'volume-head-xxx.img' file last modification time and file size to pick the replica candidate to recover the whole volume."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "false"
+ - variable: defaultSettings.systemManagedPodsImagePullPolicy
+ label: System Managed Pod Image Pull Policy
+ description: "This setting defines the Image Pull Policy of Longhorn system managed pods, e.g. instance manager, engine image, CSI driver, etc. The new Image Pull Policy will only apply after the system managed pods restart."
+ group: "Longhorn Default Settings"
+ type: enum
+ options:
+ - "if-not-present"
+ - "always"
+ - "never"
+ default: "if-not-present"
+ - variable: defaultSettings.allowVolumeCreationWithDegradedAvailability
+ label: Allow Volume Creation with Degraded Availability
+ description: "This setting allows user to create and attach a volume that doesn't have all the replicas scheduled at the time of creation."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "true"
+ - variable: defaultSettings.autoCleanupSystemGeneratedSnapshot
+ label: Automatically Cleanup System Generated Snapshot
+ description: "This setting enables Longhorn to automatically cleanup the system generated snapshot after replica rebuild is done."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "true"
+ - variable: defaultSettings.concurrentAutomaticEngineUpgradePerNodeLimit
+ label: Concurrent Automatic Engine Upgrade Per Node Limit
+ description: "This setting controls how Longhorn automatically upgrades volumes' engines to the new default engine image after upgrading Longhorn manager. The value of this setting specifies the maximum number of engines per node that are allowed to upgrade to the default engine image at the same time. If the value is 0, Longhorn will not automatically upgrade volumes' engines to default version."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 0
+ - variable: defaultSettings.backingImageCleanupWaitInterval
+ label: Backing Image Cleanup Wait Interval
+ description: "This interval in minutes determines how long Longhorn will wait before cleaning up the backing image file when there is no replica in the disk using it."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 60
+ - variable: defaultSettings.backingImageRecoveryWaitInterval
+ label: Backing Image Recovery Wait Interval
+ description: "This interval in seconds determines how long Longhorn will wait before re-downloading the backing image file when all disk files of this backing image become failed or unknown.
+ WARNING:
+ - This recovery only works for the backing image of which the creation type is \"download\".
+ - File state \"unknown\" means the related manager pods on the pod is not running or the node itself is down/disconnected."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ default: 300
+ - variable: defaultSettings.guaranteedInstanceManagerCPU
+ label: Guaranteed Instance Manager CPU
+ description: "This integer value indicates how many percentage of the total allocatable CPU on each node will be reserved for each instance manager Pod. For example, 10 means 10% of the total CPU on a node will be allocated to each instance manager pod on this node. This will help maintain engine and replica stability during high node workload.
+ In order to prevent unexpected volume instance (engine/replica) crash as well as guarantee a relative acceptable IO performance, you can use the following formula to calculate a value for this setting:
+ `Guaranteed Instance Manager CPU = The estimated max Longhorn volume engine and replica count on a node * 0.1 / The total allocatable CPUs on the node * 100`
+ The result of above calculation doesn't mean that's the maximum CPU resources the Longhorn workloads require. To fully exploit the Longhorn volume I/O performance, you can allocate/guarantee more CPU resources via this setting.
+ If it's hard to estimate the usage now, you can leave it with the default value, which is 12%. Then you can tune it when there is no running workload using Longhorn volumes.
+ WARNING:
+ - Value 0 means unsetting CPU requests for instance manager pods.
+ - Considering the possible new instance manager pods in the further system upgrade, this integer value is range from 0 to 40.
+ - One more set of instance manager pods may need to be deployed when the Longhorn system is upgraded. If current available CPUs of the nodes are not enough for the new instance manager pods, you need to detach the volumes using the oldest instance manager pods so that Longhorn can clean up the old pods automatically and release the CPU resources. And the new pods with the latest instance manager image will be launched then.
+ - This global setting will be ignored for a node if the field \"InstanceManagerCPURequest\" on the node is set.
+ - After this setting is changed, all instance manager pods using this global setting on all the nodes will be automatically restarted. In other words, DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES."
+ group: "Longhorn Default Settings"
+ type: int
+ min: 0
+ max: 40
+ default: 12
+ - variable: defaultSettings.logLevel
+ label: Log Level
+ description: "The log level Panic, Fatal, Error, Warn, Info, Debug, Trace used in longhorn manager. By default Debug."
+ group: "Longhorn Default Settings"
+ type: string
+ default: "Info"
+- variable: defaultSettings.kubernetesClusterAutoscalerEnabled
+ label: Kubernetes Cluster Autoscaler Enabled (Experimental)
+ description: "Enabling this setting will notify Longhorn that the cluster is using Kubernetes Cluster Autoscaler.
+ Longhorn prevents data loss by only allowing the Cluster Autoscaler to scale down a node that met all conditions:
+ - No volume attached to the node.
+ - Is not the last node containing the replica of any volume.
+ - Is not running backing image components pod.
+ - Is not running share manager components pod."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: false
+- variable: defaultSettings.orphanAutoDeletion
+ label: Orphaned Data Cleanup
+ description: "This setting allows Longhorn to delete the orphan resource and its corresponding orphaned data automatically like stale replicas. Orphan resources on down or unknown nodes will not be cleaned up automatically."
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: false
+- variable: defaultSettings.storageNetwork
+ label: Storage Network
+ description: "Longhorn uses the storage network for in-cluster data traffic. Leave this blank to use the Kubernetes cluster network.
+ To segregate the storage network, input the pre-existing NetworkAttachmentDefinition in \"/\" format.
+ WARNING:
+ - The cluster must have pre-existing Multus installed, and NetworkAttachmentDefinition IPs are reachable between nodes.
+ - DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES. Longhorn will try to block this setting update when there are attached volumes.
+ - When applying the setting, Longhorn will restart all manager, instance-manager, and backing-image-manager pods."
+ group: "Longhorn Default Settings"
+ type: string
+ default:
+- variable: defaultSettings.deletingConfirmationFlag
+ label: Deleting Confirmation Flag
+ description: "This flag is designed to prevent Longhorn from being accidentally uninstalled which will lead to data lost.
+ Set this flag to **true** to allow Longhorn uninstallation.
+ If this flag **false**, Longhorn uninstallation job will fail. "
+ group: "Longhorn Default Settings"
+ type: boolean
+ default: "false"
+- variable: defaultSettings.engineReplicaTimeout
+ label: Timeout between Engine and Replica
+ description: "In seconds. The setting specifies the timeout between the engine and replica(s), and the value should be between 8 to 30 seconds. The default value is 8 seconds."
+ group: "Longhorn Default Settings"
+ type: int
+ default: "8"
+- variable: defaultSettings.snapshotDataIntegrity
+ label: Snapshot Data Integrity
+ description: "This setting allows users to enable or disable snapshot hashing and data integrity checking.
+ Available options are
+ - **disabled**: Disable snapshot disk file hashing and data integrity checking.
+ - **enabled**: Enables periodic snapshot disk file hashing and data integrity checking. To detect the filesystem-unaware corruption caused by bit rot or other issues in snapshot disk files, Longhorn system periodically hashes files and finds corrupted ones. Hence, the system performance will be impacted during the periodical checking.
+ - **fast-check**: Enable snapshot disk file hashing and fast data integrity checking.
Longhorn system only hashes snapshot disk files if their are not hashed or the modification time are changed. In this mode, filesystem-unaware corruption cannot be detected, but the impact on system performance can be minimized." + group: "Longhorn Default Settings" + type: string + default: "disabled" +- variable: defaultSettings.snapshotDataIntegrityImmediateCheckAfterSnapshotCreation + label: Immediate Snapshot Data Integrity Check After Creating a Snapshot + description: "Hashing snapshot disk files impacts the performance of the system. The immediate snapshot hashing and checking can be disabled to minimize the impact after creating a snapshot." + group: "Longhorn Default Settings" + type: boolean + default: "false" +- variable: defaultSettings.snapshotDataIntegrityCronjob + label: Snapshot Data Integrity Check CronJob + description: "Unix-cron string format. The setting specifies when Longhorn checks the data integrity of snapshot disk files. + Warning: Hashing snapshot disk files impacts the performance of the system. It is recommended to run data integrity checks during off-peak times and to reduce the frequency of checks." 
+ group: "Longhorn Default Settings" + type: string + default: "0 0 */7 * *" +- variable: defaultSettings.removeSnapshotsDuringFilesystemTrim + label: Remove Snapshots During Filesystem Trim + description: "This setting allows Longhorn filesystem trim feature to automatically mark the latest snapshot and its ancestors as removed and stops at the snapshot containing multiple children.\n\n + Since Longhorn filesystem trim feature can be applied to the volume head and the followed continuous removed or system snapshots only.\n\n + Notice that trying to trim a removed files from a valid snapshot will do nothing but the filesystem will discard this kind of in-memory trimmable file info.\n\n + Later on if you mark the snapshot as removed and want to retry the trim, you may need to unmount and remount the filesystem so that the filesystem can recollect the trimmable file info." + group: "Longhorn Default Settings" + type: boolean + default: "false" +- variable: defaultSettings.fastReplicaRebuildEnabled + label: Fast Replica Rebuild Enabled + description: "This feature supports the fast replica rebuilding. It relies on the checksum of snapshot disk files, so setting the snapshot-data-integrity to **enable** or **fast-check** is a prerequisite." + group: "Longhorn Default Settings" + type: boolean + default: false +- variable: defaultSettings.replicaFileSyncHttpClientTimeout + label: Timeout of HTTP Client to Replica File Sync Server + description: "In seconds. The setting specifies the HTTP client timeout to the file sync server." + group: "Longhorn Default Settings" + type: int + default: "30" +- variable: defaultSettings.backupCompressionMethod + label: Backup Compression Method + description: "This setting allows users to specify backup compression method. + Available options are + - **none**: Disable the compression method. Suitable for multimedia data such as encoded images and videos. + - **lz4**: Fast compression method. Suitable for flat files. 
+ - **gzip**: A bit of higher compression ratio but relatively slow." + group: "Longhorn Default Settings" + type: string + default: "lz4" +- variable: defaultSettings.backupConcurrentLimit + label: Backup Concurrent Limit Per Backup + description: "This setting controls how many worker threads per backup concurrently." + group: "Longhorn Default Settings" + type: int + min: 1 + default: 2 +- variable: defaultSettings.restoreConcurrentLimit + label: Restore Concurrent Limit Per Backup + description: "This setting controls how many worker threads per restore concurrently." + group: "Longhorn Default Settings" + type: int + min: 1 + default: 2 +- variable: defaultSettings.v2DataEngine + label: V2 Data Engine + description: "This allows users to activate v2 data engine based on SPDK. Currently, it is in the preview phase and should not be utilized in a production environment. + WARNING: + - DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES. Longhorn will block this setting update when there are attached volumes. + - When applying the setting, Longhorn will restart all instance-manager pods. + - When the V2 Data Engine is enabled, each instance-manager pod utilizes 1 CPU core. This high CPU usage is attributed to the spdk_tgt process running within each instance-manager pod. The spdk_tgt process is responsible for handling input/output (IO) operations and requires intensive polling. As a result, it consumes 100% of a dedicated CPU core to efficiently manage and process the IO requests, ensuring optimal performance and responsiveness for storage operations." + group: "Longhorn V2 Data Engine (Preview Feature) Settings" + type: boolean + default: false +- variable: defaultSettings.offlineReplicaRebuilding + label: Offline Replica Rebuilding + description: "This setting allows users to enable the offline replica rebuilding for volumes using v2 data engine." 
+ group: "Longhorn V2 Data Engine (Preview Feature) Settings" + required: true + type: enum + options: + - "enabled" + - "disabled" + default: "enabled" +- variable: persistence.defaultClass + default: "true" + description: "Set as default StorageClass for Longhorn" + label: Default Storage Class + group: "Longhorn Storage Class Settings" + required: true + type: boolean +- variable: persistence.reclaimPolicy + label: Storage Class Retain Policy + description: "Define reclaim policy (Retain or Delete)" + group: "Longhorn Storage Class Settings" + required: true + type: enum + options: + - "Delete" + - "Retain" + default: "Delete" +- variable: persistence.defaultClassReplicaCount + description: "Set replica count for Longhorn StorageClass" + label: Default Storage Class Replica Count + group: "Longhorn Storage Class Settings" + type: int + min: 1 + max: 10 + default: 3 +- variable: persistence.defaultDataLocality + description: "Set data locality for Longhorn StorageClass" + label: Default Storage Class Data Locality + group: "Longhorn Storage Class Settings" + type: enum + options: + - "disabled" + - "best-effort" + default: "disabled" +- variable: persistence.recurringJobSelector.enable + description: "Enable recurring job selector for Longhorn StorageClass" + group: "Longhorn Storage Class Settings" + label: Enable Storage Class Recurring Job Selector + type: boolean + default: false + show_subquestion_if: true + subquestions: + - variable: persistence.recurringJobSelector.jobList + description: 'Recurring job selector list for Longhorn StorageClass. Please be careful of quotes of input. 
e.g., [{"name":"backup", "isGroup":true}]' + label: Storage Class Recurring Job Selector List + group: "Longhorn Storage Class Settings" + type: string + default: +- variable: persistence.defaultNodeSelector.enable + description: "Enable Node selector for Longhorn StorageClass" + group: "Longhorn Storage Class Settings" + label: Enable Storage Class Node Selector + type: boolean + default: false + show_subquestion_if: true + subquestions: + - variable: persistence.defaultNodeSelector.selector + label: Storage Class Node Selector + description: 'We use NodeSelector when we want to bind PVC via StorageClass into desired mountpoint on the nodes tagged with its value' + group: "Longhorn Storage Class Settings" + type: string + default: +- variable: persistence.backingImage.enable + description: "Set backing image for Longhorn StorageClass" + group: "Longhorn Storage Class Settings" + label: Default Storage Class Backing Image + type: boolean + default: false + show_subquestion_if: true + subquestions: + - variable: persistence.backingImage.name + description: 'Specify a backing image that will be used by Longhorn volumes in Longhorn StorageClass. If not exists, the backing image data source type and backing image data source parameters should be specified so that Longhorn will create the backing image before using it.' + label: Storage Class Backing Image Name + group: "Longhorn Storage Class Settings" + type: string + default: + - variable: persistence.backingImage.expectedChecksum + description: 'Specify the expected SHA512 checksum of the selected backing image in Longhorn StorageClass. + WARNING: + - If the backing image name is not specified, setting this field is meaningless. + - It is not recommended to set this field if the data source type is \"export-from-volume\".' 
+ label: Storage Class Backing Image Expected SHA512 Checksum + group: "Longhorn Storage Class Settings" + type: string + default: + - variable: persistence.backingImage.dataSourceType + description: 'Specify the data source type for the backing image used in Longhorn StorageClass. + If the backing image does not exists, Longhorn will use this field to create a backing image. Otherwise, Longhorn will use it to verify the selected backing image. + WARNING: + - If the backing image name is not specified, setting this field is meaningless. + - As for backing image creation with data source type \"upload\", it is recommended to do it via UI rather than StorageClass here. Uploading requires file data sending to the Longhorn backend after the object creation, which is complicated if you want to handle it manually.' + label: Storage Class Backing Image Data Source Type + group: "Longhorn Storage Class Settings" + type: enum + options: + - "" + - "download" + - "upload" + - "export-from-volume" + default: "" + - variable: persistence.backingImage.dataSourceParameters + description: "Specify the data source parameters for the backing image used in Longhorn StorageClass. + If the backing image does not exists, Longhorn will use this field to create a backing image. Otherwise, Longhorn will use it to verify the selected backing image. + This option accepts a json string of a map. e.g., '{\"url\":\"https://backing-image-example.s3-region.amazonaws.com/test-backing-image\"}'. + WARNING: + - If the backing image name is not specified, setting this field is meaningless. + - Be careful of the quotes here." 
+ label: Storage Class Backing Image Data Source Parameters + group: "Longhorn Storage Class Settings" + type: string + default: +- variable: persistence.removeSnapshotsDuringFilesystemTrim + description: "Allow automatically removing snapshots during filesystem trim for Longhorn StorageClass" + label: Default Storage Class Remove Snapshots During Filesystem Trim + group: "Longhorn Storage Class Settings" + type: enum + options: + - "ignored" + - "enabled" + - "disabled" + default: "ignored" +- variable: ingress.enabled + default: "false" + description: "Expose app using Layer 7 Load Balancer - ingress" + type: boolean + group: "Services and Load Balancing" + label: Expose app using Layer 7 Load Balancer + show_subquestion_if: true + subquestions: + - variable: ingress.host + default: "xip.io" + description: "layer 7 Load Balancer hostname" + type: hostname + required: true + label: Layer 7 Load Balancer Hostname + - variable: ingress.path + default: "/" + description: "If ingress is enabled you can set the default ingress path" + type: string + required: true + label: Ingress Path +- variable: service.ui.type + default: "Rancher-Proxy" + description: "Define Longhorn UI service type" + type: enum + options: + - "ClusterIP" + - "NodePort" + - "LoadBalancer" + - "Rancher-Proxy" + label: Longhorn UI Service + show_if: "ingress.enabled=false" + group: "Services and Load Balancing" + show_subquestion_if: "NodePort" + subquestions: + - variable: service.ui.nodePort + default: "" + description: "NodePort port number(to set explicitly, choose port between 30000-32767)" + type: int + min: 30000 + max: 32767 + show_if: "service.ui.type=NodePort||service.ui.type=LoadBalancer" + label: UI Service NodePort number +- variable: enablePSP + default: "false" + description: "Setup a pod security policy for Longhorn workloads." 
+ label: Pod Security Policy
+ type: boolean
+ group: "Other Settings"
+- variable: global.cattle.windowsCluster.enabled
+ default: "false"
+ description: "Enable this to allow Longhorn to run on the Rancher deployed Windows cluster."
+ label: Rancher Windows Cluster
+ type: boolean
+ group: "Other Settings"
+- variable: networkPolicies.enabled
+ description: "Enable NetworkPolicies to limit access to the longhorn pods.
+ Warning: The Rancher Proxy will not work if this feature is enabled and a custom NetworkPolicy must be added."
+ group: "Other Settings"
+ label: Network Policies
+ default: "false"
+ type: boolean
+ subquestions:
+ - variable: networkPolicies.type
+ label: Network Policies for Ingress
+ description: "Create the policy to allow access for the ingress, select the distribution."
+ show_if: "networkPolicies.enabled=true&&ingress.enabled=true"
+ type: enum
+ default: "rke2"
+ options:
+ - "rke1"
+ - "rke2"
+ - "k3s"
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/NOTES.txt b/charts/longhorn/102.3.1+up1.5.3/templates/NOTES.txt
new file mode 100644
index 0000000000..cca7cd77b9
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Longhorn is now installed on the cluster!
+
+Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.
+
+Visit our documentation at https://longhorn.io/docs/
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/_helpers.tpl b/charts/longhorn/102.3.1+up1.5.3/templates/_helpers.tpl
new file mode 100644
index 0000000000..3fbc2ac02f
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/_helpers.tpl
@@ -0,0 +1,66 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "longhorn.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "longhorn.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{- define "longhorn.managerIP" -}}
+{{- $fullname := (include "longhorn.fullname" .) -}}
+{{- printf "http://%s-backend:9500" $fullname | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{- define "secret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.privateRegistry.registryUrl (printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registryPasswd | b64enc) | b64enc }}
+{{- end }}
+
+{{- /*
+longhorn.labels generates the standard Helm labels.
+*/ -}}
+{{- define "longhorn.labels" -}}
+app.kubernetes.io/name: {{ template "longhorn.name" . }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end -}}
+
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "registry_url" -}}
+{{- if .Values.privateRegistry.registryUrl -}}
+{{- printf "%s/" .Values.privateRegistry.registryUrl -}}
+{{- else -}}
+{{ include "system_default_registry" . }}
+{{- end -}}
+{{- end -}}
+
+{{- /*
+ define the longhorn release namespace
+*/ -}}
+{{- define "release_namespace" -}}
+{{- if .Values.namespaceOverride -}}
+{{- .Values.namespaceOverride -}}
+{{- else -}}
+{{- .Release.Namespace -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/clusterrole.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/clusterrole.yaml
new file mode 100644
index 0000000000..e652a34033
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/clusterrole.yaml
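Review bot: The `secret` helper in templates/_helpers.tpl assembles the registry auth JSON with `printf` and no escaping, so a `privateRegistry.registryUrl` containing a double quote or backslash produces an invalid or differently structured document; the user and password are base64-encoded before interpolation, so only the URL is inserted raw. Building the object and serialising it avoids that: `{{- $auth := printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registryPasswd | b64enc }}` followed by `{{- dict "auths" (dict .Values.privateRegistry.registryUrl (dict "auth" $auth)) | toJson | b64enc }}`. Separately, `longhorn.managerIP` applies `trunc 63` to the whole URL rather than to the name, so a long release name would cut into the `:9500` port.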
@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: longhorn-role
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - "*"
+- apiGroups: [""]
+ resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims","persistentvolumeclaims/status", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps", "serviceaccounts"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+- apiGroups: ["apps"]
+ resources: ["daemonsets", "statefulsets", "deployments"]
+ verbs: ["*"]
+- apiGroups: ["batch"]
+ resources: ["jobs", "cronjobs"]
+ verbs: ["*"]
+- apiGroups: ["policy"]
+ resources: ["poddisruptionbudgets", "podsecuritypolicies"]
+ verbs: ["*"]
+- apiGroups: ["scheduling.k8s.io"]
+ resources: ["priorityclasses"]
+ verbs: ["watch", "list"]
+- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses", "volumeattachments", "volumeattachments/status", "csinodes", "csidrivers"]
+ verbs: ["*"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses", "volumesnapshots", "volumesnapshotcontents", "volumesnapshotcontents/status"]
+ verbs: ["*"]
+- apiGroups: ["longhorn.io"]
+ resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings",
+ "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status",
+ "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status",
+ "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status",
+ "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status",
+ "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status",
+ "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status",
+ "volumeattachments", "volumeattachments/status"]
+ verbs: ["*"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["*"]
+- apiGroups: ["metrics.k8s.io"]
+ resources: ["pods", "nodes"]
+ verbs: ["get", "list"]
+- apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+ verbs: ["get", "list", "create", "patch", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "rolebindings", "clusterrolebindings", "clusterroles"]
+ verbs: ["*"]
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/clusterrolebinding.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..8ab944b238
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/clusterrolebinding.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: longhorn-bind
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: longhorn-role
+subjects:
+- kind: ServiceAccount
+ name: longhorn-service-account
+ namespace: {{ include "release_namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: longhorn-support-bundle
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: longhorn-support-bundle
+ namespace: {{ include "release_namespace" . }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/daemonset-sa.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/daemonset-sa.yaml
new file mode 100644
index 0000000000..f361d27340
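Review bot: The `longhorn-role` ClusterRole in templates/clusterrole.yaml grants `verbs: ["*"]` cluster-wide on core `secrets` and on the `rbac.authorization.k8s.io` resources `roles`, `rolebindings`, `clusterrolebindings` and `clusterroles`. A wildcard on the RBAC resources includes the `bind` and `escalate` verbs, so whatever runs as the bound service account can extend its own rights, and the wildcard on secrets covers every namespace. If the manager needs write access there (the diff does not show why), list the verbs explicitly on the last rule, for example `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, and add a comment above each broad rule naming the component that requires it. The `policy` rule's `*` on `podsecuritypolicies` deserves the same treatment.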
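Review bot: The second ClusterRoleBinding in templates/clusterrolebinding.yaml binds the `longhorn-support-bundle` service account to the built-in `cluster-admin` role, and nothing in the template makes it conditional. A diagnostics component therefore holds full control of the cluster for as long as the chart is installed, whether or not a support bundle is ever generated. Consider shipping a dedicated ClusterRole limited to `get`/`list` on the resources the bundle collects and pointing `roleRef` at it, or at least add a comment above `name: cluster-admin` stating why that level of access is required.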
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/daemonset-sa.yaml
@@ -0,0 +1,151 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-manager
+ name: longhorn-manager
+ namespace: {{ include "release_namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: longhorn-manager
+ template:
+ metadata:
+ labels: {{- include "longhorn.labels" . | nindent 8 }}
+ app: longhorn-manager
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ containers:
+ - name: longhorn-manager
+ image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ privileged: true
+ command:
+ - longhorn-manager
+ - -d
+ {{- if eq .Values.longhornManager.log.format "json" }}
+ - -j
+ {{- end }}
+ - daemon
+ - --engine-image
+ - "{{ template "registry_url" . }}{{ .Values.image.longhorn.engine.repository }}:{{ .Values.image.longhorn.engine.tag }}"
+ - --instance-manager-image
+ - "{{ template "registry_url" . }}{{ .Values.image.longhorn.instanceManager.repository }}:{{ .Values.image.longhorn.instanceManager.tag }}"
+ - --share-manager-image
+ - "{{ template "registry_url" . }}{{ .Values.image.longhorn.shareManager.repository }}:{{ .Values.image.longhorn.shareManager.tag }}"
+ - --backing-image-manager-image
+ - "{{ template "registry_url" . }}{{ .Values.image.longhorn.backingImageManager.repository }}:{{ .Values.image.longhorn.backingImageManager.tag }}"
+ - --support-bundle-manager-image
+ - "{{ template "registry_url" . }}{{ .Values.image.longhorn.supportBundleKit.repository }}:{{ .Values.image.longhorn.supportBundleKit.tag }}"
+ - --manager-image
+ - "{{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}"
+ - --service-account
+ - longhorn-service-account
+ ports:
+ - containerPort: 9500
+ name: manager
+ - containerPort: 9501
+ name: conversion-wh
+ - containerPort: 9502
+ name: admission-wh
+ - containerPort: 9503
+ name: recov-backend
+ readinessProbe:
+ httpGet:
+ path: /v1/healthz
+ port: 9501
+ scheme: HTTPS
+ volumeMounts:
+ - name: dev
+ mountPath: /host/dev/
+ - name: proc
+ mountPath: /host/proc/
+ - name: longhorn
+ mountPath: /var/lib/longhorn/
+ mountPropagation: Bidirectional
+ - name: longhorn-grpc-tls
+ mountPath: /tls-files/
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumes:
+ - name: dev
+ hostPath:
+ path: /dev/
+ - name: proc
+ hostPath:
+ path: /proc/
+ - name: longhorn
+ hostPath:
+ path: /var/lib/longhorn/
+ - name: longhorn-grpc-tls
+ secret:
+ secretName: longhorn-grpc-tls
+ optional: true
+ {{- if .Values.privateRegistry.registrySecret }}
+ imagePullSecrets:
+ - name: {{ .Values.privateRegistry.registrySecret }}
+ {{- end }}
+ {{- if .Values.longhornManager.priorityClass }}
+ priorityClassName: {{ .Values.longhornManager.priorityClass | quote }}
+ {{- end }}
+ {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }}
+ tolerations:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }}
+{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }}
+ {{- end }}
+ {{- if .Values.longhornManager.tolerations }}
+{{ toYaml .Values.longhornManager.tolerations | indent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }}
+ nodeSelector:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }}
+{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.longhornManager.nodeSelector }}
+{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: longhorn-service-account
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: "100%"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-manager
+ name: longhorn-backend
+ namespace: {{ include "release_namespace" . }}
+ {{- if .Values.longhornManager.serviceAnnotations }}
+ annotations:
+{{ toYaml .Values.longhornManager.serviceAnnotations | indent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.manager.type }}
+ sessionAffinity: ClientIP
+ selector:
+ app: longhorn-manager
+ ports:
+ - name: manager
+ port: 9500
+ targetPort: manager
+ {{- if .Values.service.manager.nodePort }}
+ nodePort: {{ .Values.service.manager.nodePort }}
+ {{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/default-setting.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/default-setting.yaml
new file mode 100644
index 0000000000..ac38ba958a
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/default-setting.yaml
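Review bot: The longhorn-manager container in templates/daemonset-sa.yaml runs with `privileged: true` and mounts the host's `/dev/` and `/proc/` plus `/var/lib/longhorn/` with `mountPropagation: Bidirectional`, and no comment says which of these the storage path actually needs. Because the pod also runs as `longhorn-service-account`, a compromise of this container amounts to a compromise of the node plus whatever that account's role permits. I would add a comment above `securityContext:` along the lines of `# privileged: required for <reason, to be supplied by the chart owner>` so later reviewers can tell a requirement from a default. The Service in the same file also publishes port 9500 on every node when `service.manager.nodePort` is set; the `longhorn.managerIP` helper builds an `http://` URL for that port, so the traffic is presumably unencrypted and the values documentation should say so.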
@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: longhorn-default-setting
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+data:
+ default-setting.yaml: |-
+ {{ if not (kindIs "invalid" .Values.defaultSettings.backupTarget) }}backup-target: {{ .Values.defaultSettings.backupTarget }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.backupTargetCredentialSecret) }}backup-target-credential-secret: {{ .Values.defaultSettings.backupTargetCredentialSecret }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.allowRecurringJobWhileVolumeDetached) }}allow-recurring-job-while-volume-detached: {{ .Values.defaultSettings.allowRecurringJobWhileVolumeDetached }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.createDefaultDiskLabeledNodes) }}create-default-disk-labeled-nodes: {{ .Values.defaultSettings.createDefaultDiskLabeledNodes }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.defaultDataPath) }}default-data-path: {{ .Values.defaultSettings.defaultDataPath }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.replicaSoftAntiAffinity) }}replica-soft-anti-affinity: {{ .Values.defaultSettings.replicaSoftAntiAffinity }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.replicaAutoBalance) }}replica-auto-balance: {{ .Values.defaultSettings.replicaAutoBalance }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.storageOverProvisioningPercentage) }}storage-over-provisioning-percentage: {{ .Values.defaultSettings.storageOverProvisioningPercentage }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.storageMinimalAvailablePercentage) }}storage-minimal-available-percentage: {{ .Values.defaultSettings.storageMinimalAvailablePercentage }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.storageReservedPercentageForDefaultDisk) }}storage-reserved-percentage-for-default-disk: {{ .Values.defaultSettings.storageReservedPercentageForDefaultDisk }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.upgradeChecker) }}upgrade-checker: {{ .Values.defaultSettings.upgradeChecker }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.defaultReplicaCount) }}default-replica-count: {{ .Values.defaultSettings.defaultReplicaCount }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.defaultDataLocality) }}default-data-locality: {{ .Values.defaultSettings.defaultDataLocality }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.defaultLonghornStaticStorageClass) }}default-longhorn-static-storage-class: {{ .Values.defaultSettings.defaultLonghornStaticStorageClass }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.backupstorePollInterval) }}backupstore-poll-interval: {{ .Values.defaultSettings.backupstorePollInterval }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.failedBackupTTL) }}failed-backup-ttl: {{ .Values.defaultSettings.failedBackupTTL }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.restoreVolumeRecurringJobs) }}restore-volume-recurring-jobs: {{ .Values.defaultSettings.restoreVolumeRecurringJobs }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.recurringSuccessfulJobsHistoryLimit) }}recurring-successful-jobs-history-limit: {{ .Values.defaultSettings.recurringSuccessfulJobsHistoryLimit }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.recurringFailedJobsHistoryLimit) }}recurring-failed-jobs-history-limit: {{ .Values.defaultSettings.recurringFailedJobsHistoryLimit }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.supportBundleFailedHistoryLimit) }}support-bundle-failed-history-limit: {{ .Values.defaultSettings.supportBundleFailedHistoryLimit }}{{ end }}
+ {{- if or (not (kindIs "invalid" .Values.defaultSettings.taintToleration)) (.Values.global.cattle.windowsCluster.enabled) }}
+ taint-toleration: {{ $windowsDefaultSettingTaintToleration := list }}{{ $defaultSettingTaintToleration := list -}}
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.defaultSetting.taintToleration -}}
+ {{- $windowsDefaultSettingTaintToleration = .Values.global.cattle.windowsCluster.defaultSetting.taintToleration -}}
+ {{- end -}}
+ {{- if not (kindIs "invalid" .Values.defaultSettings.taintToleration) -}}
+ {{- $defaultSettingTaintToleration = .Values.defaultSettings.taintToleration -}}
+ {{- end -}}
+ {{- $taintToleration := list $windowsDefaultSettingTaintToleration $defaultSettingTaintToleration }}{{ join ";" (compact $taintToleration) -}}
+ {{- end }}
+ {{- if or (not (kindIs "invalid" .Values.defaultSettings.systemManagedComponentsNodeSelector)) (.Values.global.cattle.windowsCluster.enabled) }}
+ system-managed-components-node-selector: {{ $windowsDefaultSettingNodeSelector := list }}{{ $defaultSettingNodeSelector := list -}}
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.defaultSetting.systemManagedComponentsNodeSelector -}}
+ {{ $windowsDefaultSettingNodeSelector = .Values.global.cattle.windowsCluster.defaultSetting.systemManagedComponentsNodeSelector -}}
+ {{- end -}}
+ {{- if not (kindIs "invalid" .Values.defaultSettings.systemManagedComponentsNodeSelector) -}}
+ {{- $defaultSettingNodeSelector = .Values.defaultSettings.systemManagedComponentsNodeSelector -}}
+ {{- end -}}
+ {{- $nodeSelector := list $windowsDefaultSettingNodeSelector $defaultSettingNodeSelector }}{{ join ";" (compact $nodeSelector) -}}
+ {{- end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.priorityClass) }}priority-class: {{ .Values.defaultSettings.priorityClass }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.autoSalvage) }}auto-salvage: {{ .Values.defaultSettings.autoSalvage }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.autoDeletePodWhenVolumeDetachedUnexpectedly) }}auto-delete-pod-when-volume-detached-unexpectedly: {{ .Values.defaultSettings.autoDeletePodWhenVolumeDetachedUnexpectedly }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.disableSchedulingOnCordonedNode) }}disable-scheduling-on-cordoned-node: {{ .Values.defaultSettings.disableSchedulingOnCordonedNode }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.replicaZoneSoftAntiAffinity) }}replica-zone-soft-anti-affinity: {{ .Values.defaultSettings.replicaZoneSoftAntiAffinity }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.nodeDownPodDeletionPolicy) }}node-down-pod-deletion-policy: {{ .Values.defaultSettings.nodeDownPodDeletionPolicy }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.nodeDrainPolicy) }}node-drain-policy: {{ .Values.defaultSettings.nodeDrainPolicy }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.replicaReplenishmentWaitInterval) }}replica-replenishment-wait-interval: {{ .Values.defaultSettings.replicaReplenishmentWaitInterval }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.concurrentReplicaRebuildPerNodeLimit) }}concurrent-replica-rebuild-per-node-limit: {{ .Values.defaultSettings.concurrentReplicaRebuildPerNodeLimit }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.concurrentVolumeBackupRestorePerNodeLimit) }}concurrent-volume-backup-restore-per-node-limit: {{ .Values.defaultSettings.concurrentVolumeBackupRestorePerNodeLimit }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.disableRevisionCounter) }}disable-revision-counter: {{ .Values.defaultSettings.disableRevisionCounter }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.systemManagedPodsImagePullPolicy) }}system-managed-pods-image-pull-policy: {{ .Values.defaultSettings.systemManagedPodsImagePullPolicy }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.allowVolumeCreationWithDegradedAvailability) }}allow-volume-creation-with-degraded-availability: {{ .Values.defaultSettings.allowVolumeCreationWithDegradedAvailability }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.autoCleanupSystemGeneratedSnapshot) }}auto-cleanup-system-generated-snapshot: {{ .Values.defaultSettings.autoCleanupSystemGeneratedSnapshot }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.concurrentAutomaticEngineUpgradePerNodeLimit) }}concurrent-automatic-engine-upgrade-per-node-limit: {{ .Values.defaultSettings.concurrentAutomaticEngineUpgradePerNodeLimit }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.backingImageCleanupWaitInterval) }}backing-image-cleanup-wait-interval: {{ .Values.defaultSettings.backingImageCleanupWaitInterval }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.backingImageRecoveryWaitInterval) }}backing-image-recovery-wait-interval: {{ .Values.defaultSettings.backingImageRecoveryWaitInterval }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.guaranteedInstanceManagerCPU) }}guaranteed-instance-manager-cpu: {{ .Values.defaultSettings.guaranteedInstanceManagerCPU }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.kubernetesClusterAutoscalerEnabled) }}kubernetes-cluster-autoscaler-enabled: {{ .Values.defaultSettings.kubernetesClusterAutoscalerEnabled }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.orphanAutoDeletion) }}orphan-auto-deletion: {{ .Values.defaultSettings.orphanAutoDeletion }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.storageNetwork) }}storage-network: {{ .Values.defaultSettings.storageNetwork }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.deletingConfirmationFlag) }}deleting-confirmation-flag: {{ .Values.defaultSettings.deletingConfirmationFlag }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.engineReplicaTimeout) }}engine-replica-timeout: {{ .Values.defaultSettings.engineReplicaTimeout }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.snapshotDataIntegrity) }}snapshot-data-integrity: {{ .Values.defaultSettings.snapshotDataIntegrity }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.snapshotDataIntegrityImmediateCheckAfterSnapshotCreation) }}snapshot-data-integrity-immediate-check-after-snapshot-creation: {{ .Values.defaultSettings.snapshotDataIntegrityImmediateCheckAfterSnapshotCreation }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.snapshotDataIntegrityCronjob) }}snapshot-data-integrity-cronjob: {{ .Values.defaultSettings.snapshotDataIntegrityCronjob }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.removeSnapshotsDuringFilesystemTrim) }}remove-snapshots-during-filesystem-trim: {{ .Values.defaultSettings.removeSnapshotsDuringFilesystemTrim }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.fastReplicaRebuildEnabled) }}fast-replica-rebuild-enabled: {{ .Values.defaultSettings.fastReplicaRebuildEnabled }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.replicaFileSyncHttpClientTimeout) }}replica-file-sync-http-client-timeout: {{ .Values.defaultSettings.replicaFileSyncHttpClientTimeout }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.logLevel) }}log-level: {{ .Values.defaultSettings.logLevel }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.backupCompressionMethod) }}backup-compression-method: {{ .Values.defaultSettings.backupCompressionMethod }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.backupConcurrentLimit) }}backup-concurrent-limit: {{ .Values.defaultSettings.backupConcurrentLimit }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.restoreConcurrentLimit) }}restore-concurrent-limit: {{ .Values.defaultSettings.restoreConcurrentLimit }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.v2DataEngine) }}v2-data-engine: {{ .Values.defaultSettings.v2DataEngine }}{{ end }}
+ {{ if not (kindIs "invalid" .Values.defaultSettings.offlineReplicaRebuilding) }}offline-replica-rebuilding: {{ .Values.defaultSettings.offlineReplicaRebuilding }}{{ end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/deployment-driver.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/deployment-driver.yaml
new file mode 100644
index 0000000000..f162fbf791
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/deployment-driver.yaml
@@ -0,0 +1,118 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: longhorn-driver-deployer
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: longhorn-driver-deployer
+ template:
+ metadata:
+ labels: {{- include "longhorn.labels" . | nindent 8 }}
+ app: longhorn-driver-deployer
+ spec:
+ initContainers:
+ - name: wait-longhorn-manager
+ image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
+ command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" http://longhorn-backend:9500/v1) != "200" ]; do echo waiting; sleep 2; done']
+ containers:
+ - name: longhorn-driver-deployer
+ image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - longhorn-manager
+ - -d
+ - deploy-driver
+ - --manager-image
+ - "{{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}"
+ - --manager-url
+ - http://longhorn-backend:9500/v1
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ {{- if .Values.csi.kubeletRootDir }}
+ - name: KUBELET_ROOT_DIR
+ value: {{ .Values.csi.kubeletRootDir }}
+ {{- end }}
+ {{- if and .Values.image.csi.attacher.repository .Values.image.csi.attacher.tag }}
+ - name: CSI_ATTACHER_IMAGE
+ value: "{{ template "registry_url" . }}{{ .Values.image.csi.attacher.repository }}:{{ .Values.image.csi.attacher.tag }}"
+ {{- end }}
+ {{- if and .Values.image.csi.provisioner.repository .Values.image.csi.provisioner.tag }}
+ - name: CSI_PROVISIONER_IMAGE
+ value: "{{ template "registry_url" . }}{{ .Values.image.csi.provisioner.repository }}:{{ .Values.image.csi.provisioner.tag }}"
+ {{- end }}
+ {{- if and .Values.image.csi.nodeDriverRegistrar.repository .Values.image.csi.nodeDriverRegistrar.tag }}
+ - name: CSI_NODE_DRIVER_REGISTRAR_IMAGE
+ value: "{{ template "registry_url" . }}{{ .Values.image.csi.nodeDriverRegistrar.repository }}:{{ .Values.image.csi.nodeDriverRegistrar.tag }}"
+ {{- end }}
+ {{- if and .Values.image.csi.resizer.repository .Values.image.csi.resizer.tag }}
+ - name: CSI_RESIZER_IMAGE
+ value: "{{ template "registry_url" . }}{{ .Values.image.csi.resizer.repository }}:{{ .Values.image.csi.resizer.tag }}"
+ {{- end }}
+ {{- if and .Values.image.csi.snapshotter.repository .Values.image.csi.snapshotter.tag }}
+ - name: CSI_SNAPSHOTTER_IMAGE
+ value: "{{ template "registry_url" . }}{{ .Values.image.csi.snapshotter.repository }}:{{ .Values.image.csi.snapshotter.tag }}"
+ {{- end }}
+ {{- if and .Values.image.csi.livenessProbe.repository .Values.image.csi.livenessProbe.tag }}
+ - name: CSI_LIVENESS_PROBE_IMAGE
+ value: "{{ template "registry_url" . }}{{ .Values.image.csi.livenessProbe.repository }}:{{ .Values.image.csi.livenessProbe.tag }}"
+ {{- end }}
+ {{- if .Values.csi.attacherReplicaCount }}
+ - name: CSI_ATTACHER_REPLICA_COUNT
+ value: {{ .Values.csi.attacherReplicaCount | quote }}
+ {{- end }}
+ {{- if .Values.csi.provisionerReplicaCount }}
+ - name: CSI_PROVISIONER_REPLICA_COUNT
+ value: {{ .Values.csi.provisionerReplicaCount | quote }}
+ {{- end }}
+ {{- if .Values.csi.resizerReplicaCount }}
+ - name: CSI_RESIZER_REPLICA_COUNT
+ value: {{ .Values.csi.resizerReplicaCount | quote }}
+ {{- end }}
+ {{- if .Values.csi.snapshotterReplicaCount }}
+ - name: CSI_SNAPSHOTTER_REPLICA_COUNT
+ value: {{ .Values.csi.snapshotterReplicaCount | quote }}
+ {{- end }}
+
+ {{- if .Values.privateRegistry.registrySecret }}
+ imagePullSecrets:
+ - name: {{ .Values.privateRegistry.registrySecret }}
+ {{- end }}
+ {{- if .Values.longhornDriver.priorityClass }}
+ priorityClassName: {{ .Values.longhornDriver.priorityClass | quote }}
+ {{- end }}
+ {{- if or .Values.longhornDriver.tolerations .Values.global.cattle.windowsCluster.enabled }}
+ tolerations:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }}
+{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }}
+ {{- end }}
+ {{- if .Values.longhornDriver.tolerations }}
+{{ toYaml .Values.longhornDriver.tolerations | indent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.longhornDriver.nodeSelector .Values.global.cattle.windowsCluster.enabled }}
+ nodeSelector:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }}
+{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.longhornDriver.nodeSelector }}
+{{ toYaml .Values.longhornDriver.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: longhorn-service-account
+ securityContext:
+ runAsUser: 0
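Review bot: The pod-level `securityContext` at the end of this Deployment sets only `runAsUser: 0`, so both the `longhorn-driver-deployer` container and the `wait-longhorn-manager` init container run as root with default privilege-escalation and capability settings. Nothing in the visible commands (`longhorn-manager -d deploy-driver`, a `curl` wait loop against `longhorn-backend`) obviously needs more than API access, so I would add a container-level `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` and confirm the deployer still works. If UID 0 is really required, a one-line comment above `runAsUser: 0` saying why would save the next reviewer the same question.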
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/deployment-ui.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/deployment-ui.yaml
new file mode 100644
index 0000000000..6bad5cd4ed
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/deployment-ui.yaml
@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-ui
+ name: longhorn-ui
+ namespace: {{ include "release_namespace" . }}
+spec:
+ replicas: {{ .Values.longhornUI.replicas }}
+ selector:
+ matchLabels:
+ app: longhorn-ui
+ template:
+ metadata:
+ labels: {{- include "longhorn.labels" . | nindent 8 }}
+ app: longhorn-ui
+ spec:
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - longhorn-ui
+ topologyKey: kubernetes.io/hostname
+ containers:
+ - name: longhorn-ui
+ image: {{ template "registry_url" . }}{{ .Values.image.longhorn.ui.repository }}:{{ .Values.image.longhorn.ui.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - name : nginx-cache
+ mountPath: /var/cache/nginx/
+ - name : nginx-config
+ mountPath: /var/config/nginx/
+ - name: var-run
+ mountPath: /var/run/
+ ports:
+ - containerPort: 8000
+ name: http
+ env:
+ - name: LONGHORN_MANAGER_IP
+ value: "http://longhorn-backend:9500"
+ - name: LONGHORN_UI_PORT
+ value: "8000"
+ volumes:
+ - emptyDir: {}
+ name: nginx-cache
+ - emptyDir: {}
+ name: nginx-config
+ - emptyDir: {}
+ name: var-run
+ {{- if .Values.privateRegistry.registrySecret }}
+ imagePullSecrets:
+ - name: {{ .Values.privateRegistry.registrySecret }}
+ {{- end }}
+ {{- if .Values.longhornUI.priorityClass }}
+ priorityClassName: {{ .Values.longhornUI.priorityClass | quote }}
+ {{- end }}
+ {{- if or .Values.longhornUI.tolerations .Values.global.cattle.windowsCluster.enabled }}
+ tolerations:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }}
+{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }}
+ {{- end }}
+ {{- if .Values.longhornUI.tolerations }}
+{{ toYaml .Values.longhornUI.tolerations | indent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.longhornUI.nodeSelector .Values.global.cattle.windowsCluster.enabled }}
+ nodeSelector:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }}
+{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.longhornUI.nodeSelector }}
+{{ toYaml .Values.longhornUI.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- end }}
+---
+kind: Service
+apiVersion: v1
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-ui
+ {{- if eq .Values.service.ui.type "Rancher-Proxy" }}
+ kubernetes.io/cluster-service: "true"
+ {{- end }}
+ name: longhorn-frontend
+ namespace: {{ include "release_namespace" . }}
+spec:
+ {{- if eq .Values.service.ui.type "Rancher-Proxy" }}
+ type: ClusterIP
+ {{- else }}
+ type: {{ .Values.service.ui.type }}
+ {{- end }}
+ {{- if and .Values.service.ui.loadBalancerIP (eq .Values.service.ui.type "LoadBalancer") }}
+ loadBalancerIP: {{ .Values.service.ui.loadBalancerIP }}
+ {{- end }}
+ {{- if and (eq .Values.service.ui.type "LoadBalancer") .Values.service.ui.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{- toYaml .Values.service.ui.loadBalancerSourceRanges | nindent 4 }}
+ {{- end }}
+ selector:
+ app: longhorn-ui
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ {{- if .Values.service.ui.nodePort }}
+ nodePort: {{ .Values.service.ui.nodePort }}
+ {{- else }}
+ nodePort: null
+ {{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/ingress.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/ingress.yaml
new file mode 100644
index 0000000000..ee47f8b8d9
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/ingress.yaml
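Review bot: The `longhorn-frontend` Service takes its type straight from `.Values.service.ui.type`, and `loadBalancerSourceRanges` is emitted only when the operator supplies it, so a `LoadBalancer` or `NodePort` install exposes the UI to every source that can reach the address. Nothing in this Deployment or Service puts authentication in front of the UI container, so access control then depends entirely on whatever sits outside the chart. I would state that next to the type selection, for example with a template comment such as `{{- /* non-ClusterIP types publish the UI: set loadBalancerSourceRanges or front it with an authenticating proxy */}}`. The UI pod spec also carries no `securityContext`; whether the image tolerates `runAsNonRoot: true` is worth checking.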
@@ -0,0 +1,48 @@
+{{- if .Values.ingress.enabled }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: longhorn-ingress
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-ingress
+ annotations:
+ {{- if .Values.ingress.secureBackends }}
+ ingress.kubernetes.io/secure-backends: "true"
+ {{- end }}
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.ingressClassName (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ {{- end }}
+ rules:
+ - host: {{ .Values.ingress.host }}
+ http:
+ paths:
+ - path: {{ default "" .Values.ingress.path }}
+ {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: ImplementationSpecific
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: longhorn-frontend
+ port:
+ number: 80
+ {{- else }}
+ serviceName: longhorn-frontend
+ servicePort: 80
+ {{- end }}
+{{- if .Values.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.ingress.host }}
+ secretName: {{ .Values.ingress.tlsSecret }}
+{{- end }}
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-data-source-network-policy.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-data-source-network-policy.yaml
new file mode 100644
index 0000000000..cc91054baf
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-data-source-network-policy.yaml
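Review bot: `host: {{ .Values.ingress.host }}` under `rules` and the matching entry under `tls.hosts` render the value unquoted, so a wildcard host such as `*.example.com` (constructed example) is read by the YAML parser as an alias and the manifest fails to load. Quote both, `- host: {{ .Values.ingress.host | quote }}` and `- {{ .Values.ingress.host | quote }}`; `ingressClassName` and `secretName` would benefit from the same treatment. Separately, the `tls:` block is optional and no authentication annotation is set by default, so with `ingress.tls` false the UI is published over plain HTTP; a comment beside the `tls` condition saying so would help operators.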
@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: backing-image-data-source
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-data-source
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: longhorn-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: instance-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-data-source
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-manager-network-policy.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-manager-network-policy.yaml
new file mode 100644
index 0000000000..ebc288f4b3
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/backing-image-manager-network-policy.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: backing-image-manager
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: longhorn-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: instance-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-data-source
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/instance-manager-networking.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/instance-manager-networking.yaml
new file mode 100644
index 0000000000..6f03c6eb3f
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/instance-manager-networking.yaml
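Review bot: `namespace: longhorn-system` is hard-coded in this NetworkPolicy, while the ConfigMap, Deployments, Services and Ingress in the same change all use `{{ include "release_namespace" . }}`. If the chart is installed into any other namespace, the policy is created in (or rejected for) `longhorn-system` and the pods it is meant to isolate end up with no policy at all, with nothing pointing at the cause. Use `namespace: {{ include "release_namespace" . }}` here; the same line appears in the backing-image-manager, instance-manager, longhorn-manager, recovery-backend, ui-frontend and both webhook policies that follow.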
@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: instance-manager
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ longhorn.io/component: instance-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: longhorn-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: instance-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-manager
+ - podSelector:
+ matchLabels:
+ longhorn.io/component: backing-image-data-source
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/manager-network-policy.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/manager-network-policy.yaml
new file mode 100644
index 0000000000..c9d763fbe3
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/manager-network-policy.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: longhorn-manager
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ app: longhorn-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: longhorn-manager
+ - podSelector:
+ matchLabels:
+ app: longhorn-ui
+ - podSelector:
+ matchLabels:
+ app: longhorn-csi-plugin
+ - podSelector:
+ matchLabels:
+ longhorn.io/managed-by: longhorn-manager
+ matchExpressions:
+ - { key: recurring-job.longhorn.io, operator: Exists }
+ - podSelector:
+ matchExpressions:
+ - { key: longhorn.io/job-task, operator: Exists }
+ - podSelector:
+ matchLabels:
+ app: longhorn-driver-deployer
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/recovery-backend-network-policy.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/recovery-backend-network-policy.yaml
new file mode 100644
index 0000000000..cebe4854a9
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/recovery-backend-network-policy.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: longhorn-recovery-backend
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ app: longhorn-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9503
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/ui-frontend-network-policy.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/ui-frontend-network-policy.yaml
new file mode 100644
index 0000000000..04c8beb38c
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/ui-frontend-network-policy.yaml
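Review bot: The `longhorn-recovery-backend` rule lists only `ports` and no `from`, so TCP 9503 on every `app: longhorn-manager` pod is open to any pod in any namespace; NetworkPolicies are additive, so this widens what `manager-network-policy.yaml` allows. If only Longhorn's own components need the recovery backend (I cannot tell from the diff), add a `from` list of `podSelector` peers in the same way the manager policy does. If the port really must be reachable cluster-wide, say so in a comment above the rule, e.g. `# 9503 is intentionally open to all sources: <reason>`.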
@@ -0,0 +1,46 @@
+{{- if and .Values.networkPolicies.enabled .Values.ingress.enabled (not (eq .Values.networkPolicies.type "")) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: longhorn-ui-frontend
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ app: longhorn-ui
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ {{- if eq .Values.networkPolicies.type "rke1"}}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ {{- else if eq .Values.networkPolicies.type "rke2" }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: rke2-ingress-nginx
+ app.kubernetes.io/name: rke2-ingress-nginx
+ {{- else if eq .Values.networkPolicies.type "k3s" }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ ports:
+ - port: 8000
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ {{- end }}
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/webhook-network-policy.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/webhook-network-policy.yaml
new file mode 100644
index 0000000000..c9790f6a20
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/network-policies/webhook-network-policy.yaml
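Review bot: The `if`/`else if` chain over `.Values.networkPolicies.type` has no final `else`, so any non-empty value other than `rke1`, `rke2` or `k3s` (a typo, for instance) renders `- from:` with no peers, and an ingress rule with an empty `from` matches all sources, so the policy fails open. End the chain with `{{- else }}{{ fail "networkPolicies.type must be rke1, rke2 or k3s" }}` so a bad value stops the render instead. The `ports:` list also sits inside the `k3s` branch only, which leaves the `rke1` and `rke2` ingress controllers allowed to reach every port on the UI pods; moving `ports:` after the chain's closing `{{- end }}` would apply it to all three.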
@@ -0,0 +1,33 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: longhorn-conversion-webhook
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ app: longhorn-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9501
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: longhorn-admission-webhook
+ namespace: longhorn-system
+spec:
+ podSelector:
+ matchLabels:
+ app: longhorn-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9502
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/postupgrade-job.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/postupgrade-job.yaml
new file mode 100644
index 0000000000..bb25a54d4e
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/postupgrade-job.yaml
@@ -0,0 +1,56 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+ name: longhorn-post-upgrade
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+spec:
+ activeDeadlineSeconds: 900
+ backoffLimit: 1
+ template:
+ metadata:
+ name: longhorn-post-upgrade
+ labels: {{- include "longhorn.labels" . | nindent 8 }}
+ spec:
+ containers:
+ - name: longhorn-post-upgrade
+ image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - longhorn-manager
+ - post-upgrade
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ restartPolicy: OnFailure
+ {{- if .Values.privateRegistry.registrySecret }}
+ imagePullSecrets:
+ - name: {{ .Values.privateRegistry.registrySecret }}
+ {{- end }}
+ {{- if .Values.longhornManager.priorityClass }}
+ priorityClassName: {{ .Values.longhornManager.priorityClass | quote }}
+ {{- end }}
+ serviceAccountName: longhorn-service-account
+ {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }}
+ tolerations:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }}
+{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }}
+ {{- end }}
+ {{- if .Values.longhornManager.tolerations }}
+{{ toYaml .Values.longhornManager.tolerations | indent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }}
+ nodeSelector:
+ {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }}
+{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.longhornManager.nodeSelector }}
+{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/preupgrade-job.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/preupgrade-job.yaml
new file mode 100644
index 0000000000..357e6d7795
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/preupgrade-job.yaml
@@ -0,0 +1,58 @@ +{{- if .Values.helmPreUpgradeCheckerJob.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed + name: longhorn-pre-upgrade + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +spec: + activeDeadlineSeconds: 900 + backoffLimit: 1 + template: + metadata: + name: longhorn-pre-upgrade + labels: {{- include "longhorn.labels" . | nindent 8 }} + spec: + containers: + - name: longhorn-pre-upgrade + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - longhorn-manager + - pre-upgrade + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + {{- if .Values.longhornManager.priorityClass }} + priorityClassName: {{ .Values.longhornManager.priorityClass | quote }} + {{- end }} + serviceAccountName: longhorn-service-account + {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornManager.tolerations }} +{{ toYaml .Values.longhornManager.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + 
{{- end }}
+ {{- if .Values.longhornManager.nodeSelector }}
+{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/psp.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/psp.yaml
new file mode 100644
index 0000000000..a2dfc05bef
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/psp.yaml
@@ -0,0 +1,66 @@
+{{- if .Values.enablePSP }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: longhorn-psp
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ requiredDropCapabilities:
+ - NET_RAW
+ allowedCapabilities:
+ - SYS_ADMIN
+ hostNetwork: false
+ hostIPC: false
+ hostPID: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - secret
+ - projected
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: longhorn-psp-role
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ namespace: {{ include "release_namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - longhorn-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: longhorn-psp-binding
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ namespace: {{ include "release_namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: longhorn-psp-role
+subjects:
+- kind: ServiceAccount
+ name: longhorn-service-account
+ namespace: {{ include "release_namespace" . }}
+- kind: ServiceAccount
+ name: default
+ namespace: {{ include "release_namespace" . }}
+{{- end }}
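Review bot: `longhorn-psp-binding` lists the namespace's `default` ServiceAccount as a subject, so any pod that runs without an explicit service account in the release namespace is admitted under `longhorn-psp`, which allows `privileged: true`, `hostPID: true`, `SYS_ADMIN` and `hostPath` volumes. Unless a Longhorn component created at run time really uses `default` (not visible in this patch), drop that subject and bind only `longhorn-service-account`. If it has to stay, add a comment above it naming the component that needs it, e.g. `# required by <component>, which runs as the default service account`.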
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/registry-secret.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/registry-secret.yaml
new file mode 100644
index 0000000000..3c6b1dc510
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/registry-secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.privateRegistry.createSecret }}
+{{- if .Values.privateRegistry.registrySecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.privateRegistry.registrySecret }}
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "secret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/serviceaccount.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..a563d68ca8
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/serviceaccount.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: longhorn-service-account
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: longhorn-support-bundle
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
\ No newline at end of file
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/services.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/services.yaml
new file mode 100644
index 0000000000..7da9d1892f
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/services.yaml
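Review bot: In serviceaccount.yaml, `longhorn-support-bundle` receives the same `.Values.serviceAccount.annotations` as `longhorn-service-account`, so an annotation that binds a cloud identity to the manager account is silently extended to the support-bundle account as well. A separate key would keep the two apart, e.g. `{{- with .Values.serviceAccount.supportBundleAnnotations }}` in the second document (key name constructed here; it would need a matching entry in values.yaml). At minimum the values.yaml comment `# Annotations to add to the service account` should say that it applies to both accounts.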
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-conversion-webhook
+ name: longhorn-conversion-webhook
+ namespace: {{ include "release_namespace" . }}
+spec:
+ type: ClusterIP
+ sessionAffinity: ClientIP
+ selector:
+ app: longhorn-manager
+ ports:
+ - name: conversion-webhook
+ port: 9501
+ targetPort: conversion-wh
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-admission-webhook
+ name: longhorn-admission-webhook
+ namespace: {{ include "release_namespace" . }}
+spec:
+ type: ClusterIP
+ sessionAffinity: ClientIP
+ selector:
+ app: longhorn-manager
+ ports:
+ - name: admission-webhook
+ port: 9502
+ targetPort: admission-wh
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ app: longhorn-recovery-backend
+ name: longhorn-recovery-backend
+ namespace: {{ include "release_namespace" . }}
+spec:
+ type: ClusterIP
+ sessionAffinity: ClientIP
+ selector:
+ app: longhorn-manager
+ ports:
+ - name: recovery-backend
+ port: 9503
+ targetPort: recov-backend
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ name: longhorn-engine-manager
+ namespace: {{ include "release_namespace" . }}
+spec:
+ clusterIP: None
+ selector:
+ longhorn.io/component: instance-manager
+ longhorn.io/instance-manager-type: engine
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ name: longhorn-replica-manager
+ namespace: {{ include "release_namespace" . }}
+spec:
+ clusterIP: None
+ selector:
+ longhorn.io/component: instance-manager
+ longhorn.io/instance-manager-type: replica
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/storageclass.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/storageclass.yaml
new file mode 100644
index 0000000000..68325177e8
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/storageclass.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: longhorn-storageclass
+ namespace: {{ include "release_namespace" . }}
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+data:
+ storageclass.yaml: |
+ kind: StorageClass
+ apiVersion: storage.k8s.io/v1
+ metadata:
+ name: longhorn
+ annotations:
+ storageclass.kubernetes.io/is-default-class: {{ .Values.persistence.defaultClass | quote }}
+ provisioner: driver.longhorn.io
+ allowVolumeExpansion: true
+ reclaimPolicy: "{{ .Values.persistence.reclaimPolicy }}"
+ volumeBindingMode: Immediate
+ parameters:
+ numberOfReplicas: "{{ .Values.persistence.defaultClassReplicaCount }}"
+ staleReplicaTimeout: "30"
+ fromBackup: ""
+ {{- if .Values.persistence.defaultFsType }}
+ fsType: "{{ .Values.persistence.defaultFsType }}"
+ {{- end }}
+ {{- if .Values.persistence.defaultMkfsParams }}
+ mkfsParams: "{{ .Values.persistence.defaultMkfsParams }}"
+ {{- end }}
+ {{- if .Values.persistence.migratable }}
+ migratable: "{{ .Values.persistence.migratable }}"
+ {{- end }}
+ {{- if .Values.persistence.backingImage.enable }}
+ backingImage: {{ .Values.persistence.backingImage.name }}
+ backingImageDataSourceType: {{ .Values.persistence.backingImage.dataSourceType }}
+ backingImageDataSourceParameters: {{ .Values.persistence.backingImage.dataSourceParameters }}
+ backingImageChecksum: {{ .Values.persistence.backingImage.expectedChecksum }}
+ {{- end }}
+ {{- if .Values.persistence.recurringJobSelector.enable }}
+ recurringJobSelector: '{{ .Values.persistence.recurringJobSelector.jobList }}'
+ {{- end }}
+ dataLocality: {{ .Values.persistence.defaultDataLocality | quote }}
+ {{- if .Values.persistence.defaultNodeSelector.enable }}
+ nodeSelector: "{{ .Values.persistence.defaultNodeSelector.selector }}"
+ {{- end }}
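Review bot: The four `backingImage*` parameters are rendered without quotes while every other parameter in this embedded StorageClass is quoted, so an all-digit checksum, or a `dataSourceParameters` value beginning with `{`, would be retyped or rejected when the embedded YAML is parsed. StorageClass `parameters` have to be strings; suggest `backingImageChecksum: {{ .Values.persistence.backingImage.expectedChecksum | quote }}` and the same `| quote` on the other three. The checksum is the integrity check for the backing image, so it is the one field that should never be altered on the way through the template.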
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/tls-secrets.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/tls-secrets.yaml
new file mode 100644
index 0000000000..74c43426de
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/tls-secrets.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .name }}
+ namespace: {{ include "release_namespace" $ }}
+ labels: {{- include "longhorn.labels" $ | nindent 4 }}
+ app: longhorn
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .certificate | b64enc }}
+ tls.key: {{ .key | b64enc }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/uninstall-job.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/uninstall-job.yaml
new file mode 100644
index 0000000000..968f420616
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/uninstall-job.yaml
@@ -0,0 +1,57 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + name: longhorn-uninstall + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +spec: + activeDeadlineSeconds: 900 + backoffLimit: 1 + template: + metadata: + name: longhorn-uninstall + labels: {{- include "longhorn.labels" . | nindent 8 }} + spec: + containers: + - name: longhorn-uninstall + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - longhorn-manager + - uninstall + - --force + env: + - name: LONGHORN_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + {{- if .Values.longhornManager.priorityClass }} + priorityClassName: {{ .Values.longhornManager.priorityClass | quote }} + {{- end }} + serviceAccountName: longhorn-service-account + {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornManager.tolerations }} +{{ toYaml .Values.longhornManager.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector 
}}
+{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/userroles.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/userroles.yaml
new file mode 100644
index 0000000000..f9a8d7a582
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/userroles.yaml
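Review bot: The last guard in uninstall-job.yaml, `{{- if or .Values.longhornManager.nodeSelector }}`, calls `or` with a single argument, unlike the matching line in the post-upgrade and pre-upgrade jobs, which is `{{- if .Values.longhornManager.nodeSelector }}`. It appears to evaluate the same way, but it reads like a dropped operand; make it `{{- if .Values.longhornManager.nodeSelector }}`. A one-line comment above `- --force` stating what the flag bypasses would also help, because this pre-delete hook runs on every uninstall under `longhorn-service-account`.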
@@ -0,0 +1,53 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "longhorn-admin" + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: [ "longhorn.io" ] + resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", + "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", + "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", + "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", + "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", + "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", + "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status", + "volumeattachments", "volumeattachments/status"] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "longhorn-edit" + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: [ "longhorn.io" ] + resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", + "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", + "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", + "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", + "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", + "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", + "supportbundles", "supportbundles/status", "systembackups", 
"systembackups/status", "systemrestores", "systemrestores/status",
+ "volumeattachments", "volumeattachments/status"]
+ verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "longhorn-view"
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: [ "longhorn.io" ]
+ resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings",
+ "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status",
+ "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status",
+ "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status",
+ "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status",
+ "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status",
+ "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status",
+ "volumeattachments", "volumeattachments/status"]
+ verbs: [ "get", "list", "watch" ]
\ No newline at end of file
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/validate-install-crd.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..8168d3383f
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/validate-install-crd.yaml
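Review bot: `longhorn-edit` is granted `verbs: [ "*" ]` on the same resource list as `longhorn-admin`, so every subject holding the aggregated `edit` role gets full control of `settings`, `backuptargets`, `systembackups`, `systemrestores` and `supportbundles`, and the wildcard also covers any verb added later. Consider spelling the verbs out for edit, e.g. `verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]`, and leaving the system-wide resources to `longhorn-admin`. The three resource lists are identical copies; a comment above each saying they must be kept in sync would reduce drift between the roles.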
@@ -0,0 +1,34 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "longhorn.io/v1beta1/BackingImageDataSource" false -}}
+# {{- set $found "longhorn.io/v1beta1/BackingImageManager" false -}}
+# {{- set $found "longhorn.io/v1beta1/BackingImage" false -}}
+# {{- set $found "longhorn.io/v1beta1/Backup" false -}}
+# {{- set $found "longhorn.io/v1beta1/BackupTarget" false -}}
+# {{- set $found "longhorn.io/v1beta1/BackupVolume" false -}}
+# {{- set $found "longhorn.io/v1beta1/EngineImage" false -}}
+# {{- set $found "longhorn.io/v1beta1/Engine" false -}}
+# {{- set $found "longhorn.io/v1beta1/InstanceManager" false -}}
+# {{- set $found "longhorn.io/v1beta1/Node" false -}}
+# {{- set $found "longhorn.io/v1beta2/Orphan" false -}}
+# {{- set $found "longhorn.io/v1beta1/RecurringJob" false -}}
+# {{- set $found "longhorn.io/v1beta1/Replica" false -}}
+# {{- set $found "longhorn.io/v1beta1/Setting" false -}}
+# {{- set $found "longhorn.io/v1beta1/ShareManager" false -}}
+# {{- set $found "longhorn.io/v1beta2/Snapshot" false -}}
+# {{- set $found "longhorn.io/v1beta2/SupportBundle" false -}}
+# {{- set $found "longhorn.io/v1beta2/SystemBackup" false -}}
+# {{- set $found "longhorn.io/v1beta2/SystemRestore" false -}}
+# {{- set $found "longhorn.io/v1beta1/Volume" false -}}
+# {{- set $found "longhorn.io/v1beta2/VolumeAttachment" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
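Review bot: The leading `#` on every line of validate-install-crd.yaml does not disable the template: Helm evaluates the actions before the output is parsed as YAML, so the `lookup`, the `set` calls and the `required` failure still run, and the `#` only keeps whatever is emitted a YAML comment. Nothing in the file says so, and it reads as dead code that someone may delete or "uncomment". Add a plain header line such as `# NOTE: the template actions below are still evaluated by Helm; the "#" prefix only keeps the rendered output a comment`, worded without template delimiters. The same applies to validate-psp-install.yaml in the next hunk.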
diff --git a/charts/longhorn/102.3.1+up1.5.3/templates/validate-psp-install.yaml b/charts/longhorn/102.3.1+up1.5.3/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..0df98e3657
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.enablePSP }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
\ No newline at end of file
diff --git a/charts/longhorn/102.3.1+up1.5.3/values.yaml b/charts/longhorn/102.3.1+up1.5.3/values.yaml
new file mode 100644
index 0000000000..ea3f006df3
--- /dev/null
+++ b/charts/longhorn/102.3.1+up1.5.3/values.yaml
@@ -0,0 +1,296 @@ +# Default values for longhorn. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + cattle: + systemDefaultRegistry: "" + windowsCluster: + # Enable this to allow Longhorn to run on the Rancher deployed Windows cluster + enabled: false + # Tolerate Linux node taint + tolerations: + - key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + # Select Linux nodes + nodeSelector: + kubernetes.io/os: "linux" + # Recognize toleration and node selector for Longhorn run-time created components + defaultSetting: + taintToleration: cattle.io/os=linux:NoSchedule + systemManagedComponentsNodeSelector: kubernetes.io/os:linux + +networkPolicies: + enabled: false + # Available types: k3s, rke2, rke1 + type: "k3s" + +image: + longhorn: + engine: + repository: rancher/mirrored-longhornio-longhorn-engine + tag: v1.5.3 + manager: + repository: rancher/mirrored-longhornio-longhorn-manager + tag: v1.5.3 + ui: + repository: rancher/mirrored-longhornio-longhorn-ui + tag: v1.5.3 + instanceManager: + repository: rancher/mirrored-longhornio-longhorn-instance-manager + tag: v1.5.3 + shareManager: + repository: rancher/mirrored-longhornio-longhorn-share-manager + tag: v1.5.3 + backingImageManager: + repository: rancher/mirrored-longhornio-backing-image-manager + tag: v1.5.3 + supportBundleKit: + repository: rancher/mirrored-longhornio-support-bundle-kit + tag: v0.0.27 + csi: + attacher: + repository: rancher/mirrored-longhornio-csi-attacher + tag: v4.2.0 + provisioner: + repository: rancher/mirrored-longhornio-csi-provisioner + tag: v3.4.1 + nodeDriverRegistrar: + repository: rancher/mirrored-longhornio-csi-node-driver-registrar + tag: v2.7.0 + resizer: + repository: rancher/mirrored-longhornio-csi-resizer + tag: v1.7.0 + snapshotter: + repository: rancher/mirrored-longhornio-csi-snapshotter + tag: v6.2.1 + livenessProbe: + repository: rancher/mirrored-longhornio-livenessprobe + tag: v2.9.0 + 
pullPolicy: IfNotPresent + +service: + ui: + type: ClusterIP + nodePort: null + manager: + type: ClusterIP + nodePort: "" + loadBalancerIP: "" + loadBalancerSourceRanges: "" + +persistence: + defaultClass: true + defaultFsType: ext4 + defaultMkfsParams: "" + defaultClassReplicaCount: 3 + defaultDataLocality: disabled # best-effort otherwise + reclaimPolicy: Delete + migratable: false + recurringJobSelector: + enable: false + jobList: [] + backingImage: + enable: false + name: ~ + dataSourceType: ~ + dataSourceParameters: ~ + expectedChecksum: ~ + defaultNodeSelector: + enable: false # disable by default + selector: "" + removeSnapshotsDuringFilesystemTrim: ignored # "enabled" or "disabled" otherwise + +helmPreUpgradeCheckerJob: + enabled: true + +csi: + kubeletRootDir: ~ + attacherReplicaCount: ~ + provisionerReplicaCount: ~ + resizerReplicaCount: ~ + snapshotterReplicaCount: ~ + +defaultSettings: + backupTarget: ~ + backupTargetCredentialSecret: ~ + allowRecurringJobWhileVolumeDetached: ~ + createDefaultDiskLabeledNodes: ~ + defaultDataPath: ~ + defaultDataLocality: ~ + replicaSoftAntiAffinity: ~ + replicaAutoBalance: ~ + storageOverProvisioningPercentage: ~ + storageMinimalAvailablePercentage: ~ + storageReservedPercentageForDefaultDisk: ~ + upgradeChecker: ~ + defaultReplicaCount: ~ + defaultLonghornStaticStorageClass: ~ + backupstorePollInterval: ~ + failedBackupTTL: ~ + restoreVolumeRecurringJobs: ~ + recurringSuccessfulJobsHistoryLimit: ~ + recurringFailedJobsHistoryLimit: ~ + supportBundleFailedHistoryLimit: ~ + taintToleration: ~ + systemManagedComponentsNodeSelector: ~ + priorityClass: ~ + autoSalvage: ~ + autoDeletePodWhenVolumeDetachedUnexpectedly: ~ + disableSchedulingOnCordonedNode: ~ + replicaZoneSoftAntiAffinity: ~ + nodeDownPodDeletionPolicy: ~ + nodeDrainPolicy: ~ + replicaReplenishmentWaitInterval: ~ + concurrentReplicaRebuildPerNodeLimit: ~ + concurrentVolumeBackupRestorePerNodeLimit: ~ + disableRevisionCounter: ~ + 
systemManagedPodsImagePullPolicy: ~ + allowVolumeCreationWithDegradedAvailability: ~ + autoCleanupSystemGeneratedSnapshot: ~ + concurrentAutomaticEngineUpgradePerNodeLimit: ~ + backingImageCleanupWaitInterval: ~ + backingImageRecoveryWaitInterval: ~ + guaranteedInstanceManagerCPU: ~ + kubernetesClusterAutoscalerEnabled: ~ + orphanAutoDeletion: ~ + storageNetwork: ~ + deletingConfirmationFlag: ~ + engineReplicaTimeout: ~ + snapshotDataIntegrity: ~ + snapshotDataIntegrityImmediateCheckAfterSnapshotCreation: ~ + snapshotDataIntegrityCronjob: ~ + removeSnapshotsDuringFilesystemTrim: ~ + fastReplicaRebuildEnabled: ~ + replicaFileSyncHttpClientTimeout: ~ + logLevel: ~ + backupCompressionMethod: ~ + backupConcurrentLimit: ~ + restoreConcurrentLimit: ~ + v2DataEngine: ~ + offlineReplicaRebuilding: ~ +privateRegistry: + createSecret: ~ + registryUrl: ~ + registryUser: ~ + registryPasswd: ~ + registrySecret: ~ + +longhornManager: + log: + ## Allowed values are `plain` or `json`. + format: plain + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + serviceAnnotations: {} + ## If you want to set annotations for the Longhorn Manager service, delete the `{}` in the line above + ## and uncomment this example block + # annotation-key1: "annotation-value1" + # annotation-key2: "annotation-value2" + +longhornDriver: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # 
effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + +longhornUI: + replicas: 2 + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + +ingress: + ## Set to true to enable ingress record generation + enabled: false + + ## Add ingressClassName to the Ingress + ## Can replace the kubernetes.io/ingress.class annotation on v1.18+ + ingressClassName: ~ + + host: sslip.io + + ## Set this to true in order to enable TLS on the ingress record + tls: false + + ## Enable this in order to enable that the backend service will be connected at port 443 + secureBackends: false + + ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS + tlsSecret: longhorn.local-tls + + ## If ingress is enabled you can set the default ingress path + ## then you can access the UI by using the following full path {{host}}+{{path}} + path: / + + ## Ingress annotations done as key:value pairs + ## If you're using kube-lego, you will want to add: + ## kubernetes.io/tls-acme: true + ## + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md + ## + ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: true + + secrets: + ## If 
you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + # - name: longhorn.local-tls + # key: + # certificate: + +# For Kubernetes < v1.25, if your cluster enables Pod Security Policy admission controller, +# set this to `true` to ship longhorn-psp which allow privileged Longhorn pods to start +enablePSP: false + +## Specify override namespace, specifically this is useful for using longhorn as sub-chart +## and its release namespace is not the `longhorn-system` +namespaceOverride: "" + +# Annotations to add to the Longhorn Manager DaemonSet Pods. Optional. +annotations: {} + +serviceAccount: + # Annotations to add to the service account + annotations: {} diff --git a/index.yaml b/index.yaml index 8f21d2cfc2..8dbf023473 100755 --- a/index.yaml +++ b/index.yaml 
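Review bot: In values.yaml, `privateRegistry.registryPasswd` and the `key` field under `ingress.secrets` take secret material directly as chart values, and no comment says that values supplied this way are kept with the Helm release and in any values file that gets committed. Suggest a comment above `registryPasswd`, e.g. `# Prefer a pre-created pull secret named in registrySecret (createSecret unset); a password set here is stored with the release values`. Also, `ingress.annotations:` has only commented-out children, so it parses as null rather than an empty map; `annotations: {}` would match the other empty maps in this file.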
@@ -2742,6 +2742,50 @@ entries: urls: - assets/longhorn/longhorn-103.0.0+up1.3.3.tgz version: 103.0.0+up1.3.3 + - annotations: + catalog.cattle.io/auto-install: longhorn-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Longhorn + catalog.cattle.io/kube-version: '>= 1.21.0-0' + catalog.cattle.io/namespace: longhorn-system + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: longhorn.io/v1beta1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: longhorn + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 1.5.3 + apiVersion: v1 + appVersion: v1.5.3 + created: "2023-12-04T13:12:13.736443-03:00" + description: Longhorn is a distributed block storage system for Kubernetes. + digest: 6ad73914d214be56d71fde1220c0e93f1bc1a03035b8811ca315ad59859c016c + home: https://github.com/longhorn/longhorn + icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/longhorn/icon/color/longhorn-icon-color.png + keywords: + - longhorn + - storage + - distributed + - block + - device + - iscsi + - nfs + kubeVersion: '>=1.21.0-0' + maintainers: + - email: maintainers@longhorn.io + name: Longhorn maintainers + name: longhorn + sources: + - https://github.com/longhorn/longhorn + - https://github.com/longhorn/longhorn-engine + - https://github.com/longhorn/longhorn-instance-manager + - https://github.com/longhorn/longhorn-share-manager + - https://github.com/longhorn/longhorn-manager + - https://github.com/longhorn/longhorn-ui + - https://github.com/longhorn/longhorn-tests + - https://github.com/longhorn/backing-image-manager + urls: + - assets/longhorn/longhorn-102.3.1+up1.5.3.tgz + version: 102.3.1+up1.5.3 - annotations: catalog.cattle.io/auto-install: longhorn-crd=match catalog.cattle.io/certified: rancher diff --git a/release.yaml b/release.yaml index ce5eb2d87d..134da6012d 100644 --- a/release.yaml +++ b/release.yaml 
@@ -4,3 +4,5 @@ neuvector-crd: - 102.0.6+up2.6.6 neuvector-monitor: - 102.0.6+up2.6.6 +longhorn: + - 102.3.1+up1.5.3 From 7488f4b3b5d4c73abb9adae0c32380e725c63c9b Mon Sep 17 00:00:00 2001 From: Lucas Lopes Date: Mon, 4 Dec 2023 13:12:50 -0300 Subject: [PATCH 06/10] make forward-port longhorn-crd 102.3.1+up1.5.3 --- .../longhorn-crd-102.3.1+up1.5.3.tgz | Bin 0 -> 11245 bytes .../longhorn-crd/102.3.1+up1.5.3/Chart.yaml | 11 + charts/longhorn-crd/102.3.1+up1.5.3/README.md | 2 + .../102.3.1+up1.5.3/templates/_helpers.tpl | 66 + .../102.3.1+up1.5.3/templates/crds.yaml | 3672 +++++++++++++++++ index.yaml | 15 + release.yaml | 2 + 7 files changed, 3768 insertions(+) create mode 100644 assets/longhorn-crd/longhorn-crd-102.3.1+up1.5.3.tgz create mode 100644 charts/longhorn-crd/102.3.1+up1.5.3/Chart.yaml create mode 100644 charts/longhorn-crd/102.3.1+up1.5.3/README.md create mode 100644 charts/longhorn-crd/102.3.1+up1.5.3/templates/_helpers.tpl create mode 100644 charts/longhorn-crd/102.3.1+up1.5.3/templates/crds.yaml 
diff --git a/assets/longhorn-crd/longhorn-crd-102.3.1+up1.5.3.tgz b/assets/longhorn-crd/longhorn-crd-102.3.1+up1.5.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7c2c6d7c869593b79d48bfd0a8882eea0973ecf1 GIT binary patch literal 11245 zcmVDc zVQyr3R8em|NM&qo0PKBxbKEwTum9GkKxyxkli74j@+)^#mD*J#`>u9vkE&%mRX3AL zp-FT%A~whYz?S7qzWWv)Bta4&33j(EJK#T3lXx7w&f|9ufFvc$RZ7VuqVduB3Q|73 zgX`qcE}!G$^vR>+lc&$WfBFa<@01G1 zlQRzKqvNgXYBuf*c_1Mvha9JbogM%XK@O92IgKFa37X>cC_M6JnI zIF1oH1&5sG=+K&kz%^nSjL<14XC1p^9IdU%DM}DzXd<#1IU*V#zzlytl;M<|g3ZYR z%rfKW^!fDZL5x^LamMAlOTsuz5(fARf%Dk~1B;ZFB~A}4HSoI(odTF;365m%9Bhgj zPL7{UpH5HyJSqji=*j@Z$!E0ko2vMJBD=LJ3M|LON9FBSAk`Th5!zk&^3p8|$BSl|SSssF=TbW5~Cr{J$gfBbPEQXRbfm_ZWDMI=@XNEh<| zND7Suoo)hRw7>*`!*YFz#D`!~eTI3$!Bh#Gx1yx!2bkoD$&`QJAWCtJz`p>eIf=lF zr}AICzRnj5{1F^Zs=^S7<^PJnbBZ8G0G4$u@+7$f|IA?`Iha__lJx1pPe_$6({oXW zXa)mw6v3P!z|u7W|C7%VC5R)Y8oaY#HW9Ietdjr6gr-0h9ZjiA!t~O4dLn5!2FKk@aC#X;cTpESuhx>!1+hr{MSBK_M+#OMNPcTcKn?! zX|bd)#eGHQS*d1#?wKcbnqT!A{+|nOGmiNsuVo@@f0SQajJiKXZIo&=Ri^J8HGlc<(ElPDvz-}&o%-LiljCQ{-#7HX z=g+=>7WBXScuZ3YW*B|sh=^Zodh>r3BRn~{!6ZHf=Q-o)dWKk<(+FLN^?;>iv_>4p zkV9cVHq1!?qLgr&CJCaGB_fi^&U2i^h}O95=6L%3^jO$|LWjdCd571Cak$P-0m+l( z0BFf281e+P^^8JhO~Jna!6Zh6gJ*&j2qMZ!t`(S5a41YvCCP;9fyolDg;0SUs`jyI zSu{=$gf1uAv!rRBRi>i&q>9n4RXz2iD)Ca3cmX-QmL)1mFysHzk?1vMTqewtoWjIO zolL`4Ddlgg+9x1c&2g+hVzSH=NL@u70KlSDSh*!@i4OqKBO*(j02s$|jA3#mxHqEb zX_Bu=Szpb}ekY89oKn&Cj0?p;TL@VigPbXCIiu+YOBpJ@XwrbBO7ZOzw1 zsw8QQTy4L_Ndo2wWE5qPq8OyaL6Ios@}fq~+cfrSI%YT9(;-TE|Gq)VMg66P8l#wk zdrVs^zgFhivfjA37-;o*b23L9o~W50tf~vL$l2B9ho{%I*Pz}b_SFb51Gg(g z5qMoF35=%{u|}tv(K<|yJhMMp5h6G<$QVr9CH|BY%P#2(i=uQk!sBbjnXFAIJw zMjGm@sufjdidUjPW-qVbfud^F;i_+|q^#;@(M6an5LGE9TN9-q5@#tUTwx~(mfSL* zuQ3%hll7Mr#M#;I*2>0E|qBq$@bl$LTHr0S;V%1N^ zheDuM&&Nq+fK6m~(hZvAF3~Aiz=Y{n z`MjKm1qGTO@cSR*#HX@qN&`Lyf{m79v=E&rwlHl6gU)jt*BEIxV-5n{TcBH-%}G@gyh^L4gPg#22YR3|NlW8H#EPAw~=f_EeK@+ib)=-;T~6b)8%UZ?1U<_n_KY_a0BqL`PTeMX!ezz(& zUVdrt{hO-kLrm|Yr-IoX%E7GUpf^)N(YMD+|ii{t*% 
zI>-@)VX~Z|1)_*VJ?-iw%L**3ryE`#T!Y=WFtDX|C(fYE9h`3)DE_`&CS%+m0oD(& zzLY_BJYT8emAqh_LXMVqr{E_vU#01de0!_@FNRR5j^`;^;AJ(fnA#p@&a>vm@3OMV ztxhRc)r=zaai1zLZ{CLoa_fR`L*x$ka4)%8= zae%nD2u-)JSA}hF8+KmA!Y*79#$q@f%>5pMy8$Ku!DuD11!pICMtVPJ$T!HCAY+1z z>FDNtVZ7Uby94pO(Q(S3Es%HbagSekDDf_!d-s#;r6ozYaBc^GrzxclBF`tm$fmSOx5kL@4fVu#~?tU8Ak9+aFr> z?+$Uzvu-;$&w>FQ4B%h@HxmbtHHf+(>h4+8Z3p}YQ5QsA5Ow#1_2$_KlsC@?Vr$wW z-4B@3Vt4us>U2>tdPVKj2Wc@yT$`qDx#_CN4$s_?Xr|_(;Hv}b63koh4LySa&50~U zju1ublp|-03)n|Y@`)h@s%H>5wPVCL&&FZBgJ+;hT*_#l0o9^Lq2yqJ31%xTLA}N~ zO4ovM31RXE@l|TU&}u}SSLwxaU!`q`zN0ooX-Wq)Q>H7xU?FS?;P9s4!UGqOm4XMm z=*Oe4reZXpZ>7Se7V8S~GL9h6z%68jCU%SUZm!zG1su{P;`h0JOP9dCjahB(F*W%j zm?UEMm1m+Ovcv>|lt{=>d`c<6M94Jxt3V}pILuCv-M#_w@2Et2`9vMe;^!^7{u;U&4!GfMmtGAltG#p1_H zvAo4U?-lZK=tW~rlM&PV{p__@Ey}HJI-Li0zRLKx8GPhD6sjCO(FWJM#UxV&c(rnD ztFDKwQ(cMYDh+PMuga~c^qsH;h`n+qg0@UK(OGP8H%QJqjgm(9V=Y^_P|$ljS)p+_G6d;bpx2A{wm$InM@IIUVa=+ zN0ugu!V@=TDNPzgn#+2U3h7nDKN!%yBr%q^+1;)XUr8vgNfKrNZXlLwxlrRtYU>;Y zLYE0^be%QcDx%B-LVNq=%k%iYD|@dK4A<=on0Ua%118=`9NfP_cn0D5B?`}NeaJz0 z2H_cmXKy#}-l41(-YB;+;FUSry%Is`+bd7GVoKT<1oBbJ_V%s^j^%5BA+V)!orO5B;@=^%^SnC`N z;DxiZZEA;WLfG%=Fp$u0%4R4^Y0NY!kO>(`!0qbJt_?o_z_+R-Nk_kmHmh-BJKhRTB$m|$#h!Y0jJk7PssrSW%_^e(37BBk{{e#~}8sg1=rDAf!Gm$&VUUz(>>v#@a6y`!R4uY?)-9nh}1 z(NuElCR7WJ@9r{GP$)9B=^IDF_8S2qrSPutZTmnEBM9K(1$x|nfP-e+UU3e=!}nEr z_>`M>`|X1ts-5UfSC#tYa8>F0)r_#Ysy6CV!&OyoeBYm|%I4E|0xOYq7s3|14|MI4 zhv`?Hdq0vA-D>Urcy0T%9VxvaQv+xljlem`_@W#|YX0|PUAlb%>k3#`z`7cVgQF;j zt{}SZ-%S%lR}fu6boF-g?%gzM;f-_CSPlhq$u5LU&o)QdCIWLTuOzBmLoPKY_(;BXABkGr9rw@__>lJ4zS8JW zf%1esQhVGZ^->Ow?UowjOUvzK4yhUwi`NM?@2D|y?cV8hZ5kC?o|xx!@8k5T*A4mQ zs&D%%f#2rqIijL@B`Z@G;|^~wMT>Kxjn`Zb!Cs_d;?>e{8%} z6qI)@JiyC=jCJA0^voU!kY0fF0;JbW9K2CMrUjYyKrSN+GA+ooAk*&MO=T=QPcM~) zJ9Vu?;J$Qyjmc|7mVz0b3=3af2s=c=4v|J)+YXTmQQn5NnT3ohK?vDb(hD}0hN^^7*_W7~ zr|UJgIR84vg`_jIxW**%6C@;!(FMwq^lpvFF7D^D?^wL=3%Uve&9CPjhd6ef%GW)> z!M*ggyO*}ve4|uNRa3+L;qZKPI6c&thR3(%46eI>B3o?t83-nk{E3)pD>FUw!9~s^}_O6LoWj 
zflD-U>~gY(*&9f2t_jS}R}hmKTBjQnza%4Q$+IPeF^XrOe|Wp@OX($eDlh!~& zy03~FT8Lfr4a&W}SIwF?O44Gg?r#=tHwT2uI@`@CVs@US1e0ZV2`(=c*vX9iYNt{N z{^%hn1b;N25d0B>KN@+h!5;>A=NAd5GTxV3y9M*q`0y_E*Q!)+le<8NyfRq;U%&j8 zVd+ZFUVhA=+|cW1>H@4$M@G!&GQb1=+)I(ilBN zaY+^TeE9H3selN2F8~qA2$U zgbP?R=pFf1aQMqAstzs@kP%DFn2CB?0Y) zaj(B^6WMMH{Hj9S8(&+o?oC3}?63sA@_Q2;K|9 zdm(tQo;ZZ32MIKsjIT%njgJ)%5-3QZAb~zx_;_RadB%|!Ymzp2ch`ah?jvvgr`7>gkC3&+ypeBU~)EFJDH}k9TL| z>n-w+J9lGj9755*Dx`Lg&~|$z56=q*?#UR`;_B%Fa0eFB3leunH4SOFJ5t1pQtjG$ z!<>$#!38Clakr0Ra4}g*`AggWkLoeva-O!g&@}7oaz+&uUUO)Rx7b&eg&N>o)YghE zF-X1@cRJs|&>`xIb{kko&kEU-AE01sI*uXmHP1oD3ZY=K?f!h`0 zE2Or`Nf(*)x4^jAabD-s+iVcRrTC<%A5L$KZJkp2tSw5c_gpGVVXV`A->p^1}~W z+I{RNbm@zwdL z-#(levzt9);=Q!>Q>Y%a!4a1xv-3>4p+!l%y)$>`VJlKwm?5o4ILa9Ub@s!Y94?)( zx%1qjfek5=*bX&OkC+bEzpvE~O z=U4A_L4H9;cDGDdOq+EgIHy2o=edS`Y^0iGZr0OPy zHbEyu+`doh=we^$=@I2aT<8NCntFD_*3>h|$?C)6I!W9qqw{J&57V_b#%~p_XbB4>`WeKXLGWuOBd-k$3)^A76zjF$9Hl7AsTi-{()l(<>8vQ{ztefcG&Mi94AffvPBWGM z*058}Y`eEsuMuae-Iy#(%SHAO_-Ta*V2F#ihcQ~fJmH5bF}TG^BA5t_VUX;hlMI@sRwBOKl4?eS$wUGv^kQpEnR>^b;|xBNGUih z5U)c=?Hsb3x83 zdU-1Jk?ILK*f$7erS$3?5GurQos^mRs*TXv`XwdBt?HunLdnkwnBM^eqm}Bl-}Iug zbVZRlx~um{>%EPZ9Y*dpr&@+0ytvaQzhFj=2Gl;PI$oQvI&qir+hRpNQStWmR?RErGX5nq0Y}_wsu9k-7n(4d~84NDW$pTsWWiY ztkAA~_f1ciicDTZr!Dw~k@gPNzs~Udoi<@|rYpO?9%r>70>oEq)nQp&EUgOGbS$JTgV`dk7sYtjyYStzT8J$7^-! zk%YxLAv+8uwA2}6cH>v4$kC|t0(-$6?VD(Zb#!CXuo(Cn8MaFY2Ldm8+~vI*p5uNg z^3>@t-rV0YCfoQZ%29V2`6@v$?}K?C%=<>-;Ft)qHOSVlTefb4q6gU;WNVPE_XVBH z#pI2ex9_6sI3+CNc;nnsX+Q30$c+>(Xl`?2d)dBkpaVh`)nl@}^u9GvjLQY4DB>x- zd+U4HlInH;8{w1`^v-f+J&vp+le(PHzgJW~@9tPYoY*%LcVt>Y8Vj}KY#|{gi;Jc! 
zGlB_U-Fa4-q|1?~dX2bbk}3pjhB&=DPjlPdC0!6bMH?(+n#_vmg+6T6k8B2$jXa8O zRHJjUhS?iPZ-l0HzJi#{&^q0q_$3)ZiwdUjo?9y0HU4DD*1g4l50JRx!6VRcA2uBJ z9rY0u_8m2!u`5)is~wm!pznM(eQtfybA5~pmf%Ayv%9}NB>#wNgFp3a zK}3r4hPFXN%-!q;5~5$XQIMieHv&Rn*2F-nO7`JbRi|%h9aXGLT^*Ps(Rv|AE$V58 zqG^r2Xdi?5s#ifS##){FC03{8auZDCEjJY@w?d(UH^{b~MepM<=1+~H^Y({6x{CYi z8Nl_!9m>o91v{H-(Iq*XTxI&~2LRnCRViX+8Sm2ftWN5z`MMnoGHHcC7Uy?`>KIJ>$GR!^{cg4HwH>d{N7-{L8i_iNjkG#vrq@=%x}Q;+_s zd9P{Q5OnK42B$0h?=zg<#LSZ!TY1J`xu+ykPv7x@>d6$mlj{VdM6O1>Ugul}e8UAt zwA3x9V5TMEaCN`!4F$?0+BU65Tb{*?9b$Ekp0q0z-7wq6udXoT6;5J`EP?EPQ_en} zx0yetF!u|9rZlzeiR%hN-sh?t-vet%Z}k43dkBt(6uEayIrdu>%B&xGhORkohmj*# zd&lMF3{h!X_;r6k555-kAkVUt@_A0;1Z@Q&sDgf!1vPO5^IIECsFC1A6y{aQ2Bu)< zy^p{ORUa^j*^k2wGnOOpe)igdS;+6zXMNU#csa0=GcczZEzFliBe79T>%fgFd9CV; z*84BQoHZwAhf}XM>P@y6%-dkz2J_a}yfs&zr&q5nYPy$Vv+{0hZ6IUp?Je;XTzY_W zr^)cEXOM1ft$y%zrx`^HL`9FAzAnQHroChyC!D$r&b9zC3mRc{)+Um-!*k4B3Onih z2nsvtn@`wD|7Y4s@7^lEzzMP+1K)KJ4o=Xn4gVowF7H|vPd(i0=V|;2O zFlPNu0EW$*;ER!MPuPnJ1Jm&crP8KLb;2+8?>eHR_HGCSQ?J~FboK%G)N3o|pj4-v zwJHx@e8y`vYdF`V?!-{siV*J_Ik%7jc1I!<3)Yot%Qk1cBj{WddM)!b=zHD%&?0h2 z@QyL*JJ6k4Qv6#dew^ta~AX(g&}yT%`#fb}g4=l7(Adul-Es zF7G13iwQ~jL{E;x@4z8UZs8qMR|m!V=*0G&L1O`%(GZB)-TnxOe~$+Mq>rEgfHa=~ zfc%*Nknu+e7Aox!n82+vx7$=8B|;WY46S-ldzYA>r|UHyL=_agwq&mbc(KGBM6!%F zZQ~JsQ^_7c+ct{+m@XaPumUa`ic-l=uYprucP5V5FI3#iV8x8u+k{Lp>qXk&-9c@0 z)vKP3&7kS%?4~uoyJ;P8t*;8#(vfi616z8Vh85Y;-yG0ZL4q6GYTlYx%ePl>OV_b$ zfa&4I+L+_ii^dea65yBs#{@X0Q!);OV~R~~WAGT0^L8&qNsgiFcq=Y~*#Jy5av>*# zta}HcC(MO(YzMp)9Xk?v@$1_Fz4Q?jpqJ(opqBu>H1gV@m;17THN*2Wf~A@;ERs^I z6m_xke)f8wR(DN_5BI=-Zc}$(2CZ@z*)7@P7&*;dUg<;Rio@WPg;3cjj8n+b^6nJ; zgyyR>Rd<%&s{e}-R2uDhN)~uoO-4}-j%u@0kyp}QRW`XbO0UvN8&>pB)jbp?2r~3* z`B`+3?iBT8(wscnoE+&wkE(jiWGUsR;BU{5i+lL0R5P@}==OtQHv@fTUu9cXzfT6^ z1IBS36)>P)wh#e5hE6D8(?9~s9kTo0Thw#d#`Ym5G@a*+6U5lSDys~&dS}hogW_AF z6^io&#fEY=jEag0{rtErwDqygF8I;L)im%Fi7`MI7Ts`Kmi46Bo6201{u2#8T%jK z{O43u_QMa4wJa6ZzKbAf0)puy;(BJ^qouJF*E? 
zr8sgpMjX*KCa5^0Sl1;q5|IngD%%1KaS2zD{0X`$~;5D-o|A4-|2i8i)PoPZm`e-&*fbe^gl0Kj zAcvQNe^W1QaHl+R0v3W1$x~Xr+Q4B_2#R-jjndqCN~hx-OR|R98%S@i3Czw{5EJL2 zqMuhdjEyzZ2Bmk9nU_tej|~u;nj9Y-M>G#9z#atB zo3kT6C&cgd5ftM0noo$|3-No6ywws>Iw`VPOs2xlH>3v}BvN))UqSWpxd}pv=+eif>bTlcX?qP5{u| zi)noHlP+RlCpxtaFhJvwY0}u;+(C^l%js&gM@dB|?u4wOuy-BOVqjsN{2ui4e9+1F zJIfafdjwKkWwY^vo{Sf0Nnvc?lHRok+W{Aj1qgLuT`o1o6}%L}m$nLD>fo~N5T+2s zv|SKWM`zmunL6~ub}&=Vvh=u>(8@~tm#AE(Wu|vHx60Y=}{_Lci%X zrwgMm9&FJHtu24ILLirDW4RL)n{0Xt-WM)@yjUPAdPGc(@|Tge1pcItQhPajn$c-+ zx#BULEomTGrnD*fL6@;OfTj#mxE3~hhn+ioE)TA@8IzHz@{Ou0$}~1y>wumncNn$Z zKAUFK5!gB4_8ju5FT z=%LbewKnKfq0}=m)BtCaZbHVZnvPGF*DVOy1|r*Gf{s}AI)B#UA%cY zUB|nv5jfs08TKb< z9MVU}Ti4ZW+!ylv8!%_U!5NrA5()kmtsvzJ8Nh^bm?TP+pU*DzCWiT4 Date: Mon, 4 Dec 2023 13:13:46 -0300 Subject: [PATCH 07/10] make forward-port fleet 102.2.1+up0.8.1 --- assets/fleet/fleet-102.2.1+up0.8.1.tgz | Bin 0 -> 5232 bytes charts/fleet/102.2.1+up0.8.1/Chart.yaml | 22 ++++ charts/fleet/102.2.1+up0.8.1/README.md | 30 +++++ .../102.2.1+up0.8.1/charts/gitjob/.helmignore | 23 ++++ .../102.2.1+up0.8.1/charts/gitjob/Chart.yaml | 5 + .../charts/gitjob/templates/_helpers.tpl | 7 ++ .../charts/gitjob/templates/clusterrole.yaml | 38 ++++++ .../gitjob/templates/clusterrolebinding.yaml | 12 ++ .../charts/gitjob/templates/deployment.yaml | 51 ++++++++ .../charts/gitjob/templates/leases.yaml | 23 ++++ .../charts/gitjob/templates/service.yaml | 12 ++ .../gitjob/templates/serviceaccount.yaml | 4 + .../102.2.1+up0.8.1/charts/gitjob/values.yaml | 31 +++++ .../102.2.1+up0.8.1/templates/_helpers.tpl | 22 ++++ .../102.2.1+up0.8.1/templates/configmap.yaml | 25 ++++ .../102.2.1+up0.8.1/templates/deployment.yaml | 102 ++++++++++++++++ .../job_cleanup_clusterregistrations.yaml | 29 +++++ .../fleet/102.2.1+up0.8.1/templates/rbac.yaml | 114 ++++++++++++++++++ .../templates/serviceaccount.yaml | 12 ++ charts/fleet/102.2.1+up0.8.1/values.yaml | 83 +++++++++++++ index.yaml | 26 ++++ release.yaml | 2 + 22 files changed, 673 
insertions(+) create mode 100644 assets/fleet/fleet-102.2.1+up0.8.1.tgz create mode 100644 charts/fleet/102.2.1+up0.8.1/Chart.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/README.md create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/.helmignore create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/Chart.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/_helpers.tpl create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrole.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrolebinding.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/deployment.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/leases.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/service.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/serviceaccount.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/charts/gitjob/values.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/templates/_helpers.tpl create mode 100644 charts/fleet/102.2.1+up0.8.1/templates/configmap.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/templates/deployment.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/templates/job_cleanup_clusterregistrations.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/templates/rbac.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/templates/serviceaccount.yaml create mode 100644 charts/fleet/102.2.1+up0.8.1/values.yaml 
diff --git a/assets/fleet/fleet-102.2.1+up0.8.1.tgz b/assets/fleet/fleet-102.2.1+up0.8.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..04a65ba0fba68c77be28b96531ad28fdf1faf5f0 GIT binary patch literal 5232 zcmV-$6p!m4iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH<$bK5wQ^O?V*Prj?nn|iX-6{tT|#s;X>1Xp)O18K z9)Kh~nxJf~hM!WDG(oNj8$e6T3|oyACp3huwA; zzK34eKQMp3Xl%+!f+{5u4!~u$-5AwOX-pcM2sHpkdG@KXG)0+Et=dJc?HkHtaif}R zOEIM}s`hv)2N1DLX_P9oIFzbQdxWJE(rbj_saz#MKRoc`?}x9J4__ifqOfhq;HNhr zDg7x2HSGr^O^eTN_$urLF{a343Xzi`!#DtNfX7sS6vF^O zVk#8XLe2&-q6`O}PS}Zz_)#5SDMl4ZnmTwt8jRpA;be>w+VGm{_o)J+;UXdo0~(oH z6RlG<=y*V(Cx~TVrBJI56Jwz|j;d-p4$8wV$kyxj!+zNN_bhe8{Mu`C9m&c6DPb9^ zFQouh$p77gZnrM~_jYzR@_!wPCS;6*+QRhf$E}wDK$GzRrfyLH*d}KgV`qZVXf}X1 zqjy4|NmR&n5Rfr){bnWDwypQMz_;K>A#*Va630|&Y1J3#2|}6;8I9n>`6-Bz&G}O{ zM9ER3g2S^npioXxLXs&BLj;8yCMYr3f|E}qNg2*%3A&6h63JkHcX!8##S7c~!};j| zTCLUCU;@Y^5n~K?h2=;c9ey@?Z$`jyqydvu&wy&63W!o!f-&d`Rdq<0rx&J*qGOIR z3}-;#1{s5EE^as+9ftGa93AGPIfOX#_$w_bAHzsUn1~w?BaIyFlqpaXk+IlLt<*qZ zf<)>e67A;xXoAr-f1aS8poE#o;D&GwS^!~8+!Qp-Qo(D46rfU! 
z=xAmLMkO#ZM5e-kj=7L{8hU@Vbn zxFIt$04?d*s4v0+rv|Q`5Dl?F#b0QMNTv`7Fd@>=O*I$VPJWCdk}*5ky}i6EQ^(Wm zg#VmjhR4XrYyiD}SDEn|4*sk98>CWvnt7fIw%n)V??I>YeWp+vHTc7SeV-DgZiI|~ z7<`{e_QT+NGqFDyP?1Oy0t!hMep^Vufm~q*K zV0sR?ICB{Ej6G)l>%7|Tb?1K`^sUhrc00ZPcJDvT*DLqAza6S+v>p0khfG9-1;J1V zZDu_+lE#}H12AS{0I&s@6NJLNE1@<-Fjj43rU+voJhoU`pam!9H61ge#26^|_Kdd| zog8zxEcSO}xxoOo_1xmI3+kTE2;T-ea;x0Jv}@ZI=e(fB5<}H?@NSM?t7Rb^+J$PD zS{xh0$s6;aX;P+2Y}wwjYaPE3E)5!XsVWOpa5ObX8DldjrooML8>m*sCLGamE=~-M zO`oPD7B^gJi6klPT?>~IldTOq^9jJp$TZ3QOl!sZA$fZIC*@zk#)QwEw)BcBZA1w*sY;9H45XH;TE zuG?+R{&#_|W%q3G*T308oJlGq)w3f;lrl`est4ncc^+XO}YYX06Yo0JTI{N@=D#fVEA0eDc zVYUOx3g$>KLoSR>ElqhQGR0<=i4>V)Y^121f!RNb*uX#JGoxW?3{%0f1Z&(E5pGtO z-)qI&mczY%hanmTlo{zY5lWvCJqfm=G&?hB4uUQ4{S2VB-&HM>;W{}g_hBnS0l|Md z<{UsrCuzryJI~j%6bEojrDcoRdwFD~Q4l0_EKB?GMfG;Xknk+^)P1V`=j?xtNy>;u z)w!A=OU({cr_Z((Smpoe?$`Z4yZZ;-js3rlbbH%2nuT(NmJ^d#UeR26Gi=s^_T61z zD$)^zKe?@<6STP_p;5pV%~DCZ9zpBhRHyYQ0LT;;AFVk)$m4~-gWKEA%izz>b?yZl;3SzY#m?};nxa^XsHFESu$ZIA@Y}A`EfsKtGO)$=wle2mv6qX?d zFFPK;oXEDYZPi2xxEoU&uF>eFva89cJiB=q__ihkMW9)PoK-jXy(P?MNwGAKN`{scg9Esd2XgS^;r&H(;lP43&k**UF7$=(`3 z>-H9Mw!265gm8D)+RlN^eM_GQ;r2FHJ97x(+%bufv3%A#74WPM+E3P&v901GuDJoRk zRd?^p8dqzTAk0a7gTsjs*XI}^ZQ`)S^73?#sh(uR59g<65=Zn?wP~&J?yhB<-Tfv` zN`9TGuK!D(f@d=TR_On|gPpy){@?9y^#58?S^twXRh_~Jn7hFrVg;xaqk(nRc}JI( z4EBrsncdsw5F5h1rzCL+(c~Qs5Xj}L>6B-N6f4>tB?(Pa0wJm(Z8A7>s71g8D z4;Pmw=T|51{`-{sObk4>lI~lqoFdDU33Eej>QWPr9rJ>;c)Cq*Kapj3+80 z%pDH+)025ki6nl{+3Z{h{Uc@QxUV?7%u|}fiWfmdBqc-2sJ54|pp;@M(rQi{4o^?- zqpds9cxw;J%T3#mn7p&%6r%#xv2{830dl1Qs6QH61YONvz}sQ17WH`*QG1$tOx@wz zgYj&aaWD*{#a~Fm7R6h`X%PGaIOQ>N4ZZFhXlVdJ&P;MjBRq^ELy>p)iHX`V;w?}f zu`FKZ%MD97yn;msei@uAt`D$M;~!9mRhfy(k>nEGD(>!8=#?Gsjo6hdtUzwTuBacC z7B!pBM(5k#h0?hYF3)U(Agsx%r6NRT{7}6U+=zvmFt9}*6v_egy4`Ly|FslZ>I+J! 
zJiz|1@BcoE;Z@{L7_YnqSH6z(s5^qI&j0r6=YRcv_uyc&|650@t&REVbGZEI*|1i- z-LBjd9-5ureDnB6F=gjiZlnXWCdiUdO*#`Hu3H00h0^(r^lkT*rDI8A zT&&)Xk)g(RnmcQ4rplrS(cT0Y;z&qr+iZIwhzee8W*@yLb$6Yso6*k@^%4zJ>f9Q9 zhtr~{X-n&f>&aTTa@XZ0UvA8nY*~NkyJ*a=v}Na1mg9=TuMYdEO7gk18NiT4*J3m} zr3uvo=zXSGUR$cme>o)4bKe7BA^&&wdj0zSkKS%?BmdWt$}-%}J<0S$NcxMrmv#M0 zx$u+xWY8-G!SEqoL76cZAwp7WZ4|q7+ddp*9)@DC`zevh2z`wgFU{_GigH-WSb$Rt zlX)x{d#|w8vhdw0`{|`Oanf5o5~w?4auAD?_J;slIyH-Z{rXX1+Wu)~+)gZdV=(Yy7uwekR}lze5& z7{dv@2T8&;t?V+=Uv7<;dU^CLS6q>+*Zu!ftM1{cZvR#F-1At1E9}4SPOpCdcfY^8 zyRrY)ks9xR)z-=bMD?R&2*VJHk{IW~MTrg0ha_W~rVQtg7}(ICKTn8l zVVnME5WLJ)IUpZXj)OT+GWTwIpf(7T@VFGfYQph zStG*p37XSz9t&&Gk>sWvW%ifDx2M~VAKY^a+wiAMX_3%ha2tf7-wYy=4E@d_4`tR9 zi5S8;j){yJDwP*FGj!X={}o25jq{3UoFp_NjLkr2lG_+dEvlUxD%lKb2^#xI+nf)I z=(ZYsS|t=5nu(C8GN!lv#2DHj|7e;nnWAmWC{$_W(afPjvY6_8^4$ojtnvIC(>Ts- z2w)J{*hxDYkEve_W-dvY@&&GMJQwBFl}IdBHhQx3_J$#a%7*^c3)2%qETYUls$%EH z^o(3f!ssuSx|S$^jYR}EI8;>Q-@eTQ8=W(y^mfK~p${!Y8;xjcs~~u7gVN1>jBFrx zEcgoz6Ea1hI&@RDV>)TWU>iOC%?{N$HZ_}w4~{{HvB2mk6Yc9Gw4>?3mXf#*YZ*IUiV zoxNe&wEf#8IfyoIioPvkYTND*!M&&A;(*)j8$$K`o=2m9^(u)0@$nCGZ4#$61#%s6}$Lj^;koSri3 z#XfhSg32R6)1@7JZDRZeQ`7o??$>};o&Wdtck1iEf3UY%|LaI@%9p*=Q#{+1KhjfM zuz|*FE%>tLuC$$L%2Wl&&cS1zYWVFuY*IPK4gi(~>v7Y?6MCA>Mug&tCR7y?q|G8g-Sn2=m*Zn^SyZw#*x0dv4d;j5U)AOG# z-M{`zR|lS84z9HS>hC}HyF2~O`@d^R&w5tv%|(AMZOoC%$+Ww$*Roedow-ptqjtqF z%qG%B&J>5$zQmqjH^W>GE*0?-aK_|&G5;K6`Rm3Y`I!Fv6`yAu!Te6gX9KO@vs&7T zuc=xKIUS{m&U`_w>(-YBeH~as!q%U#%$FWh{ zbIfzz`0)y6e!ItRd7JO|EId74yUzoQ7kc2gXFuM*{-5VHh!yLneIjtQ~Tt=y9WW;FgcxmoJXK^7saTi9a$B&Tz_v?Rm`TwaWfvfEQ{oX;{|J&c&y#KV8 z^gJ;u4|Du9#G5R4NI2G8=5~1g=#zX1&k%F+gk8$o=l}lo?@g;G3V>DXzrVkD{_!&yFV2&e=jCC3np5p?N|Bx6sE!e=ATk%5eYVc%cHYgwG%l;eda6Ls@3g8 z#rpr+^!l}>2d)1nMgy%{|J{T7{=e7l^*8H(9qDoLIA2R!ZPIh6ru83AkR|Rd=V$3- z)%xFC`2E+t{_e*Azm~KGXGCk1?)NR+q{GbwISez(jI9hQiLS{Q?eC7+SO%4)R`G+H zAY(9QV(5H+l#jPTA|skk(f;&JDWC8-*aD7Y7n$&FYTuB?*zL#v<+~8xyYL#@(x3z> z+MnmZFbIz?t}e8&KZSQBl0F5GtDpe4UsqWZ+9r{5y{6%)`zj?-F+%f;;pK8iG zb3j89U1zENHBuG44Ao5J@@aFhL1z{?MG4O+s 
q#z;D@x)dLSaH=8^W9Mtn?Ivx~CT-Gv>Hh)%0RR7W9P(EHegFVOa#J?| literal 0 HcmV?d00001 diff --git a/charts/fleet/102.2.1+up0.8.1/Chart.yaml b/charts/fleet/102.2.1+up0.8.1/Chart.yaml new file mode 100644 index 0000000000..c5800e6d68 --- /dev/null +++ b/charts/fleet/102.2.1+up0.8.1/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/auto-install: fleet-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: clusters.fleet.cattle.io/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: fleet +apiVersion: v2 +appVersion: 0.8.1 +dependencies: +- condition: gitops.enabled + name: gitjob + repository: file://./charts/gitjob +description: Fleet Manager - GitOps at Scale +icon: https://charts.rancher.io/assets/logos/fleet.svg +name: fleet +version: 102.2.1+up0.8.1 diff --git a/charts/fleet/102.2.1+up0.8.1/README.md b/charts/fleet/102.2.1+up0.8.1/README.md new file mode 100644 index 0000000000..2f2a4c302a --- /dev/null +++ b/charts/fleet/102.2.1+up0.8.1/README.md 
@@ -0,0 +1,30 @@
+# Fleet Helm Chart
+
+Fleet is GitOps at scale. Fleet is designed to manage multiple clusters.
+
+## What is Fleet?
+
+* Cluster engine: Fleet is a container management and deployment engine designed to offer users more control on the local cluster and constant monitoring through GitOps. Fleet focuses not only on the ability to scale, but it also gives users a high degree of control and visibility to monitor exactly what is installed on the cluster.
+
+* Deployment management: Fleet can manage deployments from git of raw Kubernetes YAML, Helm charts, Kustomize, or any combination of the three. Regardless of the source, all resources are dynamically turned into Helm charts, and Helm is used as the engine to deploy all resources in the cluster. As a result, users can enjoy a high degree of control, consistency, and auditability of their clusters.
+
+## Introduction
+
+This chart deploys Fleet on a Kubernetes cluster. It also deploys some of its dependencies as subcharts.
+
+The documentation is centralized in the [doc website](https://fleet.rancher.io/).
+
+## Prerequisites
+
+Get helm if you don't have it. Helm 3 is just a CLI.
+
+
+## Install Fleet
+
+Install the Fleet Helm charts (there are two because we separate out CRDs for ultimate flexibility.):
+
+```
+$ helm repo add fleet https://rancher.github.io/fleet-helm-charts/
+$ helm -n cattle-fleet-system install --create-namespace --wait fleet-crd fleet/fleet-crd
+$ helm -n cattle-fleet-system install --create-namespace --wait fleet fleet/fleet
+```
\ No newline at end of file
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/.helmignore b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/.helmignore
new file mode 100644
index 0000000000..691fa13d6a
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
\ No newline at end of file
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/Chart.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/Chart.yaml
new file mode 100644
index 0000000000..d419f22cb5
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+appVersion: 0.1.76-security1
+description: Controller that run jobs based on git events
+name: gitjob
+version: 0.1.76-security1
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/_helpers.tpl b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/_helpers.tpl
new file mode 100644
index 0000000000..f652b5643d
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/_helpers.tpl
@@ -0,0 +1,7 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrole.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrole.yaml
new file mode 100644
index 0000000000..bcad90164f
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrole.yaml
@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gitjob
+rules:
+ - apiGroups:
+ - "batch"
+ resources:
+ - 'jobs'
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - 'pods'
+ verbs:
+ - 'list'
+ - 'get'
+ - 'watch'
+ - apiGroups:
+ - ""
+ resources:
+ - 'secrets'
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - 'configmaps'
+ verbs:
+ - '*'
+ - apiGroups:
+ - "gitjob.cattle.io"
+ resources:
+ - "gitjobs"
+ - "gitjobs/status"
+ verbs:
+ - "*"
\ No newline at end of file
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrolebinding.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..0bf07c4ef8
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gitjob-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gitjob
+subjects:
+ - kind: ServiceAccount
+ name: gitjob
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/deployment.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/deployment.yaml
new file mode 100644
index 0000000000..e7bbe5f20a
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/deployment.yaml
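Review bot: The `secrets` and `configmaps` rules in this ClusterRole use `verbs: '*'`, and the ClusterRoleBinding in the next file binds the role cluster-wide to the `gitjob` ServiceAccount, so that account can read and modify every Secret in every namespace. Nothing in the template records why the full verb set is needed. If the controller only reads credentials and manages its own objects, list the verbs explicitly the way the `pods` rule already does (`- 'get'`, `- 'list'`, `- 'watch'`, plus whichever write verbs are really used), and put a `# why` comment next to any rule that keeps the wildcard. The `jobs` and `gitjobs` rules carry the same wildcard but expose far less.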
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitjob
+spec:
+ selector:
+ matchLabels:
+ app: "gitjob"
+ template:
+ metadata:
+ labels:
+ app: "gitjob"
+ spec:
+ serviceAccountName: gitjob
+ containers:
+ - image: "{{ template "system_default_registry" . }}{{ .Values.gitjob.repository }}:{{ .Values.gitjob.tag }}"
+ name: gitjob
+ args:
+ {{- if .Values.debug }}
+ - --debug
+ {{- end }}
+ - --tekton-image
+ - "{{ template "system_default_registry" . }}{{ .Values.tekton.repository }}:{{ .Values.tekton.tag }}"
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if .Values.proxy }}
+ - name: HTTP_PROXY
+ value: {{ .Values.proxy }}
+ - name: HTTPS_PROXY
+ value: {{ .Values.proxy }}
+ - name: NO_PROXY
+ value: {{ .Values.noProxy }}
+ {{- end }}
+ {{- if .Values.debug }}
+ - name: CATTLE_DEV_MODE
+ value: "true"
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/leases.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/leases.yaml
new file mode 100644
index 0000000000..51f9339509
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/leases.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: gitjob
+rules:
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - "leases"
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gitjob
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: gitjob
+subjects:
+ - kind: ServiceAccount
+ name: gitjob
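Review bot: The `gitjob` container in the Deployment is declared without any `securityContext`, while the fleet-controller Deployment added in this same patch drops all capabilities and disables privilege escalation; the cleanup Job in `templates/job_cleanup_clusterregistrations.yaml` has the same gap. Because this pod runs under a ServiceAccount with cluster-wide access to Secrets, it should carry at least the same container hardening. Whether gitjob tolerates a read-only root filesystem or a forced non-root UID is not visible here, so those two settings are left out of the proposal and need to be verified separately. Independently of that, the proxy variables are emitted unquoted; `value: {{ quote .Values.proxy }}` keeps a URL with YAML-special characters from altering the rendered manifest.

```yaml
          name: gitjob
          # Container hardening aligned with the fleet-controller Deployment.
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            capabilities:
              drop:
                - ALL
          # … unchanged: args, env, tolerations, nodeSelector, priorityClassName …
```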
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/service.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/service.yaml
new file mode 100644
index 0000000000..bf57c1b55c
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitjob
+spec:
+ ports:
+ - name: http-80
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: "gitjob"
\ No newline at end of file
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/serviceaccount.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..5f8aecb045
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitjob
diff --git a/charts/fleet/102.2.1+up0.8.1/charts/gitjob/values.yaml b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/values.yaml
new file mode 100644
index 0000000000..c8b68a906f
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/charts/gitjob/values.yaml
@@ -0,0 +1,31 @@
+gitjob:
+ repository: rancher/gitjob
+ tag: v0.1.76-security1
+
+tekton:
+ repository: rancher/tekton-utils
+ tag: v0.1.37
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+
+# http[s] proxy server
+# proxy: http://@::
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+nodeSelector:
+ kubernetes.io/os: linux
+
+tolerations:
+ - key: cattle.io/os
+ operator: "Equal"
+ value: "linux"
+ effect: NoSchedule
+
+# PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+debug: false
diff --git a/charts/fleet/102.2.1+up0.8.1/templates/_helpers.tpl b/charts/fleet/102.2.1+up0.8.1/templates/_helpers.tpl
new file mode 100644
index 0000000000..6cd96c3ace
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/fleet/102.2.1+up0.8.1/templates/configmap.yaml b/charts/fleet/102.2.1+up0.8.1/templates/configmap.yaml
new file mode 100644
index 0000000000..07f1b5924d
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/templates/configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: fleet-controller
+data:
+ config: |
+ {
+ "systemDefaultRegistry": "{{ template "system_default_registry" . }}",
+ "agentImage": "{{ template "system_default_registry" . }}{{.Values.agentImage.repository}}:{{.Values.agentImage.tag}}",
+ "agentImagePullPolicy": "{{ .Values.agentImage.imagePullPolicy }}",
+ "apiServerURL": "{{.Values.apiServerURL}}",
+ "apiServerCA": "{{b64enc .Values.apiServerCA}}",
+ "agentCheckinInterval": "{{.Values.agentCheckinInterval}}",
+ "ignoreClusterRegistrationLabels": {{.Values.ignoreClusterRegistrationLabels}},
+ "bootstrap": {
+ "paths": "{{.Values.bootstrap.paths}}",
+ "repo": "{{.Values.bootstrap.repo}}",
+ "secret": "{{.Values.bootstrap.secret}}",
+ "branch": "{{.Values.bootstrap.branch}}",
+ "namespace": "{{.Values.bootstrap.namespace}}",
+ "agentNamespace": "{{.Values.bootstrap.agentNamespace}}",
+ },
+ "webhookReceiverURL": "{{.Values.webhookReceiverURL}}",
+ "githubURLPrefix": "{{.Values.githubURLPrefix}}"
+ }
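Review bot: The document embedded under `data.config` in configmap.yaml is not strict JSON, because the `"agentNamespace": ...,` entry leaves a trailing comma before the closing `}` of `bootstrap`; a consumer that uses a strict JSON decoder would reject the whole config. Every value is also spliced in as `"{{.Values.x}}"` with no escaping, so a value containing `"` or `\` changes the structure of the document instead of the content of one field. Rendering each field through `toJson`, for example `"apiServerURL": {{ .Values.apiServerURL | toJson }},`, and dropping the comma after `agentNamespace` addresses both. How the controller parses this key is outside the hunk, so the trailing comma may well be tolerated today.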
diff --git a/charts/fleet/102.2.1+up0.8.1/templates/deployment.yaml b/charts/fleet/102.2.1+up0.8.1/templates/deployment.yaml
new file mode 100644
index 0000000000..164340c444
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/templates/deployment.yaml
@@ -0,0 +1,102 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: fleet-controller +spec: + selector: + matchLabels: + app: fleet-controller + template: + metadata: + labels: + app: fleet-controller + spec: + containers: + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: FLEET_PROPAGATE_DEBUG_SETTINGS_TO_AGENTS + value: {{ quote .Values.propagateDebugSettingsToAgents }} + {{- if .Values.clusterEnqueueDelay }} + - name: FLEET_CLUSTER_ENQUEUE_DELAY + value: {{ .Values.clusterEnqueueDelay }} + {{- end }} + {{- if .Values.proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy }} + - name: HTTPS_PROXY + value: {{ .Values.proxy }} + - name: NO_PROXY + value: {{ .Values.noProxy }} + {{- end }} + {{- if .Values.cpuPprof }} + - name: FLEET_CPU_PPROF_DIR + value: /tmp/pprof/ + {{- end }} + {{- if .Values.cpuPprof }} + - name: FLEET_CPU_PPROF_PERIOD + value: {{ quote .Values.cpuPprof.period }} + {{- end }} + {{- if .Values.debug }} + - name: CATTLE_DEV_MODE + value: "true" + {{- end }} + image: '{{ template "system_default_registry" . 
}}{{ .Values.image.repository }}:{{ .Values.image.tag }}' + name: fleet-controller + imagePullPolicy: "{{ .Values.image.imagePullPolicy }}" + command: + - fleetcontroller + {{- if not .Values.gitops.enabled }} + - --disable-gitops + {{- end }} + {{- if not .Values.bootstrap.enabled }} + - --disable-bootstrap + {{- end }} + {{- if .Values.debug }} + - --debug + - --debug-level + - {{ quote .Values.debugLevel }} + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + volumeMounts: + - mountPath: /tmp + name: tmp + {{- if .Values.cpuPprof }} + - mountPath: /tmp/pprof + name: pprof + {{- end }} + volumes: + - name: tmp + emptyDir: {} + {{- if .Values.cpuPprof }} + - name: pprof {{ toYaml .Values.cpuPprof.volumeConfiguration | nindent 10 }} + {{- end }} + + serviceAccountName: fleet-controller + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{.Values.priorityClassName}}" + {{- end }} + +{{- if not .Values.debug }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} diff --git a/charts/fleet/102.2.1+up0.8.1/templates/job_cleanup_clusterregistrations.yaml b/charts/fleet/102.2.1+up0.8.1/templates/job_cleanup_clusterregistrations.yaml new file mode 100644 index 0000000000..fa59cc575f --- /dev/null +++ b/charts/fleet/102.2.1+up0.8.1/templates/job_cleanup_clusterregistrations.yaml 
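Review bot: Setting `debug: true` removes all of the hardening in this Deployment, because the container `securityContext` sits in the `{{- else }}` branch of `{{- if .Values.debug }}` and the pod-level `runAsNonRoot` block is wrapped in `{{- if not .Values.debug }}`. With debug on, the controller, which is bound to the broad ClusterRole from `rbac.yaml`, runs as whatever user the image defaults to, with a writable root filesystem and default capabilities, and nothing in the template says so. If the relaxation is only needed for tooling that writes to disk, keep `allowPrivilegeEscalation: false` and the capability drop outside the conditional and gate only `readOnlyRootFilesystem`; at minimum add a template comment such as `{{- /* debug removes the securityContext below; not for production clusters */}}`. The two consecutive `{{- if .Values.cpuPprof }}` blocks could also be merged into one.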
@@ -0,0 +1,29 @@
+{{- if .Values.migrations.clusterRegistrationCleanup }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: fleet-cleanup-clusterregistrations
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ metadata:
+ labels:
+ app: fleet-job
+ spec:
+ serviceAccountName: fleet-controller
+ restartPolicy: Never
+ containers:
+ - name: cleanup
+ image: "{{ template "system_default_registry" . }}{{.Values.agentImage.repository}}:{{.Values.agentImage.tag}}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command:
+ - fleet
+ args:
+ - cleanup
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+ backoffLimit: 1
+{{- end }}
diff --git a/charts/fleet/102.2.1+up0.8.1/templates/rbac.yaml b/charts/fleet/102.2.1+up0.8.1/templates/rbac.yaml
new file mode 100644
index 0000000000..361d68c08b
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/templates/rbac.yaml
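Review bot: The cleanup Job runs under the `fleet-controller` service account but, unlike the controller Deployment, sets no `securityContext` at container or pod level, so it runs with the agent image's default user and capabilities. Applying the restrictions the Deployment already uses would stop this hook from being the least-hardened workload holding that account; whether `fleet cleanup` runs as UID 1000 in the agent image is not visible here and needs checking before the pod-level block is adopted. `imagePullPolicy` also reads `.Values.global.imagePullPolicy`, which this chart's values.yaml does not define (it defines `agentImage.imagePullPolicy`), so the field renders empty unless a parent chart supplies it.

```yaml
      containers:
        - name: cleanup
          # … unchanged: image, imagePullPolicy, command, args …
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            capabilities:
              drop:
                - ALL
      # … unchanged: nodeSelector, tolerations …
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
```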
@@ -0,0 +1,114 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fleet-controller
+rules:
+- apiGroups:
+ - gitjob.cattle.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - fleet.cattle.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - serviceaccounts
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fleet-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fleet-controller
+subjects:
+- kind: ServiceAccount
+ name: fleet-controller
+ namespace: {{.Release.Namespace}}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: fleet-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: fleet-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: fleet-controller
+subjects:
+- kind: ServiceAccount
+ name: fleet-controller
+
+{{- if .Values.bootstrap.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fleet-controller-bootstrap
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fleet-controller-bootstrap
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fleet-controller-bootstrap
+subjects:
+- kind: ServiceAccount
+ name: fleet-controller-bootstrap
+ namespace: {{.Release.Namespace}}
+{{- end }}
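Review bot: The `fleet-controller-bootstrap` ClusterRole grants every verb on every resource in every API group, which is equivalent to cluster-admin, and it is rendered whenever `bootstrap.enabled` is true, the default in this chart's values.yaml. The `fleet-controller` ClusterRole is nearly as broad in practice: `'*'` on `secrets` covers every secret in the cluster, and `'*'` on `clusterroles` and `clusterrolebindings` includes the `escalate` and `bind` verbs, so a workload holding this service account's token can extend its own rights. If the controller needs this scope the file should say so; I would add above the bootstrap role `# cluster-admin equivalent; rendered only when bootstrap.enabled is true` and replace `'*'` with explicit verbs on the core and RBAC rules wherever the controller's needs are known. Installations that do not use bootstrap can set `bootstrap.enabled: false` so that neither the role nor its binding is created.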
diff --git a/charts/fleet/102.2.1+up0.8.1/templates/serviceaccount.yaml b/charts/fleet/102.2.1+up0.8.1/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ba27c748d7
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fleet-controller
+
+{{- if .Values.bootstrap.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fleet-controller-bootstrap
+{{- end }}
diff --git a/charts/fleet/102.2.1+up0.8.1/values.yaml b/charts/fleet/102.2.1+up0.8.1/values.yaml
new file mode 100644
index 0000000000..672a59d0f4
--- /dev/null
+++ b/charts/fleet/102.2.1+up0.8.1/values.yaml
@@ -0,0 +1,83 @@
+image:
+ repository: rancher/fleet
+ tag: v0.8.1
+ imagePullPolicy: IfNotPresent
+
+agentImage:
+ repository: rancher/fleet-agent
+ tag: v0.8.1
+ imagePullPolicy: IfNotPresent
+
+# For cluster registration the public URL of the Kubernetes API server must be set here
+# Example: https://example.com:6443
+apiServerURL: ""
+
+# For cluster registration the pem encoded value of the CA of the Kubernetes API server must be set here
+# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
+apiServerCA: ""
+
+# A duration string for how often agents should report a heartbeat
+agentCheckinInterval: "15m"
+
+# Whether you want to allow cluster upon registration to specify their labels.
+ignoreClusterRegistrationLabels: false
+
+# Counts from gitrepo are out of sync with bundleDeployment state.
+# Just retry in a number of seconds as there is no great way to trigger an event that doesn't cause a loop.
+# If not set default is 15 seconds.
+# clusterEnqueueDelay: 120s
+
+# http[s] proxy server
+# proxy: http://@::
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+bootstrap:
+ enabled: true
+ # The namespace that will be autocreated and the local cluster will be registered in
+ namespace: fleet-local
+ # The namespace where the fleet agent for the local cluster will be ran, if empty
+ # this will default to cattle-fleet-system
+ agentNamespace: ""
+ # A repo to add at install time that will deploy to the local cluster. This allows
+ # one to fully bootstrap fleet, its configuration and all its downstream clusters
+ # in one shot.
+ repo: ""
+ secret: ""
+ branch: master
+ paths: ""
+
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+gitops:
+ enabled: true
+
+debug: false
+debugLevel: 0
+propagateDebugSettingsToAgents: true
+
+## Optional CPU pprof configuration. Profiles are collected continuously and saved every period
+## Any valid volume configuration can be provided, the example below uses hostPath
+#cpuPprof:
+# period: "60s"
+# volumeConfiguration:
+# hostPath:
+# path: /tmp/pprof
+# type: DirectoryOrCreate
+
+migrations:
+ clusterRegistrationCleanup: true
diff --git a/index.yaml b/index.yaml
index 357d4c588a..caf001d3b4 100755
--- a/index.yaml
+++ b/index.yaml
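Review bot: The commented `cpuPprof` example steers users to a `hostPath` volume at `/tmp/pprof`, which exposes a node directory to the controller pod and is disallowed by the baseline Pod Security Standard. The example would be safer with a `persistentVolumeClaim`, or at least with a line such as `## hostPath writes profiles onto the node's filesystem; prefer a PVC outside test clusters` above it. The comment on `ignoreClusterRegistrationLabels` also reads as the opposite of the key name (it describes allowing labels, while the key, going by its name, ignores them), so I would reword it to `# Set to true to ignore labels that clusters specify at registration` once the intended meaning is confirmed.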
@@ -611,6 +611,32 @@ entries: urls: - assets/fleet/fleet-103.1.0+up0.9.0.tgz version: 103.1.0+up0.9.0 + - annotations: + catalog.cattle.io/auto-install: fleet-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: clusters.fleet.cattle.io/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: fleet + apiVersion: v2 + appVersion: 0.8.1 + created: "2023-12-04T13:13:18.369065-03:00" + dependencies: + - condition: gitops.enabled + name: gitjob + repository: file://./charts/gitjob + description: Fleet Manager - GitOps at Scale + digest: caa36338fba7e25713036091cf29b8132601ac24a273514a632d66b461204420 + icon: https://charts.rancher.io/assets/logos/fleet.svg + name: fleet + urls: + - assets/fleet/fleet-102.2.1+up0.8.1.tgz + version: 102.2.1+up0.8.1 - annotations: catalog.cattle.io/auto-install: fleet-crd=match catalog.cattle.io/certified: rancher diff --git a/release.yaml b/release.yaml index b0d94ccf4d..dbe15a7729 100644 --- a/release.yaml +++ b/release.yaml @@ -8,3 +8,5 @@ longhorn: - 102.3.1+up1.5.3 longhorn-crd: - 102.3.1+up1.5.3 +fleet: + - 102.2.1+up0.8.1 From 3751acf074b5aec9258ea6c06aa775d0afaa654c Mon Sep 17 00:00:00 2001 
From: Lucas Lopes Date: Mon, 4 Dec 2023 13:14:11 -0300 Subject: [PATCH 08/10] make forward-port fleet-crd 102.2.1+up0.8.1 --- .../fleet-crd/fleet-crd-102.2.1+up0.8.1.tgz | Bin 0 -> 23147 bytes charts/fleet-crd/102.2.1+up0.8.1/Chart.yaml | 13 + charts/fleet-crd/102.2.1+up0.8.1/README.md | 5 + .../102.2.1+up0.8.1/templates/crds.yaml | 3444 ++++++++ .../templates/gitjobs-crds.yaml | 7510 +++++++++++++++++ charts/fleet-crd/102.2.1+up0.8.1/values.yaml | 1 + index.yaml | 17 + release.yaml | 2 + 8 files changed, 10992 insertions(+) create mode 100644 assets/fleet-crd/fleet-crd-102.2.1+up0.8.1.tgz create mode 100644 charts/fleet-crd/102.2.1+up0.8.1/Chart.yaml create mode 100644 charts/fleet-crd/102.2.1+up0.8.1/README.md create mode 100644 charts/fleet-crd/102.2.1+up0.8.1/templates/crds.yaml create mode 100644 charts/fleet-crd/102.2.1+up0.8.1/templates/gitjobs-crds.yaml create mode 100644 charts/fleet-crd/102.2.1+up0.8.1/values.yaml 
diff --git a/assets/fleet-crd/fleet-crd-102.2.1+up0.8.1.tgz b/assets/fleet-crd/fleet-crd-102.2.1+up0.8.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..8748e5eb76fa4476add348cb3c870362850f09ee GIT binary patch literal 23147 zcmdSAV~k+YxAs}KZQIpl+qP}n>auNDb=kIU+qUhh>3;wBPVPIIWG0zUbCR?7N%lz& zKK%Bx*0UCVBm@e;zvG7zfZ9M@k-{wgT;_ZmBCnv#X?hwgH=vdl~qQ~+S0(* z*h5*tjz`?Y+6LgVOUr4KJ%M6#<{LGN5u_E5OrNn2h&iZB`YYif7 zlFDEZXca&`!PD^j1D&LzFri%BG=MEB>23cS36jKL*p#TI0i_prknHXGRS?6?ofz$m zjc4HDWG46L_3P!RXC{}=@Ac*Z-_P@VD)Pqf^?E4sM)&h|KyHWI?{4ei#_yfXbDNE* zgP=t=%`V3+=VEW<3KF8I5n0yKM2|P}k2-t&`I`Yvmeij7xt$S%>@*1pJu$JeH=yZ> z5&AC){;nwB6KS}fjkho)=-TwKJrm_GcX`Czt~xk0F1@*DlO)Mxy_-)fFjK;8o>rgp zpN<5oIW^al1u#VfG&m?`UC|cjA8F%zY7FWoPfXgMhxF0=jb54U{qdY@uBD&kK~KW-;}l=C>32rzk9pL{>x9ib;b ze17{6d{Cdcrw_r6bJE2K64(+){HQ22^N(Z!BFDC##4I5Id)J>_>c(aE`aRJy^VIm} z+&?>CfB!R|&(H3s-_HU(-~AgtFl$lnD2X%1t(g_uVW>{l099JDZv3 zw6XODEBh{=`2no+x*Y*AC6e2s)v<-Ixo4*B{xnf8U1c${ySzDG#Vj54Ro)1c1dq(F z*z5$SK3{uFRh8DdtLhbms#_>tps~qS=oM^z-CuI)W4B%7$6c&Ow;6|`%MXcQ1$;_( zn{BUjlh32XLUV_~DVGxC0t<6_5ljxMJQ0L28k9L`fc5UPa-HlXUFtzTiDRw4C}tj< zV=;)1vy%I~9(J+zD7>4Yfa|ncLgvVf$Mj^v4}T&;29u4{soaPk778>_!X7v9+gPaI zDmpHZ8mgcs&&fi{l+!QUi)pTw0rE;)vwTd;FRmP1D+SUvQyQPHY{i$R?I;n__s(DA zBsQ!r*1#I3zo9i_qw)o|6gl3Y*6Y%%o%XOO+6jUdN9Tzo*n1Ql_DwCDC(w0j=%q8H zjV75#1J1%?XW<0Xa*6@(q^28W+0SV8DuGgeqvBn>zYK2m1-HDW(-r0OKIw=`w}*@J z#QeJ18SJy0f&ad^>G|2{JMa1S`C7pL{`~lHTYY`u`~2v6yG-zxh8F>p)$Sjm1|8NN z#lqWa4wj|kKe>i6tV$4tD&H9{-hh24#(tf8>ND|$6ZHr7s%7=YJxo5j&~N_bvlOLA z_@Y^?dv3(%_89~7@Jt-F-M6XP14w*oRAuV;t!v!VJ4L>lKa|J|#%CAQ03R1bt=ZUo z7BMirS!XsHwi-2t}4Qn)o^NR(h3SqmQEF>XOO|X4s{Zl2^>r5PWhyFw|6Zd1; zbV;3ygL{=@N;#MW6QmA7c#p&_RO+|&Rr5w2fsB^7#{1`?owJ+p121{~@cCwPA$Cf> zfBI{Osx3HAJHD6;er?j)`&0Bz%zMOfQCS0c=r>^c=oMY6KC(^bJMrEXYNQJ$A5-N# z4ApYD@`Jz1gFmkKfckp0?85%?ag;s7PCkQ6gZrUuF4VzzgMD)%EzvPQ&9tDlpMoK! 
zG0QYX!=|tL3bfUgx5fm_7QL0qEDDO~EOE+&ZcP?H`WEwbeG55nG7;+<-b^O>T za~-oqBkB}2yIit;vAu>#LoI&|Yh;GVD`;fXx{l$i&>_QW0AZBCNaXZc3e!Fs6Bsdv z$_E{ESHHwKWK+0nWE8(BD_gE_Ft9<`lH3ozBh`WY){fso4jd?{LJnN+GYBnFx*oU< zZAfWTB9q5q4NRFA2qd+sIVqA;CR=Dv7Kltfrtg!F7onbx(zz~LrcRT`X;VC|tSjoL z`9PD1b~Nv`;Zi<=VxX`RJV^%fLjuFA?l+iF5zLS8h=ur7q&sf!q~_FXjyKoKZ3wPziEXR z;dJ8?GTn!`mXf*#cEeuRv6V*h^5^SR9cRYt`LAPY{$(nQ$sE0@1-fqUfLic!009+@ zfOgYaBkXY*p z9DBO(840Yr=C@~XI!+63IL5)jvJ5cD z8ZBk(qurUdb}mfnKPo!VK`32q^3KU%Bij&G@OLe}*2$o4wOGl%w~BvJ%M?(wO4`N1 zLa6DTn!jYecQ(F}br%I@jyF4(CN1W1H*L&2tkqo|M9mJ9=+OvwJ%G7T15?A2nAGH6 z(?KvCQ%op^hZkF7TjeK~vl*YnC#fF2H0h=mbkp9doRl_rsyf3@_4U(h3g1ysRJuM? zDx_`q=_?Qwndl~%+1OV%kAMHxnltMI2XAd0lL11lz% zLUp02S%Tt(a$b z#5Ocw2Zy=XU{e7vDbHZ?#hsljR0lcpq(f-Fu;17YVGi52)4_jFRM(Q)HK=u@EXOXD zNnD)IRD3~fJ`5npRUI$RqvbEnuDGJDM|s)Yuwg&0Z;N8xajv|HW?a5Ug9@F-@yLa- zj_~w@NK}?Z|LK&;HVtDfR^YXC1Qv&AixfXtm4}f2GZwQkgKl%|8PsWR+1)3WWf=7* zJs$#$qCESzv9qVA$e09J(cS|C_oNte0706z{P3R<;>q=chz?NP=5(L+Y8Kk!oaPnm zDJ~m&wlwE;T^p7IX874!>S)o-Vugol2YIge_4m36xAi=L3qk6L)Nej|t5 z|4I9Ua!}D>rHBTm{#U%%rvSAMsI#Z`=P%A!gOL_ZO$esV4e-?*Is`kjeCdrd%Gr+4 z{3I2%A)duRR@|go=9KhX|9oi>3RW=h(W|7~UZ^D8N*6Y(^I%^X_Sr=ulFryFHAptX zU5mV?irB`uWY8~b`N${tAYSjAIIGjX?@>wL)%F+Q{L-x8og4eYZ&BA+_zhiExNzJT zc7y*Jfpt&U`D*9){pE*`cJp~A*F%jtar1rqGLYQa!zNcmzw$q{(=+K`?WC?$IL(in z-Tn2xwbqq;k(9-9v?-ue>8xZ@ZAw~RhozROd^xL%ui{eS5eHVC!rxbRHG=B~Yv*+X zaTlz;%82#2-xrJ`703f3q- zpPHxBsXy5Xtir*M;U1caX|j%M>ghc-CV*vWSRn&v=QFsHj)R9T7(Aw5J_pl}B;SxY zj=VUt`U|}s!8lW)wj08j-mszSlUP*Eg7Rxsj|W0&uOyU6NJ0sQ(%7@p-$4G=VdhRVi^(JOCtx{`BAF;XV7SjPm%?1y1XBUB zo=+pT9B^&TdRh4k(WuI@=5v+G7B3UltFi<0&$v;AQA1n55xrW&@Oq37ZfZ)ArGe#E zRsXAIB#I?|o3rM}Jqt(S^W6Xg3u*_lm=DX4E}Xg-?$B4~6!W#t06tUv#=E9UM|!@C zA>7y)e@w6CW9%iIvD+?>zS}NZEmz!@e}UZ0buY{IC0wOn+Lr$%9LXML9T&nL+@&4i z8uW;6>u{_gJ-De;v9l^eQy^-)RK+GWg=r)iT5!lA-@6 zMxQpBHIV*gLz}kYOOx5VZ8v2-^@@Tw!E=DNiE7|TT(aV&X~;jbxu(k5_%<}s%A%m; zEPqYMNeTAD^Va-T-alCU0MuQ1YzJPf#v8u1I_p->*_(YNoDOC zF5sluVQK%-e0TbMaxs1Z#!1#%>JrLwcSM`u-qjABXreIVMUCv973IZ;#qq88%P?Lm 
zQH}aO&-iel#V_n&^{5Lg%W@Zf_jKn9t)ADkintjGck2q*3`iV&G9lT!XbFU^&M2vc<~ z?bt4lwLnA)9Gf6$C8d_*d!w-;-1e6(8yGutpEjd~E!nOrX;;Fen@!wyr7Fk8PhGs~ zCR8`uw$9MtFHYgmTBa+*~W=SMCb`Y_!F=Ul6^L zvVZFSRlcXvyGRY7^0s{5B_WQm9iv;?(*S-WG0)GrrluJreU^DGek1h`ap!Z${Vmt$ zz<~{OGvy1GIQr1&k5VUZ@j<@}$ zN8+Iya5_!d{?y4e!dyCx&bg@a7`DrvaZcx?7?hZ?1dc+H!y#cjF@71&o7Ay+!quPg z`BAYP(JkJoj{{G2`A+ZX(_hQjLR7X@8Z{gIH|@2M2b6)h%kW)tg(F&)J&%v5G|TFh zRl53h&9F4f87Ibd!-i8zl}|Q)IJ`K%@&lC%>9S9s$EjypgLMN=P!|wmK?3W(t{%+* zT#%Z2xASYONi)UX2}VdYfo~Ujedmy+KD{5@rN_W%lwAHIQ1>2alr)O!h1`(w^X)XF z4Gj7oVB@3e8ARH1JjZrl)r>bIVGv+PBw~#AC1}oP6EgMS5{2Z(p^-;qXA9r?7#!|p_m{o zezB77ZqULu&>o4UqCN|mEMNGd)|9N~s8f>{0zDYi2PTddHS+98&n4EN^QoWzi+3mc zN76W)(YEi!4|28atJOfIOs<7|I#?HbxzKxX+VX3xO7O7Dv`2NmQi%6)Yw)Y!86_u< zv0hogKis=ZuikGpO7w#^Y^WZ)1$(W*9I9&SbCWIfv%aKfO^Ghe(A+uz%@C|q^lqF9 ztB;8EI-|Z{4_;<+-A2mB#JFEUZ7}e#N|2JgyynSYIwxoLT08f%lc@xAjm(HzIygI7 z#_A_Wi|lV9e|;S-bnwjQCF2n|kq(Fh|S;4eZJX)Uazvr#O z6!iM@sIwVzsXxW@rB!Lx*+gqG6>rVKw-m`OJ)bl}jHtByx*1GNQCgheY6^u^?F!^O z1>xO%n(=~&MjMSk()Yn1>yRt!Yl^1N5UWQiUf^uBK)I+a$PL~yfH^H4R?T{S6)fdQ zc1XF&O~QdoAbSoGba*+p)-(ox`+jk>4SINg+~^PqWt0U+=6#{346NJ=Dc|^bP3NW# zis#_PvOdj0@3f3wkEgiKFn@OUpeQ^(*+`krJ(}GPGwi07T=k8To-Rd(f zzEt0Ex&w=_oSy4cTW|9XkYzuV_8@yi~pcpfVQY|vw8}aJ)CUd@H|PmC+k2M zce{p@*;7N;=}8Ser@$9s)uRa_bgH;U0U36F{c|m>yhV-;bD^-|gK$91Nssxi!84#1HamQ^L77+#mq0^KhZ*`M3E;% zqcaQxSmrJN-Z-MHK`XH0t#4?SrQmG0n>+`rde7ec8aCbOjZ4ciOHx?OD2M<=*vwJT zr>VEWGN%!IOtoyw#->kJ_EzcY%@d6BzE8!CJsaM+XU7A)7GFxtsj<;W+L>j*U4$Fe|_coO1f0oBNxX7sXS{1p18R8xHQt^4ZY)xd%|u zh>YcvHJ~g>f4E_UVv?vsh8Fm6uePRI8(&s8hzYzINGz6Q*s4qi6S8C_BM zpU#A6)O%{?@;W}7sINAR4sQ}EC*pZ9kaCy!fAPa2-%Dj>wL0Bh>NrsSIW*3cuw~>@ zQym@a;c{yH-=wTbQyghK_{)AX6c)n>=M=hC&5*z&e1!^TCl0P^rla~$AevA$YlY?% z71*Kv!3(Xf5>M-YWm9>7{fh|fI{s%wQ22J7vMtbcxKkxSJNU#U|FDnj_i4MKOq>N= zpey?G(E{vnyYUeC^Zw!YsWnBp)~9+wM5784+_&C_yO-A;GN((#yUUq4%oSu(a@$5+ z?%(55!@j7^37mdC9A~(vUp;lji>DlG$54@+{)uO&DfjgowaOPS^T8MaKZ7OWV(HEK zWdIHK(onljm!`0TZSd|`u2eu3uXF%5RS}h=4!|YTRU5YZX(dqcBQL-6nds+grswBo 
zU_YDh>&)$lq32^@2VTuB^258;+ldBE+Q9fkv{dIgoi69yGTIBbAu5R*`!~LbLS?l7 zYBmN3vDlVY7E6t(~};>Gh4S#Vo8j|B5Ww+AXw- zYTA~mX?m_$R)9=>}3;{AkjP!K7vG(Jyx z3I5D}=rIU3a@bxVT8Xm9KdBZEFP)#kg=u6ytE|mbkeIKZOy!>Vgoolr}zU?{-L@~XJ@tekZc28ysg-jm+CWTG)vl&Gf zErgOwB<)00Y+X-R8P<97GRnDiz232Gq$)n!c7O3*$FdlAZXuMsRx|QNqFP((u9|4Y zzUbg#U{$mRNySRZjT0)&5Y+!dceM>7T87*9dv29PVwI{8aM!l zY=)27pN^D10IcNkg|)j`84@Xkl3M zDDQx6SKH)W9`|?bqUc?ce@Wh6x`jvG+7NTV@h)<+t-I+?--N1hc=2nUqE$+>q2ZLg zea0ebVT^fU{jq%q-|+hgrKE~aO591TG)Z85f28w;Ej9>#Fn|U3S-Mi23l%~ z(WW!20fvif&puNgHV*Y}lRDWo)?QgaHpsAK6Sqp_4@AVWup9_JTG?2mp-FKuf4ol@ zEhTe$rN~{o9Vri4nx<=`EoJfZ?D{b6Ep^S@fN^cB%7|K)ofMdv-lEPf@ zlfj=3BAOaXmk;82X7a9**1;suD^g68J;brDS&Ld~wfk5WvVH2{1;0vZU`lbg%M=4R zLOmj29c#H*u6o{RbN-nC?gr=rdBhmP}gr3Z|u2A$bm{Y%S_c<24Yw%}dw>8*?F#qt##{rY@`(ssk? z%yseG+vOe6ZAlkiK_$17ZB&mJ*N6Q(-O*@AMey<9VdW~LOAp`9nQmW-C$lS&%PRSid5lU(+49M^S2V+|0j5P8 zI^Qv#HFaK4PRTEg$v`+mkm@QXEHQ_dbYaYjaAC98B03$F1F=6OZRPoQG=o9o>Zv~B zO^VHnKT2SDOz-0PQj_z@QQB{-7wIBWN`HHS*{F>^5K)b$(W;7UG;D&93GUZNu{?B%Lx zpG6Oac=krhlj^!Az<`&_%RCY60)YG^S0KWXGZwK>L$EJ3qP1T`EPm=gN5bP-Ze>f@ z#D?sk#4hvhW-r5qI&<0uzt%J-3z5n`ZOnAqW%wOF_$g|mCuXQKEoH)lO3JkO%(nGs zw(zR6f6p)955;Dt(*z+oiK|{GUz13;p)1rMhj!Dc9cA(o+ldr0@&)hC*)uAk~(Ux?ot-x+5t3ENH*Q$N8&E>m)j5mW=i{NmD$J=ej3`Cz&t6BkOTNJF&Rr%Y(euzcXyH*S zu%0tD|I^|+sP0kqHSk>G3j)RUiA@@wU+01+Hn&Al03L7G!^lf3;Oe+($F@iY*tHP( zq>lq#8}zVa6YQkAd2duO=7f>~jqa+hf0o{2P$H{LU~JL7pv~=i8kp~t$&6$z_`LJ5 z_9n@)Kviy^yexY(*Qmy#sWO=eH*ud#|$UAk6jV)?V9c3);jM( zz=;vmTJKKal-Q@%T5sdG){%P$ngNRumGfG$MD^nAY3K42ww~Ew1Nhg3m2li)WUeUi z7C8^>$j-5NoneeLUEeyhP#!M1p@szshbu9QEh~|*&Kck8M!I3_6g3QekD>cO0H9Q`Ed7_$K~3lSg*BMQ9v!fyolC~XVS+0<@erj$nP5eNG} zycbfZ9esjcJ+T|#D+O#pj82PVBsd0kocxI;W{L1P*+ZUn2(8`Ja%Kwrv|hRhv5GaL zyv!9P9Z5vQjN^(EuxNEFqR4`e-0=?``9qphho4=ezW$kV4A?RPw>@&6TcqU5)Dq;! 
z&sAf$OBzLkazRYZv@6e<#z!5OuxxQiJFr-71DP{On;{Yb-JjJJ3hW9>AK{| zrmEdH2d!*03CVUqwf9rwZp43L)x`{sywGcn%YuCfFZYt|<`2rW1AwgLqIuy5?B(WW z#X4Bs&5yDu8!upi_GW^loq%)cVOF8D|DfmU))?E?--^eK&w7tH3ddLd3c-^(M!Rcg zUAI*PJxhzc^r3ywclchZ^MT%Y==8nPC_OJND_*o(ZVe3^uN@hR@y&+Hn2{pQMmd8l z+&}(XpMbkT3y6}BW60^3eaQGZkER#W;w1%006%}T>HvlF~w6?trWo@^?fxod~PhZzXYv`p_o58uUVd;NmBa}b!%-Y<- z;~jiuV{HemDI4NF`1gJfym_SRiXMWEx%n7DDs&_>u}IF9Q`{M{1%Gu2XPey>9GbtJ z;2s#X)ChAT-kPdYg{xMGa}kBP5J{|H#*oRO? zqW(*r#QM~e0skr|0mHjkVUSw=0gST4%4K&hh-;o>CMxEySpr*Op6IstTb#H2@i=k$ zx=FfkTOIsVvzfRmdu%D*$HV2uzC$0`jj(*m^MAwP4Q?2f5MS} zPofhgg}+>Z`MPPrTpKadqLx|@3aul{9%FbohUSE3uuj*wM0AEEhh&&bloQPY)0JOn z7JKZJah@ifs=83}F&Q?wZ5mw_2V0zgFPCgY?Pj@nd>soX%B4@?Kg$;4chS12KuE30 z;z>MonG-DZfCjqU)O74&pbf(5_p|-_>MW7$oH;lw%QsQF5arT^437>#m*TEtjPiey zkuW2aX&{jG^qZd?@UaeUNyZK7ER2`e-|zAw?xv|)mbl93w3-8=1Ukln)<9``!yesr zCW=78QHJE%BN-mLlYL?nWw}oR%W*-#zZNu5-%n5eHbsuY7Scz zezED;{f3J<@NshHOD?`pU`~u9`w(~_O4RF9Pe`|dU5Hm~>t#ls#d@Z(HO&6=<>@DW z-t0)oqTC#CR!S8wWx+zZ^e5m>%d-u`Qae-X)x z2eUoF)&-HUE=J)-^6`Pq7wY#;`b8A^Q>8~%!(^|tZm9c6O(EWb4Wx97jxI*h(nN3? 
zxO`ie@By>jg8Y8JB1hmW*>Djed=6vkKO**q7RR7XP0$wJ^aY{&(=mM%TDnsWZwh*X zyWeoN#F6obE}%L^jV%;+f{%zx4;I|ZEUP=Ki{G@xBLZ=IS1xFqM4W0iHEpUYxVapaglXp zI+E!a)!*Vs8b=zro;YoY&?O(p(Eio1pBaHiOB-osdDVpoC!+0{MpZc41sDgr%f#`; z@8^r7MbZXvHP$qWiunF;kG88COX%;B3s}fVqM%DX_8fz4H))qpVK8J~^Cljxp+af5NDUTCrk2rFPm zQZORkU|in%uOyXK`Iu8r-NBjw@TgFHram5NyX({tTg?*pC?3~s$sn?CUJ~3@C_z*A zMwJ@UgAu$biQPau$01IJ*gkG*`i*@Q>;(yYO&G@*xzZ~p(Av^J&^kmgHPD)U^mvaN z$9O=1RbXN)E|wj9%{eF3-9eUQ+)a*2I%&XHnLRm+weeqpRoZ%p)oNuYER{F>as-F| zM@w{!8o?BBmJp#pL3EMq185e%17;Sl#4pObJeGTG#&yck&i**Z7b;7t0_bA$ViAAQ z(ne)MGiS2nLVbqfmkxPEOEktQG5v=J`Eaw~^@@wAT`}K?&r``vsj_2oq$XLR2)oB} zgt*=+VTT4z$)Z}DEaagmO6%6Nwp~J>NFaDgGR3<*VM>KQqu5l8og6$idVmxy^gtf~ zHJtlzFm4~O`5k>d>k5_cd``yH(99v zktN3{oAdiGS*VIR8?OhPm6QMaBpFFSiha%$HDgA8_RrklDxp5Aq*%XIAVDrusRUvP zAxB5yEyKHVV089c+QZ`1M@rpD-`}wLSo&@zU4|1qm$|1kO!diXggOt@6l2etL5er% z=wU86wZh&GS-)Y$#3=F&%CZE!kq_oG!DkL98ePm}cZE#FB7Yq(FTd#bNAjnp`zVTY zqZ--TbOCq1WNT?5=M9`iv^G7tdk1T2!TVFTG;f3bhY(i+G>2-xfX(3auHut#SZeR1 zb5j4#FhdkNbb&iPir%o&@xVc%mq_#j$f~0uo6WC!6`4I~zoWHjE0?iWSZ{uTUaR{T0m7SzjkEQ3b+D^Q-8T zpXQeXostCAJVy!)8YFf*-lSMZ2?8}CBsOC$#VAU5-2CBRjNra4 zATRvkCsx)hk7MFQc2e9#UHH&Z24gWuHH~R`^C%r`5WHG)5w&0A74da0nkrI$Kn~X| zAsk}!RDlrRRTVq~S^ttaw9x8lPkVt;4AaqSQOxZ%oY&2N3Gale!Yvm1#M` z*@jpVm7~B-{*yhdslxn)iK+d-ew5%pzrhE4mZ{Cr_InIsb{IYGkdkcP==T`q8$}>Q zDJHA#nw03CwKX+P41G}lhI>dtdLzX(pjt3m!&NZEHI``DES^0_>D{WZvbiX%;A7K> zNv!+az=$S%EHtmAi@Wx%!=liEU~8DtK~X5FQ_bmViLgmh_EZB+FenB2yka{+Gk{HU zQCnl@D)aEPk)8GBJTG6ArFF5o0R*A}ZiW8yO>>r8hxN4oqz}x}0poG3OtKN{S=ftSkTWBk#2uz* zp}^#NwHJXO!iU@{Ecbc7<{X-g0G~*&Bg%2&S-UUy|{`Z+{q)Hb>%gu zL&bC@LpxaTTJD*9sMBE7oFc)d6}q)9^mdDHC`R_^X99<{{+d;5q}oq*T-xF;irXB5 z^5sdgyXLHklI@xD0Rzxkys70f6c|-5HF|=rq}n>a-~UwF&rch3OeHRbS72P#vFJOP z=oR&IV*ZdW-5sSbkVQekGeyD<+zFE3$9twT$SVHnKjV;I#IW=PaS<`IlM~d`Ovpp; zIRcX{?1Bl9HA2)AXYs2^>2L*Py4!U#=}^ph|*kEfsvxin;*%nr3?T$JRDt{D?-B)SR~0kn(H zR|bbnta`5pq}hoaHUcKq&DCe6(Bv()wZzQNlVX>r8VwmSFOsxB7tbweZc6^l})cTEU=Fi+i4IB6B~?ia+tNLi@zE 
z-wiuC2=7)@>n9N_p=bfQsBYa8o6|8vnh)xwq(04adrK`wOaFu#POyxq%2z_r3uWkD z0$Mn?sWPA{$?3^txtIr#3fRPefoUX*q%UjYBT2y zSvrX?KL3PdSN!4<-5+2j@Yy=r(f3NNXjA*qo8!vV#3;6=`Tz zdOn7dm0d%3TOI^rkGJu=#BJK?bST;5!Glk?J`i8*-hTkDQM%?LO9VE1 zYdF-mgDKtmK2)SipF1EE#~5}ZdNX&+9>lV*V&mm}&&VG6j}+V_V>_v#?F89(_LY3x zkvV6TKzV3I=p*MIhG%awUUpud=br~-zHVPiojW0E&{~f1HE1|(25~mrU9gK8NmT&{ zlBC-ZZnsjOo(PHwADGQ3Ce9OSfRm2R<%Yz|{tTd#IrdNXea-xM?~c2bvQ<};@EYGy z(xXOG7TJF_9i9s?kXJVgl-=|Bj&q68}iHpcWdm zqNF5r-E$acZh?~~FxeF#O}DknUjr-{jg{bS^1L9yqS7iRPBphjg0id8))&leY?%*H z3}os?SW~#BlP!#XLb^@(?dzl^=c4LS5t>OM94$|ER%oB0ENV%z=nE@3TP-`Hr2-)@ z2&Qg->>Z%hTH%Fdu|iZ$s6RgDWWY< zmtFS7y8W7^iwc4oxI!p1oeSbDk@MKG&KsV;+s($r3B2z%CMMeUnxL>@IUjZ!H|R-V zYrIPpVIJMZIP{~`!fRjqjacJn1E~A1L6qT%?2;INADa(LwC7HXK?-v~0p~)yZRQ;* z%&lF5y=N2|(lVFxRRmGntlko6cMY?Q{P3%_1b-*XvZ)I$a6~Hq2sD z#z}H*U}V3Fg&}o0IOTMo9}-nLa+G4+MqNSLO3q81J$|~I1Abrt&oC|IZ{k&-LZ@Hm z&RSiZwlP8WAQO`JYW7z8B9ADXL;Y(Gq#~3IR{~$(D87FqmL}R#pAJVmyw`bf(j45u zfrn=fnhcI4cg+YmzL6_lpTejkjs1e;!2AOW>A0_a@Q_gwc zhC@k^3kD>0q0a2u^60-$QsI&YwM3>@yg1rbADcHt*Z<8#g1z@VojCqVR>?dJJ{s() zNFi|MkBjtJ0Mg0Wu6)r+3(uZf9l#u83O8w0R@ha_q(NYBx15I^SI0(0Cxt@mMj7}t zunc37ZT|*rsyJh8*rh&-yRwo3Z%a^OC}ASAb+KNdgN-g7?2;QT-;DFtP{}t$L1o1Q z`+v5LfU0lowqKed0rxML+&?mn(2ZYs!L1N{zNh8KTjaqF(N%*=t)gb``Hj*wc6)aO zs=dX&!u$BDHu!x9qK%v`u?)5a9=5v4Dn{Z}yb^LZiwQWku=tM}vC950L! 
zF5TY*tkR6m-T7I-lk~oE6zOEYKh#i!YBg?)J{LQGKQemd=l<+;;BMv$IEmU#J$x^EC6=$-@8_B6`DtUIgRx(a z@B8TTVeW+9tSYcl?S+ArVEKNDvu>0%gezlUm>(3ES8L=)L@QIitC1+y(r!omMa@U| zJMLeP!xf&YGU*bxT(HK^d*v)-9?1y(x#AhMis{H&>fGNphqR61_TIzim~`$9kxc9) z4OWt*vEi{f%+i8|7QG&>NP2z3<;6}ZOpjH^9$ABQ3*>>+6emqT$&(G7dI^^DQrlE+ z>*U~QM+P*%F_nbtq()pZSyBqOWpm?8)<9*n{mtIBqDkH!t`8{DX;-ZFjA%_wA2crF zmUe?w%&w%d>)u#f;>--FCmpe>n%r%ZLrtCveG~X;%|%Bj;mboLS$>i-aB_=bl?9@q0vyo-a zMT9YX-JTlQ`+e0GPt)^T0&4594SJtd?vTML_LQZ{mtECS}SFwS~XCkqm?_s{=QLU|lEuzmUDC3U9L z+%?uARfs%a)z_VU1-JI4tV9ynYd((@m;?VLkg-YrwP@ZeHh7WXfj# z?rsbSaAg8%5zxf#Z|Wxx!-!S;e(CTKD~L@DUtf}~M=I`hBCQWpEGXp7wVR~>Ry>;H zr+k94UODHl_eOOfFuzwpl9m823ZFjPo4vx*lIMh@(PSQz)aUY@ zfyBbXB@&eoN^@vQiv15s=plA#x_^_%6=n2f|8<(3P>VxpUS!4R3QJCvU*{!%-bnoo ztIj(5Du%67-|KUlOt{caAEx!H0B%sWLM#|Z+7(;+I^ON!b2sk_ytJHik?Id0TUeZ@ zDT@uY9AjL)W>^^(dI6YVkr)o%L2&{ z(B8i|5AT@LdM&eRJtKiql!f&ro?1y!D_X94r2`=*neo^bZhM`AerbVJ&c>Q@8f4Nf z6??Uq2Ip`$9&3RSvK$dD356OR(2ulRoFlSvU(DWCMl!?%yg~W(;kY1AE9gnh4iG)I zWAgTMo)gs;T)%!8#Xv08fO`s`*rutrT$x<)Ja0V=ZM;&aIAQ2>j5x*|ZNhP@Pv`p| zZ6-O|!YCP+G~I0{&s}xMnsF{YWapMZev{DLK=aXa@vfUZ!I9!b zbK<(&=LiQ&bHZ+01o-#FRf^H-iZFO_2AIeO)Z1@O{%~^G99MRrE*%lReiS?z&-T|C$B5Z)eeL4 zfG;3;7JTO&zd7HW`Ocg<|Lr`p zf9_m+KfmjD-{WgCOFK?8kd6cQdH^bl68ZkLH0b4;K8>HMraZ0Fwab;luZuQ#e~S!jfTVv`G@&wZNR|`z?L%K17ndkc3OT=d&|_hdu=|%h=Y(#6C{2t|>%HCM`5;X~fR&YKs|6Mz=+z03 z82uPB)Sfy)!O=}_QuxJERXYOJinW}C$v??V0IJc9)BCLsTRY;=AJ~P8ne7{@6@i6c z?1F_|4idcdwM7*+a-@A0&59Vv01=HT_^?={QT^p>+HSN>(y%aDM(COVk<}MKf5sC> z`0Volj;1^ze9zht+kTm;Bfwp5**h->mKdrGG zi&DeA%%=PJuhg%EzQm1K_J*AffZ*P?Q*ZYiUkHR?VuqXkFI8r6A+?rZH=Rk!T&8G6kj zAG0SrR}gHjSo$Q*PzPHY=*&vi#TO9xAO*5{c!a1nfTs8BiVB(ayx?63YwzF3faB~? 
z(DY<_phGZl_@QkiA+mX>8f`d0vUxPn!$>-tOhuDSnvG3+Cv}Jv31b+ZJcFS#oxEh= zoApfy)7fA89$cO^1(u87!ekYBEc&*}RWM^!Y2hg<<3-7Mx|)8|3_lujtfjYeiGdoi z=*XWVQ&^`4JxyS>><%)8jeyjt8gtTr?2U#h|DD1reGF!G}T2JC+R`uq2zJ`2d?M+EMEjISv5=HD)-T1Y0` zU|lh%xYyS&Z_jy-yKLvv*kdya+qo**AtF;08UF7pn)Ks+x`7iSJnScHHZHg$??dqs zjI&1}av>UdrkL?idS&0SR!HozWX`k%`17^2tVIkL9c~#pqTFSyIbpZPc_rMno{i-F z%XXBg=dm-Se3Vx5qi9)bn2!%%jIm_D9Pg)5W|I_4rn{2%*H?YBk9~+PM z#;Emej;P;%-k@+y_D1aKk6x9l*>sXB{oPR2xjS(j=vDH#3=F7Y10!Hn}Xx|U%@*pAgr_><` z?xva~@_b2NGj8S1_f7Rkt%cZkZr+KdszK*ncM6HWU zuhi8=Y1+nVJ-OV@1nc-7jMbRml)$(TH{*%@qKI~c9-Bi(Legsc92Q46rb!|B!*Y^C z7~h+Uz@$~N-``(0O)`UZmKvh`@PlI+?%J7ibDwG98}3Fb`JIJntb4XMOwNG5X&C!4 z4ivV2nFM^eq_iO8KC3$n{h;LMH7unNC~t$`3GpX&6Sm~bfk&m7ik$;`Z}x3;ovSS& ze@V58HYY9*Sr?l}$JqFZ7P{hw$=0;kvO-&I&AC78OrgR*&KgZIDH6gzY9B&d%B}@J z>wrQycy1qe^H-9>#GCD_PSS#)_6TgMmYE6V4QZDdKk@zBO`<^#A=y~Te<~-0_73U> zQMZ+oMhAx*Br$-KtUrvjec9jqmNt)`iG-|^U{OW&c|y8OzN;`A)%lDN*LZ8oQz&FH zWqiAJz&L!oa@*GiKgj<2#{t){Y+)j_&cEIkO$;5#v=lhOm&l@tnQ6rYz-{fEFu5Nl zR(gUsns+RQK9DZ_aLny3=PLXL+vrK!LT^{(qx^sBB_3D3Pgq3BcFO8RX$93z^Lk}d zWwC#IUvar7e|TR)qIi(C3DqDke6K1`Ju0R{1H0H=DpuQKPdgOT^*+WYsXOh<+ehZa z+t*`AjjMrAjSK6b2j!7C^Y-o1;Gx^Riw=^a4SJdyBqc%~Y-z|5?Dgged6ymDI8ZPS z^QpkbyfNMd*i_SE0IHhuT8vG%l=;LUDmn2L%M$L_}TPi%|jNm<9c?L;pA3(_c{Zm4KJr8`5q3z$tPk!|dZG2NZ=5aCCk zowE6P2Mb<;g9dbAt6*V9Q4ZfrBR{`yz++n_s{ZMZSx9hz0W(Or1bEQMYq2=CYu4_! 
zlkIJMSu?hZER47pS6Yz0*m_a?m6zPZ#yy*#Y5RC=Hw7_F=Zc2AE4Lj6^d;*l_=6k+^Z(2E@J)*899a$NAtKd!IA)nd<)bK}&ZK2`4#W}ohX=jV|CR@JcRWb^ z-|}D&`!^5j{~HfHPW~+qs4o8DL0Z5cJaF{>pLj4P_8;;f{pSCl2UO`-wB@9(79*D{ zL{%Op0$w1eTMi_**oq)IkZCo*`RSGeMyt6%Ye*dSEeGCb{VNAn{ckzYO*A^r$tGv} z2M0XY|2+qiRC9)7r8A%#N|6*J^pIJ>9|Q#$B}C_F4Xj-}j&q`mYCpWoCtRF6n<3bBbx2~GQYNB?ptA7K1^(7-y~64EUpTvTRTaCPhJSa1SgcM z7Ox|z-Y8UOgYVPDD#VaKx}GpksOwKkz)A7%vPX8ovp&l+oQiWv5a)UZ@OM7@;@w9Q z1+*2sI)a`d%*)|6kSDA+h|9M!h-_P3MZnYNk7MQvosCw=PT*&a;LzGxCESdS{DxljMI1a{d%~WN*QaJ7}(=XmGUcF~>mI{`g_e8l#5UWj_VR zQoS~(_J)F=4iv9aZR(xF_Tughim;zt-$Nfh8qPE;hRPA{l`>--xO7>9#&Wjy4p=lG ze@>Zw$Ds(HfE#*Y$WA}8Rx=&_HdR}#t?}O3Grg69%zl>$*1}xv>c+L5{MCV0MTk59 zjZ)d#;N#-q$&2I1kvR8`C7JV-%9P1jkDWUve-i5pa0w=V&MT^CHRWWHVvbyPL1i5` zQdN$u4&y0EYnxHveUSRxC%kHr4^P5aqU9l4CiF{hVVCwac@^fj_Pja$B%CkV43Vpgd!|5-PfGjvq0liVC)=k&- zC)zG;)nPDF*X9w26j}bEYsYxm!6wOVbuk`yx>hOXn8ryRb!A1?xRk>*KL16qP1aez z5$)LoD^k}!7(Qb^nvV3vfk!C6MKi}bi$nfzUSLF4kR@q6vsQHLPqXSuyFon-vukx| zy6~p^YE+&?tN}Ib@_>$qm#*iVl*{&X0sUfAl+xyKlD)~pnVI&1X|r;G2+iH zB;1bkgnDh)66x)(LksQulOka$<>@ri6@{%!jM4=IXVmw;SYS`MP+_k||spTn=Qw4?BG3?kf z3gULI$}X#jsC^S}<6%z%dNj$XWT^ekMvVt<-8$3%=(00wUbDnXoKQ8xYvG+J{ccri zxN;sl+)+k8WI15*$_8~}1yPKl45=#SZOQjGv&SZupiDU;Akg%r=yRL@^wAvI;jP!OE=U%r7s-N4JTP0wqe@* zA{PedZ4Gx=9Lr3;®dQpJ|)6fyu$XV^ff#2W8M#8qp+IKo>FPApH zD&aOp3p=owAAs`eEBb!Zc`nW~T!GBI0&LY4is19hUTZ`b(57NAewrkQ<(27V4Xz?P z!+sQwoFwr%czy>#&;wu;8(8cPudOyhNltj-sEDxn%8tLsn-E-Btbp7cP$gD8jq;zY z3JB{VJ!{i~jLKM{qFETSAg1O;0?uwgASGbBExIHd<$~s?b8trTBux(ki|;)Lj4({% z_gV>vD+V@a8P|KnQN{t1d2Qv#~_;? zg(~DrW6<*igQSDtq3u;RN#+Fc27Y*fMN9|IYhud1g^um1w=JuoprDv0v~r)&k3R_X z7Wi6I^~JC7ygM_ET3^X|cvy;X%RY#9z|}BH81GC6;KpzDlfe^~RS_z~>~M7{Sk^N73oHoMRU~Ab~vJwWa%HLmE9! 
zB)y_K2cKFWjC0w!NpPRY2F}My7=a(mq?QlF`<&_QpuMJx+3v(C)-}bCXKf==mD{Rn zkZ9|ut)`sB5bOm6z&+m;1~k-iXINljD3(a-!=8a1WWrnZe3CocL!9!4FD7X>pfLP( z>7gL0O(KT~Rv9U)+$1+jxZEBaI<=KP22u4u#|ZL=7ESPzI!2j^-r={URS>$fv?c=e zcb1kA`4`O))IVn`G$p1uhG{=Af11R8B&}V~;%KPF;TS9;<14?1T{z)y(Tu!t8)!qJ zS^)#Z-;=qF%`&v-l8U4guSwqia3X}^or+SLRU9)5eqE;NvzrnLNRvw3bw8F1E$iK5 zwX5hV$`a+`D~I3z*wT_u5}k7%QnYGsCTkr)N#LV9zlVbB#IiuPuq3QOu^b#f)@hC#?FpgQnk^IzPBWT1Y8sMx={ay% zyQ3aZ4~edv_(bK#yzKI>es3_-*)#GHm}IuI{xz*h5K!`pHW?csL6vL&WOHl&)i&m? zP40nN(cMjpCxa;E749AGbW8qFcN^+O`Q@S#33<;tSSe!mAqK6~Iy?hC8A=2E=4p5* zX}e$k?70k;cnWWjdD}^fvHG{9mB#}|`P@lb8i6)Gq@*opzLT`PoCw2Z77w}23xI1x6D~1RPFgNu50&aQitlyVdJv^=aGHPOoF$ zR*QKJstY3cV$*A@f%fe}R{O7TBLE2j%{$TXw;^tXG{%@~S)h+^{df{nkjtp9h||>x z_OtZ|uPmn|D(ufx4V#G-sKRT+as{CGHu6%D_XPZ>a6R+sBz(><&bMTHy^h_ytRwi$ z)W3#l-k>WmYdvXSCZdtoadIdOYWsBqYZz+%c@B?v!;e-!MoWX0t{{{E5kkbGF literal 0 HcmV?d00001 diff --git a/charts/fleet-crd/102.2.1+up0.8.1/Chart.yaml b/charts/fleet-crd/102.2.1+up0.8.1/Chart.yaml new file mode 100644 index 0000000000..94ea35508a --- /dev/null +++ b/charts/fleet-crd/102.2.1+up0.8.1/Chart.yaml @@ -0,0 +1,13 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/release-name: fleet-crd +apiVersion: v2 +appVersion: 0.8.1 +description: Fleet Manager CustomResourceDefinitions +icon: https://charts.rancher.io/assets/logos/fleet.svg +name: fleet-crd +version: 102.2.1+up0.8.1 diff --git a/charts/fleet-crd/102.2.1+up0.8.1/README.md b/charts/fleet-crd/102.2.1+up0.8.1/README.md new file mode 100644 index 0000000000..2452ab2f1f --- /dev/null +++ b/charts/fleet-crd/102.2.1+up0.8.1/README.md 
@@ -0,0 +1,5 @@
+# Fleet CRD Helm Chart
+
+Fleet Manager CustomResourceDefinitions Helm chart is a requirement for the Fleet Helm Chart.
+
+The Fleet documentation is centralized in the [doc website](https://fleet.rancher.io/).
\ No newline at end of file
diff --git a/charts/fleet-crd/102.2.1+up0.8.1/templates/crds.yaml b/charts/fleet-crd/102.2.1+up0.8.1/templates/crds.yaml
new file mode 100644
index 0000000000..16f8db2e10
--- /dev/null
+++ b/charts/fleet-crd/102.2.1+up0.8.1/templates/crds.yaml
@@ -0,0 +1,3444 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bundles.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: Bundle + plural: bundles + singular: bundle + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.readyClusters + name: BundleDeployments-Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + correctDrift: + properties: + enabled: + type: boolean + force: + type: boolean + keepFailHistory: + type: boolean + type: object + defaultNamespace: + nullable: true + type: string + dependsOn: + items: + properties: + name: + nullable: true + type: string + selector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + type: object + nullable: true + type: array + diff: + nullable: true + properties: + comparePatches: + items: + properties: + apiVersion: + nullable: true + type: string + jsonPointers: + items: + nullable: true + type: string + nullable: true + type: array + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + operations: + items: + properties: + op: + nullable: true + type: string + path: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + forceSyncGeneration: + type: integer + helm: + nullable: true + properties: + atomic: + type: 
boolean + chart: + nullable: true + type: string + disablePreProcess: + type: boolean + force: + type: boolean + maxHistory: + type: integer + releaseName: + maxLength: 53 + nullable: true + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + repo: + nullable: true + type: string + takeOwnership: + type: boolean + timeoutSeconds: + type: integer + values: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + items: + nullable: true + type: string + nullable: true + type: array + valuesFrom: + items: + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + nullable: true + type: string + waitForJobs: + type: boolean + type: object + ignore: + properties: + conditions: + items: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + nullable: true + type: array + type: object + keepResources: + type: boolean + kustomize: + nullable: true + properties: + dir: + nullable: true + type: string + type: object + namespace: + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + namespaceLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + paused: + type: boolean + resources: + items: + properties: + content: + nullable: true + type: string + encoding: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + rolloutStrategy: + nullable: true + properties: + autoPartitionSize: + 
nullable: true + type: string + maxUnavailable: + nullable: true + type: string + maxUnavailablePartitions: + nullable: true + type: string + partitions: + items: + properties: + clusterGroup: + nullable: true + type: string + clusterGroupSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + clusterName: + nullable: true + type: string + clusterSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + maxUnavailable: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + serviceAccount: + nullable: true + type: string + targetRestrictions: + items: + properties: + clusterGroup: + nullable: true + type: string + clusterGroupSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + clusterName: + nullable: true + type: string + clusterSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + 
nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + name: + nullable: true + type: string + type: object + nullable: true + type: array + targets: + items: + properties: + clusterGroup: + nullable: true + type: string + clusterGroupSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + clusterName: + nullable: true + type: string + clusterSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + correctDrift: + properties: + enabled: + type: boolean + force: + type: boolean + keepFailHistory: + type: boolean + type: object + defaultNamespace: + nullable: true + type: string + diff: + nullable: true + properties: + comparePatches: + items: + properties: + apiVersion: + nullable: true + type: string + jsonPointers: + items: + nullable: true + type: string + nullable: true + type: array + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + operations: + items: + properties: + op: + nullable: true + type: string + path: + 
nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + doNotDeploy: + type: boolean + forceSyncGeneration: + type: integer + helm: + nullable: true + properties: + atomic: + type: boolean + chart: + nullable: true + type: string + disablePreProcess: + type: boolean + force: + type: boolean + maxHistory: + type: integer + releaseName: + nullable: true + type: string + repo: + nullable: true + type: string + takeOwnership: + type: boolean + timeoutSeconds: + type: integer + values: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + items: + nullable: true + type: string + nullable: true + type: array + valuesFrom: + items: + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + nullable: true + type: string + waitForJobs: + type: boolean + type: object + ignore: + properties: + conditions: + items: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + nullable: true + type: array + type: object + keepResources: + type: boolean + kustomize: + nullable: true + properties: + dir: + nullable: true + type: string + type: object + name: + nullable: true + type: string + namespace: + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + namespaceLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + serviceAccount: + nullable: true + type: string + yaml: + 
nullable: true + properties: + overlays: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + nullable: true + type: array + yaml: + nullable: true + properties: + overlays: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + properties: + readyClusters: + nullable: true + type: string + state: + nullable: true + type: string + type: object + maxNew: + type: integer + maxUnavailable: + type: integer + maxUnavailablePartitions: + type: integer + newlyCreated: + type: integer + observedGeneration: + type: integer + partitions: + items: + properties: + count: + type: integer + maxUnavailable: + type: integer + name: + nullable: true + type: string + summary: + properties: + desiredReady: + type: integer + errApplied: + type: integer + modified: + type: integer + nonReadyResources: + items: + properties: + bundleState: + nullable: true + type: string + message: + nullable: true + type: string + modifiedStatus: + items: + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + nonReadyStatus: + items: + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + 
summary: + properties: + error: + type: boolean + message: + items: + nullable: true + type: string + nullable: true + type: array + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + uid: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + type: integer + outOfSync: + type: integer + pending: + type: integer + ready: + type: integer + waitApplied: + type: integer + type: object + unavailable: + type: integer + type: object + nullable: true + type: array + resourceKey: + items: + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + nullable: true + type: array + summary: + properties: + desiredReady: + type: integer + errApplied: + type: integer + modified: + type: integer + nonReadyResources: + items: + properties: + bundleState: + nullable: true + type: string + message: + nullable: true + type: string + modifiedStatus: + items: + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + nonReadyStatus: + items: + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + nullable: true + type: string + nullable: true + type: array + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + uid: + nullable: true + type: string + type: object + nullable: true + type: array + 
type: object + nullable: true + type: array + notReady: + type: integer + outOfSync: + type: integer + pending: + type: integer + ready: + type: integer + waitApplied: + type: integer + type: object + unavailable: + type: integer + unavailablePartitions: + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bundledeployments.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: BundleDeployment + plural: bundledeployments + singular: bundledeployment + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.deployed + name: Deployed + type: string + - jsonPath: .status.display.monitored + name: Monitored + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + correctDrift: + properties: + enabled: + type: boolean + force: + type: boolean + keepFailHistory: + type: boolean + type: object + dependsOn: + items: + properties: + name: + nullable: true + type: string + selector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + type: object + nullable: true + type: array + deploymentID: + nullable: true + type: string + options: + properties: + correctDrift: + properties: + enabled: + type: boolean + force: + type: boolean + keepFailHistory: + type: boolean + type: object + defaultNamespace: + nullable: true + type: string + diff: + nullable: true + properties: + 
comparePatches: + items: + properties: + apiVersion: + nullable: true + type: string + jsonPointers: + items: + nullable: true + type: string + nullable: true + type: array + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + operations: + items: + properties: + op: + nullable: true + type: string + path: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + forceSyncGeneration: + type: integer + helm: + nullable: true + properties: + atomic: + type: boolean + chart: + nullable: true + type: string + disablePreProcess: + type: boolean + force: + type: boolean + maxHistory: + type: integer + releaseName: + maxLength: 53 + nullable: true + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + repo: + nullable: true + type: string + takeOwnership: + type: boolean + timeoutSeconds: + type: integer + values: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + items: + nullable: true + type: string + nullable: true + type: array + valuesFrom: + items: + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + nullable: true + type: string + waitForJobs: + type: boolean + type: object + ignore: + properties: + conditions: + items: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + nullable: true + type: array + type: object + keepResources: + type: boolean + kustomize: + 
nullable: true + properties: + dir: + nullable: true + type: string + type: object + namespace: + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + namespaceLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + serviceAccount: + nullable: true + type: string + yaml: + nullable: true + properties: + overlays: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + paused: + type: boolean + stagedDeploymentID: + nullable: true + type: string + stagedOptions: + properties: + correctDrift: + properties: + enabled: + type: boolean + force: + type: boolean + keepFailHistory: + type: boolean + type: object + defaultNamespace: + nullable: true + type: string + diff: + nullable: true + properties: + comparePatches: + items: + properties: + apiVersion: + nullable: true + type: string + jsonPointers: + items: + nullable: true + type: string + nullable: true + type: array + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + operations: + items: + properties: + op: + nullable: true + type: string + path: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + forceSyncGeneration: + type: integer + helm: + nullable: true + properties: + atomic: + type: boolean + chart: + nullable: true + type: string + disablePreProcess: + type: boolean + force: + type: boolean + maxHistory: + type: integer + releaseName: + nullable: true + type: string + repo: + nullable: true + type: string + takeOwnership: + type: boolean + timeoutSeconds: + type: integer + values: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + items: + nullable: true + type: string + nullable: true + 
type: array + valuesFrom: + items: + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + nullable: true + type: string + waitForJobs: + type: boolean + type: object + ignore: + properties: + conditions: + items: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + nullable: true + type: array + type: object + keepResources: + type: boolean + kustomize: + nullable: true + properties: + dir: + nullable: true + type: string + type: object + namespace: + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + namespaceLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + serviceAccount: + nullable: true + type: string + yaml: + nullable: true + properties: + overlays: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + type: object + status: + properties: + appliedDeploymentID: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + properties: + deployed: + nullable: true + type: string + monitored: + nullable: true + type: string + state: + nullable: true + type: string + type: object + modifiedStatus: + items: + properties: + 
apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + nonModified: + type: boolean + nonReadyStatus: + items: + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + nullable: true + type: string + nullable: true + type: array + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + uid: + nullable: true + type: string + type: object + nullable: true + type: array + ready: + type: boolean + release: + nullable: true + type: string + resources: + items: + properties: + apiVersion: + nullable: true + type: string + createdAt: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + nullable: true + type: array + syncGeneration: + nullable: true + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bundlenamespacemappings.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: BundleNamespaceMapping + plural: bundlenamespacemappings + singular: bundlenamespacemapping + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + bundleSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + 
nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + categories: + - fleet + kind: ClusterGroup + plural: clustergroups + singular: clustergroup + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.readyClusters + name: Clusters-Ready + type: string + - jsonPath: .status.display.readyBundles + name: Bundles-Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + selector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + type: object + status: + properties: + clusterCount: + type: integer + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: 
string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + properties: + readyBundles: + nullable: true + type: string + readyClusters: + nullable: true + type: string + state: + nullable: true + type: string + type: object + nonReadyClusterCount: + type: integer + nonReadyClusters: + items: + nullable: true + type: string + nullable: true + type: array + resourceCounts: + properties: + desiredReady: + type: integer + missing: + type: integer + modified: + type: integer + notReady: + type: integer + orphaned: + type: integer + ready: + type: integer + unknown: + type: integer + waitApplied: + type: integer + type: object + summary: + properties: + desiredReady: + type: integer + errApplied: + type: integer + modified: + type: integer + nonReadyResources: + items: + properties: + bundleState: + nullable: true + type: string + message: + nullable: true + type: string + modifiedStatus: + items: + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + nonReadyStatus: + items: + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + nullable: true + type: string + nullable: true + type: array + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + uid: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + 
type: array + notReady: + type: integer + outOfSync: + type: integer + pending: + type: integer + ready: + type: integer + waitApplied: + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusters.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: Cluster + plural: clusters + singular: cluster + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.readyBundles + name: Bundles-Ready + type: string + - jsonPath: .status.display.readyNodes + name: Nodes-Ready + type: string + - jsonPath: .status.display.sampleNode + name: Sample-Node + type: string + - jsonPath: .status.agent.lastSeen + name: Last-Seen + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + metadata: + properties: + name: + maxLength: 63 + pattern: ^[-a-z0-9]+$ + type: string + type: object + spec: + properties: + agentAffinity: + nullable: true + properties: + nodeAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchFields: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + 
weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + nullable: true + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchFields: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + type: object + podAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + 
type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + podAntiAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + 
additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + nullable: true + type: array 
+ type: object + type: object + agentEnvVars: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + agentNamespace: + nullable: true + type: string + agentResources: + nullable: true + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + agentTolerations: + items: + properties: + effect: + nullable: true + type: string + key: + nullable: true + type: string + operator: + nullable: true + type: string + tolerationSeconds: + maximum: 86400 + nullable: true + type: integer + value: + nullable: true + type: string + type: object + nullable: true + type: array + clientID: + nullable: true + type: string + kubeConfigSecret: + nullable: true + type: string + paused: + type: boolean + privateRepoURL: + nullable: true + type: string + redeployAgentGeneration: + type: integer + templateValues: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + agent: + properties: + 
lastSeen: + nullable: true + type: string + namespace: + nullable: true + type: string + nonReadyNodeNames: + items: + nullable: true + type: string + nullable: true + type: array + nonReadyNodes: + type: integer + readyNodeNames: + items: + nullable: true + type: string + nullable: true + type: array + readyNodes: + type: integer + type: object + agentAffinityHash: + nullable: true + type: string + agentConfigChanged: + type: boolean + agentDeployedGeneration: + nullable: true + type: integer + agentEnvVarsHash: + nullable: true + type: string + agentMigrated: + type: boolean + agentNamespaceMigrated: + type: boolean + agentPrivateRepoURL: + nullable: true + type: string + agentResourcesHash: + nullable: true + type: string + agentTolerationsHash: + nullable: true + type: string + apiServerCAHash: + nullable: true + type: string + apiServerURL: + nullable: true + type: string + cattleNamespaceMigrated: + type: boolean + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + desiredReadyGitRepos: + type: integer + display: + properties: + readyBundles: + nullable: true + type: string + readyNodes: + nullable: true + type: string + sampleNode: + nullable: true + type: string + state: + nullable: true + type: string + type: object + namespace: + nullable: true + type: string + readyGitRepos: + type: integer + resourceCounts: + properties: + desiredReady: + type: integer + missing: + type: integer + modified: + type: integer + notReady: + type: integer + orphaned: + type: integer + ready: + type: integer + unknown: + type: integer + waitApplied: + type: integer + type: object + summary: + properties: + desiredReady: + type: integer + errApplied: + type: integer + modified: + 
type: integer + nonReadyResources: + items: + properties: + bundleState: + nullable: true + type: string + message: + nullable: true + type: string + modifiedStatus: + items: + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + nonReadyStatus: + items: + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + nullable: true + type: string + nullable: true + type: array + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + uid: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + type: integer + outOfSync: + type: integer + pending: + type: integer + ready: + type: integer + waitApplied: + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterregistrationtokens.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: ClusterRegistrationToken + plural: clusterregistrationtokens + singular: clusterregistrationtoken + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.secretName + name: Secret-Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + metadata: + properties: + name: + maxLength: 63 + pattern: ^[-a-z0-9]+$ + type: string + type: object + spec: + properties: + ttl: + nullable: 
true + type: string + type: object + status: + properties: + expires: + nullable: true + type: string + secretName: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: gitrepos.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + categories: + - fleet + kind: GitRepo + plural: gitrepos + singular: gitrepo + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.repo + name: Repo + type: string + - jsonPath: .status.commit + name: Commit + type: string + - jsonPath: .status.display.readyBundleDeployments + name: BundleDeployments-Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + branch: + nullable: true + type: string + caBundle: + nullable: true + type: string + clientSecretName: + nullable: true + type: string + correctDrift: + properties: + enabled: + type: boolean + force: + type: boolean + keepFailHistory: + type: boolean + type: object + forceSyncGeneration: + type: integer + helmRepoURLRegex: + nullable: true + type: string + helmSecretName: + nullable: true + type: string + helmSecretNameForPaths: + nullable: true + type: string + imageScanCommit: + properties: + authorEmail: + nullable: true + type: string + authorName: + nullable: true + type: string + messageTemplate: + nullable: true + type: string + type: object + imageScanInterval: + nullable: true + type: string + insecureSkipTLSVerify: + type: boolean + keepResources: + type: boolean + paths: + items: + nullable: true + type: string + nullable: true + type: array + paused: + type: boolean + pollingInterval: + nullable: true + type: string + repo: + nullable: true + type: string + revision: + nullable: true + type: string + 
serviceAccount: + nullable: true + type: string + targetNamespace: + nullable: true + type: string + targets: + items: + properties: + clusterGroup: + nullable: true + type: string + clusterGroupSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + clusterName: + nullable: true + type: string + clusterSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + name: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + status: + properties: + commit: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + desiredReadyClusters: + type: integer + display: + properties: + error: + type: boolean + message: + nullable: true + type: string + readyBundleDeployments: + nullable: true + type: string + state: + nullable: true + type: string + type: object + gitJobStatus: + nullable: true + type: string + lastSyncedImageScanTime: + nullable: true + type: string + observedGeneration: + type: integer + 
readyClusters: + type: integer + resourceCounts: + properties: + desiredReady: + type: integer + missing: + type: integer + modified: + type: integer + notReady: + type: integer + orphaned: + type: integer + ready: + type: integer + unknown: + type: integer + waitApplied: + type: integer + type: object + resourceErrors: + items: + nullable: true + type: string + nullable: true + type: array + resources: + items: + properties: + apiVersion: + nullable: true + type: string + error: + type: boolean + id: + nullable: true + type: string + incompleteState: + type: boolean + kind: + nullable: true + type: string + message: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + perClusterState: + items: + properties: + clusterId: + nullable: true + type: string + error: + type: boolean + message: + nullable: true + type: string + patch: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + nullable: true + type: array + state: + nullable: true + type: string + transitioning: + type: boolean + type: + nullable: true + type: string + type: object + nullable: true + type: array + summary: + properties: + desiredReady: + type: integer + errApplied: + type: integer + modified: + type: integer + nonReadyResources: + items: + properties: + bundleState: + nullable: true + type: string + message: + nullable: true + type: string + modifiedStatus: + items: + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + nonReadyStatus: + items: + properties: + apiVersion: + nullable: true + type: string + kind: 
+ nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + nullable: true + type: string + nullable: true + type: array + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + uid: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + type: integer + outOfSync: + type: integer + pending: + type: integer + ready: + type: integer + waitApplied: + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterregistrations.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: ClusterRegistration + plural: clusterregistrations + singular: clusterregistration + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.clusterName + name: Cluster-Name + type: string + - jsonPath: .spec.clusterLabels + name: Labels + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + clientID: + nullable: true + type: string + clientRandom: + nullable: true + type: string + clusterLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + status: + properties: + clusterName: + nullable: true + type: string + granted: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: gitreporestrictions.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: GitRepoRestriction + plural: gitreporestrictions + singular: gitreporestriction + preserveUnknownFields: false + scope: Namespaced 
+ versions: + - additionalPrinterColumns: + - jsonPath: .defaultServiceAccount + name: Default-ServiceAccount + type: string + - jsonPath: .allowedServiceAccounts + name: Allowed-ServiceAccounts + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + allowedClientSecretNames: + items: + nullable: true + type: string + nullable: true + type: array + allowedRepoPatterns: + items: + nullable: true + type: string + nullable: true + type: array + allowedServiceAccounts: + items: + nullable: true + type: string + nullable: true + type: array + allowedTargetNamespaces: + items: + nullable: true + type: string + nullable: true + type: array + defaultClientSecretName: + nullable: true + type: string + defaultServiceAccount: + nullable: true + type: string + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: contents.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: Content + plural: contents + singular: content + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + content: + nullable: true + type: string + type: object + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: imagescans.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + categories: + - fleet + kind: ImageScan + plural: imagescans + singular: imagescan + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.image + name: Repository + type: string + - jsonPath: .status.latestTag + name: Latest + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + gitrepoName: + nullable: true + type: string + image: + nullable: true + type: string + interval: + nullable: true + type: string + policy: + properties: + alphabetical: + 
nullable: true + properties: + order: + nullable: true + type: string + type: object + semver: + nullable: true + properties: + range: + nullable: true + type: string + type: object + type: object + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + suspend: + type: boolean + tagName: + nullable: true + type: string + type: object + status: + properties: + canonicalImageName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + lastScanTime: + nullable: true + type: string + latestDigest: + nullable: true + type: string + latestImage: + nullable: true + type: string + latestTag: + nullable: true + type: string + observedGeneration: + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/fleet-crd/102.2.1+up0.8.1/templates/gitjobs-crds.yaml b/charts/fleet-crd/102.2.1+up0.8.1/templates/gitjobs-crds.yaml new file mode 100644 index 0000000000..d6c36cb7b6 --- /dev/null +++ b/charts/fleet-crd/102.2.1+up0.8.1/templates/gitjobs-crds.yaml 
@@ -0,0 +1,7510 @@ +{{- if .Capabilities.APIVersions.Has "apiextensions.k8s.io/v1" -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: gitjobs.gitjob.cattle.io +spec: + group: gitjob.cattle.io + names: + kind: GitJob + plural: gitjobs + singular: gitjob + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.git.repo + name: REPO + type: string + - jsonPath: .spec.git.branch + name: BRANCH + type: string + - jsonPath: .status.commit + name: COMMIT + type: string + - jsonPath: .status.jobStatus + name: JOBSTATUS + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + forceUpdateGeneration: + type: integer + git: + properties: + branch: + nullable: true + type: string + caBundle: + nullable: true + type: string + clientSecretName: + nullable: true + type: string + insecureSkipTLSVerify: + type: boolean + onTag: + nullable: true + type: string + provider: + nullable: true + type: string + repo: + nullable: true + type: string + revision: + nullable: true + type: string + type: object + jobSpec: + properties: + activeDeadlineSeconds: + nullable: true + type: integer + backoffLimit: + nullable: true + type: integer + completionMode: + nullable: true + type: string + completions: + nullable: true + type: integer + manualSelector: + nullable: true + type: boolean + parallelism: + nullable: true + type: integer + podFailurePolicy: + nullable: true + properties: + rules: + items: + properties: + action: + nullable: true + type: string + onExitCodes: + nullable: true + properties: + containerName: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + type: integer + nullable: true + type: array + type: object + onPodConditions: + items: + properties: + status: + nullable: true + type: string + type: + nullable: true + type: string + 
type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + selector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + suspend: + nullable: true + type: boolean + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + creationTimestamp: + nullable: true + type: string + deletionGracePeriodSeconds: + nullable: true + type: integer + deletionTimestamp: + nullable: true + type: string + finalizers: + items: + nullable: true + type: string + nullable: true + type: array + generateName: + nullable: true + type: string + generation: + type: integer + labels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + managedFields: + items: + properties: + apiVersion: + nullable: true + type: string + fieldsType: + nullable: true + type: string + fieldsV1: + nullable: true + type: object + manager: + nullable: true + type: string + operation: + nullable: true + type: string + subresource: + nullable: true + type: string + time: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + namespace: + nullable: true + type: string + ownerReferences: + items: + properties: + apiVersion: + nullable: true + type: string + blockOwnerDeletion: + nullable: true + type: boolean + controller: + nullable: true + type: boolean + kind: + nullable: true + type: string + name: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + nullable: true + type: array + 
resourceVersion: + nullable: true + type: string + selfLink: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + spec: + properties: + activeDeadlineSeconds: + nullable: true + type: integer + affinity: + nullable: true + properties: + nodeAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchFields: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + nullable: true + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchFields: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + type: object + podAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + 
operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + 
nullable: true + type: array + type: object + podAntiAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: 
true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + type: object + automountServiceAccountToken: + nullable: true + type: boolean + containers: + items: + properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + nullable: true + type: array + env: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + 
type: array + image: + nullable: true + type: string + imagePullPolicy: + nullable: true + type: string + lifecycle: + nullable: true + properties: + postStart: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + preStop: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + type: object + livenessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + 
nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + name: + nullable: true + type: string + ports: + items: + properties: + containerPort: + type: integer + hostIP: + nullable: true + type: string + hostPort: + type: integer + name: + nullable: true + type: string + protocol: + nullable: true + type: string + type: object + nullable: true + type: array + readinessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + 
terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + nullable: true + properties: + add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + startupProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: 
+ nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + nullable: true + type: string + terminationMessagePolicy: + nullable: true + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + volumeMounts: + items: + properties: + mountPath: + nullable: true + type: string + mountPropagation: + nullable: true + type: string + name: + nullable: true + type: string + readOnly: + type: boolean + subPath: + nullable: true + type: string + subPathExpr: + nullable: true + type: string + type: object + nullable: true + type: array + workingDir: + nullable: true + type: string + type: object + nullable: true + type: array + dnsConfig: + nullable: true + properties: + nameservers: + items: + nullable: true + type: string + nullable: true + type: array + options: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + searches: + items: + nullable: true + type: string + nullable: true + type: array + type: object + dnsPolicy: + nullable: true + type: string + enableServiceLinks: + 
nullable: true + type: boolean + ephemeralContainers: + items: + properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + nullable: true + type: array + env: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + type: array + image: + nullable: true + type: string + imagePullPolicy: + nullable: true + type: string + lifecycle: + nullable: true + properties: + postStart: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + 
httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + preStop: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + type: object + livenessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + 
successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + name: + nullable: true + type: string + ports: + items: + properties: + containerPort: + type: integer + hostIP: + nullable: true + type: string + hostPort: + type: integer + name: + nullable: true + type: string + protocol: + nullable: true + type: string + type: object + nullable: true + type: array + readinessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: 
+ nullable: true + type: boolean + capabilities: + nullable: true + properties: + add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + startupProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + 
type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + targetContainerName: + nullable: true + type: string + terminationMessagePath: + nullable: true + type: string + terminationMessagePolicy: + nullable: true + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + volumeMounts: + items: + properties: + mountPath: + nullable: true + type: string + mountPropagation: + nullable: true + type: string + name: + nullable: true + type: string + readOnly: + type: boolean + subPath: + nullable: true + type: string + subPathExpr: + nullable: true + type: string + type: object + nullable: true + type: array + workingDir: + nullable: true + type: string + type: object + nullable: true + type: array + hostAliases: + items: + properties: + hostnames: + items: + nullable: true + type: string + nullable: true + type: array + ip: + nullable: true + type: string + type: object + nullable: true + type: array + hostIPC: + type: boolean + hostNetwork: + type: boolean + hostPID: + type: boolean + hostUsers: + nullable: true + type: boolean + hostname: + nullable: true + type: string + imagePullSecrets: + items: + properties: + name: + nullable: true + type: string + type: object + nullable: true + type: array + initContainers: + items: + properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + nullable: true + type: array + env: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + 
nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + type: array + image: + nullable: true + type: string + imagePullPolicy: + nullable: true + type: string + lifecycle: + nullable: true + properties: + postStart: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true 
+ type: string + port: + nullable: true + type: string + type: object + type: object + preStop: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + type: object + livenessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + name: + nullable: true + type: string + ports: + items: + properties: + containerPort: + 
type: integer + hostIP: + nullable: true + type: string + hostPort: + type: integer + name: + nullable: true + type: string + protocol: + nullable: true + type: string + type: object + nullable: true + type: array + readinessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + nullable: true + properties: + add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + 
nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + startupProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + 
terminationMessagePath: + nullable: true + type: string + terminationMessagePolicy: + nullable: true + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + volumeMounts: + items: + properties: + mountPath: + nullable: true + type: string + mountPropagation: + nullable: true + type: string + name: + nullable: true + type: string + readOnly: + type: boolean + subPath: + nullable: true + type: string + subPathExpr: + nullable: true + type: string + type: object + nullable: true + type: array + workingDir: + nullable: true + type: string + type: object + nullable: true + type: array + nodeName: + nullable: true + type: string + nodeSelector: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + os: + nullable: true + properties: + name: + nullable: true + type: string + type: object + overhead: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + preemptionPolicy: + nullable: true + type: string + priority: + nullable: true + type: integer + priorityClassName: + nullable: true + type: string + readinessGates: + items: + properties: + conditionType: + nullable: true + type: string + type: object + nullable: true + type: array + restartPolicy: + nullable: true + type: string + runtimeClassName: + nullable: true + type: string + schedulerName: + nullable: true + type: string + securityContext: + nullable: true + properties: + fsGroup: + nullable: true + type: integer + fsGroupChangePolicy: + nullable: true + type: string + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: 
true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + supplementalGroups: + items: + type: integer + nullable: true + type: array + sysctls: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + serviceAccount: + nullable: true + type: string + serviceAccountName: + nullable: true + type: string + setHostnameAsFQDN: + nullable: true + type: boolean + shareProcessNamespace: + nullable: true + type: boolean + subdomain: + nullable: true + type: string + terminationGracePeriodSeconds: + nullable: true + type: integer + tolerations: + items: + properties: + effect: + nullable: true + type: string + key: + nullable: true + type: string + operator: + nullable: true + type: string + tolerationSeconds: + nullable: true + type: integer + value: + nullable: true + type: string + type: object + nullable: true + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + matchLabelKeys: + items: + nullable: true + type: string + nullable: true + type: array + maxSkew: + type: integer + minDomains: + nullable: true + type: integer + 
nodeAffinityPolicy: + nullable: true + type: string + nodeTaintsPolicy: + nullable: true + type: string + topologyKey: + nullable: true + type: string + whenUnsatisfiable: + nullable: true + type: string + type: object + nullable: true + type: array + volumes: + items: + properties: + awsElasticBlockStore: + nullable: true + properties: + fsType: + nullable: true + type: string + partition: + type: integer + readOnly: + type: boolean + volumeID: + nullable: true + type: string + type: object + azureDisk: + nullable: true + properties: + cachingMode: + nullable: true + type: string + diskName: + nullable: true + type: string + diskURI: + nullable: true + type: string + fsType: + nullable: true + type: string + kind: + nullable: true + type: string + readOnly: + nullable: true + type: boolean + type: object + azureFile: + nullable: true + properties: + readOnly: + type: boolean + secretName: + nullable: true + type: string + shareName: + nullable: true + type: string + type: object + cephfs: + nullable: true + properties: + monitors: + items: + nullable: true + type: string + nullable: true + type: array + path: + nullable: true + type: string + readOnly: + type: boolean + secretFile: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + user: + nullable: true + type: string + type: object + cinder: + nullable: true + properties: + fsType: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + volumeID: + nullable: true + type: string + type: object + configMap: + nullable: true + properties: + defaultMode: + nullable: true + type: integer + items: + items: + properties: + key: + nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + optional: 
+ nullable: true + type: boolean + type: object + csi: + nullable: true + properties: + driver: + nullable: true + type: string + fsType: + nullable: true + type: string + nodePublishSecretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + readOnly: + nullable: true + type: boolean + volumeAttributes: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + downwardAPI: + nullable: true + properties: + defaultMode: + nullable: true + type: integer + items: + items: + properties: + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + mode: + nullable: true + type: integer + path: + nullable: true + type: string + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + type: object + emptyDir: + nullable: true + properties: + medium: + nullable: true + type: string + sizeLimit: + nullable: true + type: string + type: object + ephemeral: + nullable: true + properties: + volumeClaimTemplate: + nullable: true + properties: + metadata: + properties: + annotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + creationTimestamp: + nullable: true + type: string + deletionGracePeriodSeconds: + nullable: true + type: integer + deletionTimestamp: + nullable: true + type: string + finalizers: + items: + nullable: true + type: string + nullable: true + type: array + generateName: + nullable: true + type: string + generation: + type: integer + labels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + managedFields: + items: + properties: + apiVersion: + nullable: true + type: string + fieldsType: + nullable: true + type: 
string + fieldsV1: + nullable: true + type: object + manager: + nullable: true + type: string + operation: + nullable: true + type: string + subresource: + nullable: true + type: string + time: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + namespace: + nullable: true + type: string + ownerReferences: + items: + properties: + apiVersion: + nullable: true + type: string + blockOwnerDeletion: + nullable: true + type: boolean + controller: + nullable: true + type: boolean + kind: + nullable: true + type: string + name: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + nullable: true + type: array + resourceVersion: + nullable: true + type: string + selfLink: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + spec: + properties: + accessModes: + items: + nullable: true + type: string + nullable: true + type: array + dataSource: + nullable: true + properties: + apiGroup: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + type: object + dataSourceRef: + nullable: true + properties: + apiGroup: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + selector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + 
storageClassName: + nullable: true + type: string + volumeMode: + nullable: true + type: string + volumeName: + nullable: true + type: string + type: object + type: object + type: object + fc: + nullable: true + properties: + fsType: + nullable: true + type: string + lun: + nullable: true + type: integer + readOnly: + type: boolean + targetWWNs: + items: + nullable: true + type: string + nullable: true + type: array + wwids: + items: + nullable: true + type: string + nullable: true + type: array + type: object + flexVolume: + nullable: true + properties: + driver: + nullable: true + type: string + fsType: + nullable: true + type: string + options: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + type: object + flocker: + nullable: true + properties: + datasetName: + nullable: true + type: string + datasetUUID: + nullable: true + type: string + type: object + gcePersistentDisk: + nullable: true + properties: + fsType: + nullable: true + type: string + partition: + type: integer + pdName: + nullable: true + type: string + readOnly: + type: boolean + type: object + gitRepo: + nullable: true + properties: + directory: + nullable: true + type: string + repository: + nullable: true + type: string + revision: + nullable: true + type: string + type: object + glusterfs: + nullable: true + properties: + endpoints: + nullable: true + type: string + path: + nullable: true + type: string + readOnly: + type: boolean + type: object + hostPath: + nullable: true + properties: + path: + nullable: true + type: string + type: + nullable: true + type: string + type: object + iscsi: + nullable: true + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + nullable: true + type: string + initiatorName: + nullable: true + type: string + iqn: + nullable: true + type: string + 
iscsiInterface: + nullable: true + type: string + lun: + type: integer + portals: + items: + nullable: true + type: string + nullable: true + type: array + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + targetPortal: + nullable: true + type: string + type: object + name: + nullable: true + type: string + nfs: + nullable: true + properties: + path: + nullable: true + type: string + readOnly: + type: boolean + server: + nullable: true + type: string + type: object + persistentVolumeClaim: + nullable: true + properties: + claimName: + nullable: true + type: string + readOnly: + type: boolean + type: object + photonPersistentDisk: + nullable: true + properties: + fsType: + nullable: true + type: string + pdID: + nullable: true + type: string + type: object + portworxVolume: + nullable: true + properties: + fsType: + nullable: true + type: string + readOnly: + type: boolean + volumeID: + nullable: true + type: string + type: object + projected: + nullable: true + properties: + defaultMode: + nullable: true + type: integer + sources: + items: + properties: + configMap: + nullable: true + properties: + items: + items: + properties: + key: + nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + downwardAPI: + nullable: true + properties: + items: + items: + properties: + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + mode: + nullable: true + type: integer + path: + nullable: true + type: string + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object 
+ type: object + nullable: true + type: array + type: object + secret: + nullable: true + properties: + items: + items: + properties: + key: + nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + serviceAccountToken: + nullable: true + properties: + audience: + nullable: true + type: string + expirationSeconds: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + type: object + quobyte: + nullable: true + properties: + group: + nullable: true + type: string + readOnly: + type: boolean + registry: + nullable: true + type: string + tenant: + nullable: true + type: string + user: + nullable: true + type: string + volume: + nullable: true + type: string + type: object + rbd: + nullable: true + properties: + fsType: + nullable: true + type: string + image: + nullable: true + type: string + keyring: + nullable: true + type: string + monitors: + items: + nullable: true + type: string + nullable: true + type: array + pool: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + user: + nullable: true + type: string + type: object + scaleIO: + nullable: true + properties: + fsType: + nullable: true + type: string + gateway: + nullable: true + type: string + protectionDomain: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + sslEnabled: + type: boolean + storageMode: + nullable: true + type: string + storagePool: + nullable: true + type: string + system: + nullable: true + type: string + volumeName: + nullable: true + type: string + type: object + secret: + nullable: true + 
properties: + defaultMode: + nullable: true + type: integer + items: + items: + properties: + key: + nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + optional: + nullable: true + type: boolean + secretName: + nullable: true + type: string + type: object + storageos: + nullable: true + properties: + fsType: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + volumeName: + nullable: true + type: string + volumeNamespace: + nullable: true + type: string + type: object + vsphereVolume: + nullable: true + properties: + fsType: + nullable: true + type: string + storagePolicyID: + nullable: true + type: string + storagePolicyName: + nullable: true + type: string + volumePath: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + type: object + type: object + ttlSecondsAfterFinished: + nullable: true + type: integer + type: object + syncInterval: + type: integer + type: object + status: + properties: + commit: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + event: + nullable: true + type: string + hookId: + nullable: true + type: string + jobStatus: + nullable: true + type: string + lastExecutedCommit: + nullable: true + type: string + lastSyncedTime: + nullable: true + type: string + observedGeneration: + type: integer + secretToken: + nullable: true + type: string + updateGeneration: + type: integer + type: object + type: object + served: true + storage: true + subresources: + 
status: {} +{{- else -}} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gitjobs.gitjob.cattle.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.git.repo + name: REPO + type: string + - JSONPath: .spec.git.branch + name: BRANCH + type: string + - JSONPath: .status.commit + name: COMMIT + type: string + - JSONPath: .status.jobStatus + name: JOBSTATUS + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: gitjob.cattle.io + names: + kind: GitJob + plural: gitjobs + singular: gitjob + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + forceUpdateGeneration: + type: integer + git: + properties: + branch: + nullable: true + type: string + caBundle: + nullable: true + type: string + clientSecretName: + nullable: true + type: string + insecureSkipTLSVerify: + type: boolean + onTag: + nullable: true + type: string + provider: + nullable: true + type: string + repo: + nullable: true + type: string + revision: + nullable: true + type: string + type: object + jobSpec: + properties: + activeDeadlineSeconds: + nullable: true + type: integer + backoffLimit: + nullable: true + type: integer + completionMode: + nullable: true + type: string + completions: + nullable: true + type: integer + manualSelector: + nullable: true + type: boolean + parallelism: + nullable: true + type: integer + podFailurePolicy: + nullable: true + properties: + rules: + items: + properties: + action: + nullable: true + type: string + onExitCodes: + nullable: true + properties: + containerName: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + type: integer + nullable: true + type: array + type: object + onPodConditions: + items: + properties: + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + type: 
object + nullable: true + type: array + type: object + selector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + suspend: + nullable: true + type: boolean + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + creationTimestamp: + nullable: true + type: string + deletionGracePeriodSeconds: + nullable: true + type: integer + deletionTimestamp: + nullable: true + type: string + finalizers: + items: + nullable: true + type: string + nullable: true + type: array + generateName: + nullable: true + type: string + generation: + type: integer + labels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + managedFields: + items: + properties: + apiVersion: + nullable: true + type: string + fieldsType: + nullable: true + type: string + fieldsV1: + nullable: true + type: object + manager: + nullable: true + type: string + operation: + nullable: true + type: string + subresource: + nullable: true + type: string + time: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + namespace: + nullable: true + type: string + ownerReferences: + items: + properties: + apiVersion: + nullable: true + type: string + blockOwnerDeletion: + nullable: true + type: boolean + controller: + nullable: true + type: boolean + kind: + nullable: true + type: string + name: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + nullable: true + type: array + resourceVersion: + nullable: true + type: string + selfLink: + 
nullable: true + type: string + uid: + nullable: true + type: string + type: object + spec: + properties: + activeDeadlineSeconds: + nullable: true + type: integer + affinity: + nullable: true + properties: + nodeAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchFields: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + nullable: true + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchFields: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + type: object + podAffinity: + nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + 
nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + podAntiAffinity: 
+ nullable: true + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + weight: + type: integer + type: object + nullable: true + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaceSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: 
array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + namespaces: + items: + nullable: true + type: string + nullable: true + type: array + topologyKey: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + type: object + automountServiceAccountToken: + nullable: true + type: boolean + containers: + items: + properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + nullable: true + type: array + env: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + type: array + image: + nullable: true + type: string + 
imagePullPolicy: + nullable: true + type: string + lifecycle: + nullable: true + properties: + postStart: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + preStop: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + type: object + livenessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + 
properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + name: + nullable: true + type: string + ports: + items: + properties: + containerPort: + type: integer + hostIP: + nullable: true + type: string + hostPort: + type: integer + name: + nullable: true + type: string + protocol: + nullable: true + type: string + type: object + nullable: true + type: array + readinessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + 
timeoutSeconds: + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + nullable: true + properties: + add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + startupProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: 
string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + nullable: true + type: string + terminationMessagePolicy: + nullable: true + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + volumeMounts: + items: + properties: + mountPath: + nullable: true + type: string + mountPropagation: + nullable: true + type: string + name: + nullable: true + type: string + readOnly: + type: boolean + subPath: + nullable: true + type: string + subPathExpr: + nullable: true + type: string + type: object + nullable: true + type: array + workingDir: + nullable: true + type: string + type: object + nullable: true + type: array + dnsConfig: + nullable: true + properties: + nameservers: + items: + nullable: true + type: string + nullable: true + type: array + options: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + searches: + items: + nullable: true + type: string + nullable: true + type: array + type: object + dnsPolicy: + nullable: true + type: string + enableServiceLinks: + nullable: true + type: boolean + ephemeralContainers: + items: + 
properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + nullable: true + type: array + env: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + type: array + image: + nullable: true + type: string + imagePullPolicy: + nullable: true + type: string + lifecycle: + nullable: true + properties: + postStart: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: 
string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + preStop: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + type: object + livenessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + 
host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + name: + nullable: true + type: string + ports: + items: + properties: + containerPort: + type: integer + hostIP: + nullable: true + type: string + hostPort: + type: integer + name: + nullable: true + type: string + protocol: + nullable: true + type: string + type: object + nullable: true + type: array + readinessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + nullable: true + properties: 
+ add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + startupProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true 
+ properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + targetContainerName: + nullable: true + type: string + terminationMessagePath: + nullable: true + type: string + terminationMessagePolicy: + nullable: true + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + volumeMounts: + items: + properties: + mountPath: + nullable: true + type: string + mountPropagation: + nullable: true + type: string + name: + nullable: true + type: string + readOnly: + type: boolean + subPath: + nullable: true + type: string + subPathExpr: + nullable: true + type: string + type: object + nullable: true + type: array + workingDir: + nullable: true + type: string + type: object + nullable: true + type: array + hostAliases: + items: + properties: + hostnames: + items: + nullable: true + type: string + nullable: true + type: array + ip: + nullable: true + type: string + type: object + nullable: true + type: array + hostIPC: + type: boolean + hostNetwork: + type: boolean + hostPID: + type: boolean + hostUsers: + nullable: true + type: boolean + hostname: + nullable: true + type: string + imagePullSecrets: + items: + properties: + name: + nullable: true + type: string + type: object + nullable: true + type: array + initContainers: + items: + properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + nullable: true + type: array + env: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + 
key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + type: array + image: + nullable: true + type: string + imagePullPolicy: + nullable: true + type: string + lifecycle: + nullable: true + properties: + postStart: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: 
object + preStop: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + type: object + type: object + livenessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + name: + nullable: true + type: string + ports: + items: + properties: + containerPort: + type: integer + hostIP: + nullable: true + type: string + hostPort: + type: 
integer + name: + nullable: true + type: string + protocol: + nullable: true + type: string + type: object + nullable: true + type: array + readinessProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + nullable: true + properties: + add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + 
runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + startupProbe: + nullable: true + properties: + exec: + nullable: true + properties: + command: + items: + nullable: true + type: string + nullable: true + type: array + type: object + failureThreshold: + type: integer + grpc: + nullable: true + properties: + port: + type: integer + service: + nullable: true + type: string + type: object + httpGet: + nullable: true + properties: + host: + nullable: true + type: string + httpHeaders: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + path: + nullable: true + type: string + port: + nullable: true + type: string + scheme: + nullable: true + type: string + type: object + initialDelaySeconds: + type: integer + periodSeconds: + type: integer + successThreshold: + type: integer + tcpSocket: + nullable: true + properties: + host: + nullable: true + type: string + port: + nullable: true + type: string + type: object + terminationGracePeriodSeconds: + nullable: true + type: integer + timeoutSeconds: + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + nullable: true + type: string + terminationMessagePolicy: + 
nullable: true + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + nullable: true + type: string + name: + nullable: true + type: string + type: object + nullable: true + type: array + volumeMounts: + items: + properties: + mountPath: + nullable: true + type: string + mountPropagation: + nullable: true + type: string + name: + nullable: true + type: string + readOnly: + type: boolean + subPath: + nullable: true + type: string + subPathExpr: + nullable: true + type: string + type: object + nullable: true + type: array + workingDir: + nullable: true + type: string + type: object + nullable: true + type: array + nodeName: + nullable: true + type: string + nodeSelector: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + os: + nullable: true + properties: + name: + nullable: true + type: string + type: object + overhead: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + preemptionPolicy: + nullable: true + type: string + priority: + nullable: true + type: integer + priorityClassName: + nullable: true + type: string + readinessGates: + items: + properties: + conditionType: + nullable: true + type: string + type: object + nullable: true + type: array + restartPolicy: + nullable: true + type: string + runtimeClassName: + nullable: true + type: string + schedulerName: + nullable: true + type: string + securityContext: + nullable: true + properties: + fsGroup: + nullable: true + type: integer + fsGroupChangePolicy: + nullable: true + type: string + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + 
localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + supplementalGroups: + items: + type: integer + nullable: true + type: array + sysctls: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + serviceAccount: + nullable: true + type: string + serviceAccountName: + nullable: true + type: string + setHostnameAsFQDN: + nullable: true + type: boolean + shareProcessNamespace: + nullable: true + type: boolean + subdomain: + nullable: true + type: string + terminationGracePeriodSeconds: + nullable: true + type: integer + tolerations: + items: + properties: + effect: + nullable: true + type: string + key: + nullable: true + type: string + operator: + nullable: true + type: string + tolerationSeconds: + nullable: true + type: integer + value: + nullable: true + type: string + type: object + nullable: true + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + matchLabelKeys: + items: + nullable: true + type: string + nullable: true + type: array + maxSkew: + type: integer + minDomains: + nullable: true + type: integer + nodeAffinityPolicy: + nullable: true + type: string + nodeTaintsPolicy: + nullable: true + type: 
string + topologyKey: + nullable: true + type: string + whenUnsatisfiable: + nullable: true + type: string + type: object + nullable: true + type: array + volumes: + items: + properties: + awsElasticBlockStore: + nullable: true + properties: + fsType: + nullable: true + type: string + partition: + type: integer + readOnly: + type: boolean + volumeID: + nullable: true + type: string + type: object + azureDisk: + nullable: true + properties: + cachingMode: + nullable: true + type: string + diskName: + nullable: true + type: string + diskURI: + nullable: true + type: string + fsType: + nullable: true + type: string + kind: + nullable: true + type: string + readOnly: + nullable: true + type: boolean + type: object + azureFile: + nullable: true + properties: + readOnly: + type: boolean + secretName: + nullable: true + type: string + shareName: + nullable: true + type: string + type: object + cephfs: + nullable: true + properties: + monitors: + items: + nullable: true + type: string + nullable: true + type: array + path: + nullable: true + type: string + readOnly: + type: boolean + secretFile: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + user: + nullable: true + type: string + type: object + cinder: + nullable: true + properties: + fsType: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + volumeID: + nullable: true + type: string + type: object + configMap: + nullable: true + properties: + defaultMode: + nullable: true + type: integer + items: + items: + properties: + key: + nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + csi: + nullable: true + properties: + driver: + 
nullable: true + type: string + fsType: + nullable: true + type: string + nodePublishSecretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + readOnly: + nullable: true + type: boolean + volumeAttributes: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + downwardAPI: + nullable: true + properties: + defaultMode: + nullable: true + type: integer + items: + items: + properties: + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + mode: + nullable: true + type: integer + path: + nullable: true + type: string + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + type: object + emptyDir: + nullable: true + properties: + medium: + nullable: true + type: string + sizeLimit: + nullable: true + type: string + type: object + ephemeral: + nullable: true + properties: + volumeClaimTemplate: + nullable: true + properties: + metadata: + properties: + annotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + creationTimestamp: + nullable: true + type: string + deletionGracePeriodSeconds: + nullable: true + type: integer + deletionTimestamp: + nullable: true + type: string + finalizers: + items: + nullable: true + type: string + nullable: true + type: array + generateName: + nullable: true + type: string + generation: + type: integer + labels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + managedFields: + items: + properties: + apiVersion: + nullable: true + type: string + fieldsType: + nullable: true + type: string + fieldsV1: + nullable: true + type: object + manager: + nullable: true + type: string + 
operation: + nullable: true + type: string + subresource: + nullable: true + type: string + time: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + namespace: + nullable: true + type: string + ownerReferences: + items: + properties: + apiVersion: + nullable: true + type: string + blockOwnerDeletion: + nullable: true + type: boolean + controller: + nullable: true + type: boolean + kind: + nullable: true + type: string + name: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + nullable: true + type: array + resourceVersion: + nullable: true + type: string + selfLink: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + spec: + properties: + accessModes: + items: + nullable: true + type: string + nullable: true + type: array + dataSource: + nullable: true + properties: + apiGroup: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + type: object + dataSourceRef: + nullable: true + properties: + apiGroup: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + type: object + resources: + properties: + limits: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + requests: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + selector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + storageClassName: + nullable: true + type: string + volumeMode: + nullable: true + type: string + 
volumeName: + nullable: true + type: string + type: object + type: object + type: object + fc: + nullable: true + properties: + fsType: + nullable: true + type: string + lun: + nullable: true + type: integer + readOnly: + type: boolean + targetWWNs: + items: + nullable: true + type: string + nullable: true + type: array + wwids: + items: + nullable: true + type: string + nullable: true + type: array + type: object + flexVolume: + nullable: true + properties: + driver: + nullable: true + type: string + fsType: + nullable: true + type: string + options: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + type: object + flocker: + nullable: true + properties: + datasetName: + nullable: true + type: string + datasetUUID: + nullable: true + type: string + type: object + gcePersistentDisk: + nullable: true + properties: + fsType: + nullable: true + type: string + partition: + type: integer + pdName: + nullable: true + type: string + readOnly: + type: boolean + type: object + gitRepo: + nullable: true + properties: + directory: + nullable: true + type: string + repository: + nullable: true + type: string + revision: + nullable: true + type: string + type: object + glusterfs: + nullable: true + properties: + endpoints: + nullable: true + type: string + path: + nullable: true + type: string + readOnly: + type: boolean + type: object + hostPath: + nullable: true + properties: + path: + nullable: true + type: string + type: + nullable: true + type: string + type: object + iscsi: + nullable: true + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + nullable: true + type: string + initiatorName: + nullable: true + type: string + iqn: + nullable: true + type: string + iscsiInterface: + nullable: true + type: string + lun: + type: integer + portals: + items: + nullable: 
true + type: string + nullable: true + type: array + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + targetPortal: + nullable: true + type: string + type: object + name: + nullable: true + type: string + nfs: + nullable: true + properties: + path: + nullable: true + type: string + readOnly: + type: boolean + server: + nullable: true + type: string + type: object + persistentVolumeClaim: + nullable: true + properties: + claimName: + nullable: true + type: string + readOnly: + type: boolean + type: object + photonPersistentDisk: + nullable: true + properties: + fsType: + nullable: true + type: string + pdID: + nullable: true + type: string + type: object + portworxVolume: + nullable: true + properties: + fsType: + nullable: true + type: string + readOnly: + type: boolean + volumeID: + nullable: true + type: string + type: object + projected: + nullable: true + properties: + defaultMode: + nullable: true + type: integer + sources: + items: + properties: + configMap: + nullable: true + properties: + items: + items: + properties: + key: + nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + downwardAPI: + nullable: true + properties: + items: + items: + properties: + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + mode: + nullable: true + type: integer + path: + nullable: true + type: string + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + type: object + secret: + nullable: true + properties: + 
items: + items: + properties: + key: + nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + serviceAccountToken: + nullable: true + properties: + audience: + nullable: true + type: string + expirationSeconds: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + type: object + quobyte: + nullable: true + properties: + group: + nullable: true + type: string + readOnly: + type: boolean + registry: + nullable: true + type: string + tenant: + nullable: true + type: string + user: + nullable: true + type: string + volume: + nullable: true + type: string + type: object + rbd: + nullable: true + properties: + fsType: + nullable: true + type: string + image: + nullable: true + type: string + keyring: + nullable: true + type: string + monitors: + items: + nullable: true + type: string + nullable: true + type: array + pool: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + user: + nullable: true + type: string + type: object + scaleIO: + nullable: true + properties: + fsType: + nullable: true + type: string + gateway: + nullable: true + type: string + protectionDomain: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + sslEnabled: + type: boolean + storageMode: + nullable: true + type: string + storagePool: + nullable: true + type: string + system: + nullable: true + type: string + volumeName: + nullable: true + type: string + type: object + secret: + nullable: true + properties: + defaultMode: + nullable: true + type: integer + items: + items: + properties: + key: + 
nullable: true + type: string + mode: + nullable: true + type: integer + path: + nullable: true + type: string + type: object + nullable: true + type: array + optional: + nullable: true + type: boolean + secretName: + nullable: true + type: string + type: object + storageos: + nullable: true + properties: + fsType: + nullable: true + type: string + readOnly: + type: boolean + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + type: object + volumeName: + nullable: true + type: string + volumeNamespace: + nullable: true + type: string + type: object + vsphereVolume: + nullable: true + properties: + fsType: + nullable: true + type: string + storagePolicyID: + nullable: true + type: string + storagePolicyName: + nullable: true + type: string + volumePath: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + type: object + type: object + ttlSecondsAfterFinished: + nullable: true + type: integer + type: object + syncInterval: + type: integer + type: object + status: + properties: + commit: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + event: + nullable: true + type: string + hookId: + nullable: true + type: string + jobStatus: + nullable: true + type: string + lastExecutedCommit: + nullable: true + type: string + lastSyncedTime: + nullable: true + type: string + observedGeneration: + type: integer + secretToken: + nullable: true + type: string + updateGeneration: + type: integer + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true +{{- end -}} 
diff --git a/charts/fleet-crd/102.2.1+up0.8.1/values.yaml b/charts/fleet-crd/102.2.1+up0.8.1/values.yaml
new file mode 100644
index 0000000000..d41d3a2444
--- /dev/null
+++ b/charts/fleet-crd/102.2.1+up0.8.1/values.yaml
@@ -0,0 +1 @@
+# This file is intentionally empty
diff --git a/index.yaml b/index.yaml
index caf001d3b4..b9dafc7416 100755
--- a/index.yaml
+++ b/index.yaml
@@ -1681,6 +1681,23 @@ entries:
 urls:
 - assets/fleet-crd/fleet-crd-103.1.0+up0.9.0.tgz
 version: 103.1.0+up0.9.0
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-fleet-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/release-name: fleet-crd
+ apiVersion: v2
+ appVersion: 0.8.1
+ created: "2023-12-04T13:14:01.423312-03:00"
+ description: Fleet Manager CustomResourceDefinitions
+ digest: 767f2c9db2aa004fc0e9a6b57b885bde7bf616e876f79143b49d821e17776911
+ icon: https://charts.rancher.io/assets/logos/fleet.svg
+ name: fleet-crd
+ urls:
+ - assets/fleet-crd/fleet-crd-102.2.1+up0.8.1.tgz
+ version: 102.2.1+up0.8.1
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index dbe15a7729..08e6753c4e 100644
--- a/release.yaml
+++ b/release.yaml
@@ -10,3 +10,5 @@ longhorn-crd:
 - 102.3.1+up1.5.3
 fleet:
 - 102.2.1+up0.8.1
+fleet-crd:
+ - 102.2.1+up0.8.1
From a887189dff4da0aa480f3807cc93e23e688bd50e Mon Sep 17 00:00:00 2001
From: Lucas Lopes Date: Mon, 4 Dec 2023 13:14:36 -0300 Subject: [PATCH 09/10] make forward-port fleet-agent 102.2.1+up0.8.1 --- .../fleet-agent-102.2.1+up0.8.1.tgz | Bin 0 -> 3064 bytes charts/fleet-agent/102.2.1+up0.8.1/Chart.yaml | 15 +++++ charts/fleet-agent/102.2.1+up0.8.1/README.md | 8 +++ .../102.2.1+up0.8.1/templates/_helpers.tpl | 22 ++++++ .../102.2.1+up0.8.1/templates/configmap.yaml | 12 ++++ .../102.2.1+up0.8.1/templates/deployment.yaml | 51 ++++++++++++++ .../templates/network_policy_allow_all.yaml | 15 +++++ .../patch_default_serviceaccount.yaml | 28 ++++++++ .../102.2.1+up0.8.1/templates/rbac.yaml | 25 +++++++ .../102.2.1+up0.8.1/templates/secret.yaml | 10 +++ .../templates/serviceaccount.yaml | 4 ++ .../102.2.1+up0.8.1/templates/validate.yaml | 11 +++ .../fleet-agent/102.2.1+up0.8.1/values.yaml | 63 ++++++++++++++++++ index.yaml | 19 ++++++ release.yaml | 2 + 15 files changed, 285 insertions(+) create mode 100644 assets/fleet-agent/fleet-agent-102.2.1+up0.8.1.tgz create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/Chart.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/README.md create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/_helpers.tpl create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/configmap.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/deployment.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/network_policy_allow_all.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/patch_default_serviceaccount.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/rbac.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/secret.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/serviceaccount.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/templates/validate.yaml create mode 100644 charts/fleet-agent/102.2.1+up0.8.1/values.yaml 
diff --git a/assets/fleet-agent/fleet-agent-102.2.1+up0.8.1.tgz b/assets/fleet-agent/fleet-agent-102.2.1+up0.8.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..018784da1662467a1aa5faa91f6cee35e934a9bf GIT binary patch literal 3064 zcmVDc zVQyr3R8em|NM&qo0PI}6z3Q+j53;cQZc6>7~zcJ$BkRZ_-Q# zB3BY>5MTjNuBz&Pe*=J|NQ$UIiU<_} zqdfn$vo=GSQmulDYyXz=MBJ)Q?qc9g<%i*Mq5Cj=dAI5k84`to8A1d#bMr_>e=HlE z4?U7))z5zTG8}jbs#wxY+oIP-65bL{rYPaWv;YBoOZE4e0;1tMCJa3q8{V1LnTmS7 z*ch}53-ygQL@Cs&$HY{qo>eAP^QpI~Ts71|e;5wK!GGnMQ|hS~?2aCk>i&ODSdQx9 z1Hcyle{e7yw*CKTxby#yLNp~)G@jphLcef=`_?5IFD@|?ifSPjmHY42-2{Lp(+K9y zH+XySZibNMV@6~6;p!a31oRByANd$1M~w@qJkJ3aYA z9Yb#q-b{euL<6RoUI5iV6%eKJ6cf-hs@iS7JHIw8icUEuFkS$GTVxDwxVYtTdJ?Y3 zaC%Z7LdbVs{syTRtu|%yrhas+NRTp=ljk28* zc6fVmX@ff?!cJa1BYf%>+!&d-HS1R!EppCKDOiXcBof9J_L0NwjA&bE2AT-Uryk`R zB`3_7r0eD`Z7S@O+69?hIiPW|5z5Qy5eZ%+!&nOmgq!8T&<$9@M7YOoB_P3!iA8FJ zZ9^7q7>)M!;6fw_ZaG+~OeE$p(L?^$^d8p=knT)B47snTYdm|8GTSlhK;3u74w9snm3jCBMT;yRvTk~8$YDHCJ2Zrw7CET>zguW&+grVArmSgQr7&3|{KDHv?M zi!+08I0%nCFTrs>jbK8ULighw=g1=H?*Qs&Q62wjOfyC_s@}&LvJ9mPb@l*IaQpuM zu!aAQjz>p3{P!5NTn3QfgmMJm+3Lr{8SBR)S}uGDRx8gi(g}n=x=n(!_Hv)wY2}qz zCMnkw@V`<$|BD(xrm*_quk}HmY<%~Y%icHMKOK-=g9*x*#YDy6oRhVF-eO(rEY-ee zSX}6K#q}7e1>6dG!vskb#3E;jg{XxCEZ~+qK?#5I&Zoi(z zFpjcxz!fYn{ja}vz@~W9eYa+&Qw>#wBd0?%M69zYwU(ZG&F<*osN4U?f=}o)CE0@{ z1Gf18{=q@p|Br^pgPs3>47#B_iQv>e@3$mtCM5@6ikc)u6NAw>kZ&TIDjqoKRi0_x9$IEFx=VyV^H1RNtUVJeBe2s@M@g|xZew?3}c(FD7UrN z{8FOh*?EyRa&}9ytSJdlF1bRc){i095btaNpzPjIk@!Jb2^r8bU$+nx`d^&9J-fa< zIX$at3Y7I)iZrSf0!%2f#BBT>_8tXkkJA~D0?a{1k zxZW7AR#CfBlj&;pyy|W9;gmJ8NK?X-`b=21CRYpO+l}?w?;4>Xu!Wl?0W%x$TKRGb zzvMz=vo*U-uQyrY`&ya8IG0o}P6gNatFF&HVNBd!N;; zp0mZ35c)M`=q5b^E%Q2CR<@OFHW8DIj47j|tn59t8X^bav zEOM?llXS)NYi5U*KzYpaXLf^H6Ri^x{}pio9I==b~0 z@^7Wcv!bG=$y59NlDgwRM{TycA2Y#dy!dF1&U}6u8rX{eN3HjN!@=Qjm;ZSb3WA`4 z`HLq{`82$FX;T0dAh>W@M7d*hz3y0Dk{-0Dn6vUcC3JL4UB=|1LgF41)2SI$Y+Am7~}c zZL!qRcez!7_kPiVzYo5B=H^S&8<>(}SmtYxna|}X^Re-AwFtI>G^IL%-NC=V 
zCw0evIVSPLodewZ{sIfAid)H&h~*F*XY4D95z|uZ>wgPw)SuJfVF0W$Fjx zLfZT&l7i(x?oq@8*qp!5nKhM4muiO6J*|>-D z0NeKeM+fcmzel6N!Os34gIe$VN`tufP^7c;|f~b!|rft$GOdoM%p}1vOM3q z!EP%YPwV9G25Y^(C1KCm-Ysx?V)#poGe)t+Z;XY|W)8By2wu9&{{PsHze(Hdf6#B+ z|M9`WF8)6Xwd}t$w%q^v@2N+yqd!93_CF_#CPd@IAb_p-fAjp$V6e;oJqj(CbOIb< z6C8e0wtl&U384(WF3)(rn^6V!-eGl#r%3x@0+icJ2J4F&UnwBUmKE0|ZC%~H_*>O@ z;q*YBxHFC&Amt^w6vSk}QzU1`5jK@}8t2JFF9cb974-up;}(!l5q zvIP*PL>&zI^}e5aZSLsLr@H^YIy-sw_AE@32kv8={~rtwTK<1{JnZlM|6|bJUU99_ z-6;QmWGUGH1L1jRbCe5L8x&p&5^>9wmPpd((R!J4AiTIfre{Rkw+K0>vB48Imt0;) zblt^*Ybh8*8G`k)PLwM6**IFlg`T0b7eK|Ne(Py1sH)4Eg(u!rF7&)>O?X0>;APLb zGNQRccSX~A_lb~BgTP&h(wH=E3x@DoNJxc5NKg~X6evV^f1k{UugjZa?xKC|8h)W( zP-ow3we=$OoWhjDl@oDd= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: fleet-agent +apiVersion: v2 +appVersion: 0.8.1 +description: Fleet Manager Agent - GitOps at Scale +icon: https://charts.rancher.io/assets/logos/fleet.svg +name: fleet-agent +version: 102.2.1+up0.8.1 diff --git a/charts/fleet-agent/102.2.1+up0.8.1/README.md b/charts/fleet-agent/102.2.1+up0.8.1/README.md new file mode 100644 index 0000000000..2c5724dcef --- /dev/null +++ b/charts/fleet-agent/102.2.1+up0.8.1/README.md 
@@ -0,0 +1,8 @@
+## Fleet Agent Helm Chart
+
+Every Fleet-managed downstream cluster will run an agent that communicates back to the Fleet controller. This agent is just another set of Kubernetes controllers running in the downstream cluster.
+
+Standalone Fleet users use this chart for agent-initiated registration. For more details see [agent-initiated registration](https://fleet.rancher.io/cluster-registration#agent-initiated).
+Fleet in Rancher does not use this chart, but creates the agent deployments programmatically.
+
+The Fleet documentation is centralized in the [doc website](https://fleet.rancher.io/).
\ No newline at end of file
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/_helpers.tpl b/charts/fleet-agent/102.2.1+up0.8.1/templates/_helpers.tpl
new file mode 100644
index 0000000000..6cd96c3ace
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/configmap.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/configmap.yaml
new file mode 100644
index 0000000000..ce61a87568
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/configmap.yaml
@@ -0,0 +1,12 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: fleet-agent
+data:
+ config: |-
+ {
+ {{ if .Values.labels }}
+ "labels":{{toJson .Values.labels}},
+ {{ end }}
+ "clientID":"{{.Values.clientID}}"
+ }
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/deployment.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/deployment.yaml
new file mode 100644
index 0000000000..582eed608d
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: fleet-agent
+spec:
+ selector:
+ matchLabels:
+ app: fleet-agent
+ template:
+ metadata:
+ labels:
+ app: fleet-agent
+ spec:
+ containers:
+ - env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+ name: fleet-agent
+ command:
+ - fleetagent
+ {{- if .Values.debug }}
+ - --debug
+ - --debug-level
+ - {{ quote .Values.debugLevel }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ {{- end }}
+ serviceAccountName: fleet-agent
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.fleetAgent.nodeSelector }}
+{{ toYaml .Values.fleetAgent.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.fleetAgent.tolerations }}
+{{ toYaml .Values.fleetAgent.tolerations | indent 8 }}
+{{- end }}
+{{- if not .Values.debug }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+{{- end }}
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/network_policy_allow_all.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..a72109a062
--- /dev/null
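Review bot: `clientID` in the ConfigMap's `config` block is spliced into the JSON as raw text (`"clientID":"{{.Values.clientID}}"`), while `labels` two lines above it goes through `toJson`. A value containing a double quote or backslash would yield invalid or altered JSON for the agent to parse. Rendering it the same way as the labels avoids that: `"clientID":{{ toJson .Values.clientID }}`.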
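Review bot: Setting `debug` in deployment.yaml removes both `securityContext` blocks, not just the log flags: the container-level block sits in the `{{- else }}` branch of `{{- if .Values.debug }}`, and the pod-level block is wrapped in `{{- if not .Values.debug }}`. A debug install therefore runs with the image's default user, a writable root filesystem and default capabilities, under a service account that rbac.yaml in this same patch binds to a wildcard ClusterRole. If debugging does not actually need those relaxations, close the conditional before the container `securityContext:` (replace `{{- else }}` with `{{- end }}` and drop the later `{{- end }}`) and remove the `if not .Values.debug` wrapper around the pod-level block. If it does need them, add a template comment naming which setting debug mode requires to be lifted, so the trade-off is visible to whoever flips the value.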
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Values.internal.systemNamespace }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/patch_default_serviceaccount.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..aad4eea415
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-fleet-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: fleet-agent
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ .Values.internal.systemNamespace }}]
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.kubectl.nodeSelector }}
+{{ toYaml .Values.kubectl.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.kubectl.tolerations }}
+{{ toYaml .Values.kubectl.tolerations | indent 8 }}
+{{- end }}
+ backoffLimit: 1
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/rbac.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/rbac.yaml
new file mode 100644
index 0000000000..805949bf2c
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/rbac.yaml
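Review bot: The `default-allow-all` NetworkPolicy selects every pod in the namespace (`podSelector: {}`) and allows all traffic in both directions (`- {}` under `ingress` and `egress`), so it is not limited to the agent. NetworkPolicies are additive, so any pod scheduled into `{{ .Values.internal.systemNamespace }}` is opened up even where an operator has applied a default-deny policy there. Consider narrowing the selector to the agent pods using the label deployment.yaml sets, `podSelector: {matchLabels: {app: fleet-agent}}`, and dropping the `ingress` rule if nothing needs to connect to the agent. This chart defines no Service for it, though whether other in-namespace traffic depends on the policy cannot be seen from this patch.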
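Review bot: The `patch-fleet-sa` hook Job has no `securityContext` at pod or container level, although deployment.yaml in this patch hardens the agent container, and it runs under `serviceAccountName: fleet-agent`, which rbac.yaml binds to a wildcard ClusterRole. The hook only patches one ServiceAccount, so its container can drop capabilities and privilege escalation the way the agent does; the block below mirrors the agent's settings. `readOnlyRootFilesystem` is left false because it is not visible here whether kubectl in this image needs a writable home directory, and the `runAs*` values assume the image works as a non-root user, so both need a test install. Separately, the namespace in `args` is rendered unquoted; `args: ["-n", {{ quote .Values.internal.systemNamespace }}]` keeps the flow sequence valid whatever the value is.

```yaml
      containers:
      - name: sa
        # … unchanged: image, imagePullPolicy, command, args …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: false
          privileged: false
          capabilities:
            drop:
            - ALL
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
      # … unchanged: nodeSelector, tolerations …
```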
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fleet-agent-system-fleet-agent-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fleet-agent-system-fleet-agent-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fleet-agent-system-fleet-agent-role
+subjects:
+- kind: ServiceAccount
+ name: fleet-agent
+ namespace: {{.Release.Namespace}}
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/secret.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/secret.yaml
new file mode 100644
index 0000000000..4715882047
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ systemRegistrationNamespace: "{{b64enc .Values.systemRegistrationNamespace}}"
+ clusterNamespace: "{{b64enc .Values.clusterNamespace}}"
+ token: "{{b64enc .Values.token}}"
+ apiServerURL: "{{b64enc .Values.apiServerURL}}"
+ apiServerCA: "{{b64enc .Values.apiServerCA}}"
+kind: Secret
+metadata:
+ name: fleet-agent-bootstrap
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/serviceaccount.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..73e27f0be9
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fleet-agent
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/templates/validate.yaml b/charts/fleet-agent/102.2.1+up0.8.1/templates/validate.yaml
new file mode 100644
index 0000000000..d53ff1c508
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/templates/validate.yaml
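Review bot: The ClusterRole `fleet-agent-system-fleet-agent-role` in rbac.yaml grants `'*'` on all apiGroups, resources and verbs and is bound cluster-wide to the `fleet-agent` ServiceAccount, making that account equivalent to cluster-admin, yet the file carries no comment saying so. If the breadth is intentional (presumably because the agent has to apply whatever resources a bundle contains), state it at the top of the file, e.g. `# Cluster-admin equivalent by design: the agent applies arbitrary bundle resources. Treat the fleet-agent token as a cluster-admin credential.` The post-install hook in patch_default_serviceaccount.yaml reuses this ServiceAccount and so runs with the same rights. Audit-log alerting on use of this account from anywhere other than the agent pods is a reasonable compensating control.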
@@ -0,0 +1,11 @@
+{{if ne .Release.Namespace .Values.internal.systemNamespace }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.systemNamespace) }}
+{{end}}
+
+{{if ne .Release.Name .Values.internal.managedReleaseName }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.managedReleaseName) }}
+{{end}}
+
+{{if not .Values.apiServerURL }}
+{{ fail "apiServerURL is required to be set, and most likely also apiServerCA" }}
+{{end}}
diff --git a/charts/fleet-agent/102.2.1+up0.8.1/values.yaml b/charts/fleet-agent/102.2.1+up0.8.1/values.yaml
new file mode 100644
index 0000000000..1243b6a47c
--- /dev/null
+++ b/charts/fleet-agent/102.2.1+up0.8.1/values.yaml
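Review bot: The second `fail` message in validate.yaml is wrong: it is reached when the release name differs, but it formats `.Values.internal.managedReleaseName` into the namespace position and hard-codes `fleet-agent` as the release name, so the user is told to install into a namespace named after the release. The first message hard-codes the release name as well. Both checks can share one accurate message: `{{ fail (printf "This chart must be installed in the namespace %s as the release name %s" .Values.internal.systemNamespace .Values.internal.managedReleaseName) }}`.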
@@ -0,0 +1,63 @@
+image:
+ os: "windows,linux"
+ repository: rancher/fleet-agent
+ tag: v0.8.1
+
+# The public URL of the Kubernetes API server running the Fleet Manager must be set here
+# Example: https://example.com:6443
+apiServerURL: ""
+
+# The the pem encoded value of the CA of the Kubernetes API server running the Fleet Manager.
+# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
+apiServerCA: ""
+
+# The cluster registration value
+token: ""
+
+# Labels to add to the cluster upon registration only. They are not added after the fact.
+#labels:
+# foo: bar
+
+# The client ID of the cluster to associate with
+clientID: ""
+
+# The namespace of the cluster we are register with
+clusterNamespace: ""
+
+# The namespace containing the clusters registration secrets
+systemRegistrationNamespace: cattle-fleet-clusters-system
+
+# Please do not change the below setting unless you really know what you are doing
+internal:
+ systemNamespace: cattle-fleet-system
+ managedReleaseName: fleet-agent
+
+# The nodeSelector and tolerations for the agent deployment
+fleetAgent:
+ ## Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+ tolerations: []
+kubectl:
+ ## Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+ tolerations:
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ operator: "Equal"
+ value: "true"
+ effect: NoSchedule
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.21.5
+
+debug: false
+debugLevel: 0
diff --git a/index.yaml b/index.yaml
index b9dafc7416..9bd3e81ad3 100755
--- a/index.yaml
+++ b/index.yaml
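Review bot: `global.imagePullPolicy` is read by templates/patch_default_serviceaccount.yaml (`imagePullPolicy: {{ .Values.global.imagePullPolicy }}`) but is not defined under `global:` in this values.yaml, so with default values that field renders empty. Add a default under `global:`, for example `imagePullPolicy: IfNotPresent`. The hook image is also pinned to `rancher/kubectl` tag `v1.21.5` while the chart's `catalog.cattle.io/kube-version` annotation admits clusters up to `< 1.27.0-0`, which is wider than kubectl's one-minor-version skew policy, so it is worth confirming the tag is intended. Two comments need a wording fix: `# The the pem encoded value` should read `# The PEM-encoded value`, and `we are register with` should read `we are registering with`.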
@@ -1232,6 +1232,25 @@ entries: urls: - assets/fleet-agent/fleet-agent-103.1.0+up0.9.0.tgz version: 103.1.0+up0.9.0 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: fleet-agent + apiVersion: v2 + appVersion: 0.8.1 + created: "2023-12-04T13:14:21.864382-03:00" + description: Fleet Manager Agent - GitOps at Scale + digest: 32d0e4d8bc7407614613a85a2682e05dfe2a9f3b0688f524a81f0f53f25e53ac + icon: https://charts.rancher.io/assets/logos/fleet.svg + name: fleet-agent + urls: + - assets/fleet-agent/fleet-agent-102.2.1+up0.8.1.tgz + version: 102.2.1+up0.8.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 08e6753c4e..7dc51a89d3 100644 --- a/release.yaml +++ b/release.yaml @@ -12,3 +12,5 @@ fleet: - 102.2.1+up0.8.1 fleet-crd: - 102.2.1+up0.8.1 +fleet-agent: + - 102.2.1+up0.8.1 From c42253a7b8ad41457747c0d46e3f8b5218d14947 Mon Sep 17 00:00:00 2001 From: rancherbot Date: Mon, 18 Dec 2023 13:46:39 +0000 Subject: [PATCH 10/10] Updating resync.yaml --- regsync.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/regsync.yaml b/regsync.yaml index e19bc35a21..9051b54e60 100644 --- a/regsync.yaml +++ b/regsync.yaml @@ -177,6 +177,7 @@ sync: - v0.7.0 - v0.7.1 - v0.8.0 + - v0.8.1 - v0.9.0 - source: docker.io/rancher/fleet-agent target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/fleet-agent' @@ -205,6 +206,7 @@ sync: - v0.7.0 - v0.7.1 - v0.8.0 + - v0.8.1 - v0.9.0 - source: docker.io/rancher/fluent-bit target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/fluent-bit' 
@@ -251,6 +253,7 @@ sync: - v0.1.54 - v0.1.6 - v0.1.76 + - v0.1.76-security1 - v0.1.8 - v0.1.96 - source: docker.io/rancher/gke-operator @@ -1272,6 +1275,7 @@ sync: - 5.2.0 - 5.2.1 - 5.2.2-s1 + - 5.2.4 - source: docker.io/rancher/mirrored-neuvector-enforcer target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-enforcer' type: repository @@ -1287,6 +1291,7 @@ sync: - 5.2.0 - 5.2.1 - 5.2.2-s1 + - 5.2.4 - source: docker.io/rancher/mirrored-neuvector-manager target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-manager' type: repository @@ -1302,6 +1307,7 @@ sync: - 5.2.0 - 5.2.1 - 5.2.2-s1 + - 5.2.4 - source: docker.io/rancher/mirrored-neuvector-prometheus-exporter target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-prometheus-exporter' type: repository @@ -1310,6 +1316,7 @@ sync: - 5.2.0 - 5.2.1 - 5.2.2 + - 5.2.4 - source: docker.io/rancher/mirrored-neuvector-registry-adapter target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-registry-adapter' type: repository @@ -1689,6 +1696,7 @@ sync: - v0.1.22 - v0.1.3 - v0.1.33 + - v0.1.37 - v0.1.5 - v0.1.6 - v0.1.7