diff --git a/assets/epinio-crd/epinio-crd-102.0.4+up1.9.0.tgz b/assets/epinio-crd/epinio-crd-102.0.4+up1.9.0.tgz new file mode 100644 index 0000000000..a2678b6504 Binary files /dev/null and b/assets/epinio-crd/epinio-crd-102.0.4+up1.9.0.tgz differ diff --git a/assets/epinio/epinio-102.0.4+up1.9.0.tgz b/assets/epinio/epinio-102.0.4+up1.9.0.tgz new file mode 100644 index 0000000000..ec2ae5ea00 Binary files /dev/null and b/assets/epinio/epinio-102.0.4+up1.9.0.tgz differ diff --git a/charts/epinio-crd/102.0.4+up1.9.0/Chart.yaml b/charts/epinio-crd/102.0.4+up1.9.0/Chart.yaml new file mode 100644 index 0000000000..0837f21f5f --- /dev/null +++ b/charts/epinio-crd/102.0.4+up1.9.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-epinio-system + catalog.cattle.io/release-name: epinio-crd +apiVersion: v2 +description: Installs the CRDs for Epinio. +name: epinio-crd +type: application +version: 102.0.4+up1.9.0 diff --git a/charts/epinio-crd/102.0.4+up1.9.0/README.md b/charts/epinio-crd/102.0.4+up1.9.0/README.md new file mode 100644 index 0000000000..527081aec4 --- /dev/null +++ b/charts/epinio-crd/102.0.4+up1.9.0/README.md @@ -0,0 +1,2 @@ +# epinio-crd +A Rancher chart that installs the CRDs used by epinio. diff --git a/charts/epinio-crd/102.0.4+up1.9.0/templates/app-crd.yaml b/charts/epinio-crd/102.0.4+up1.9.0/templates/app-crd.yaml new file mode 100644 index 0000000000..bae8a1f9ca --- /dev/null +++ b/charts/epinio-crd/102.0.4+up1.9.0/templates/app-crd.yaml @@ -0,0 +1,118 @@ +# Copied from here: +# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_apps.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: apps.application.epinio.io +spec: + group: application.epinio.io + names: + kind: App + listKind: AppList + plural: apps + singular: app + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: App is the Schema for the apps API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AppSpec defines the desired state of App + properties: + blobuid: + description: BlobUID stores the blob uid that was used when the application + was last staged (from code). It can be empty if the application + was never staged (e.g. pushed with container image). Epinio will + use the value set by the user explicitly but if one is not set, + it will try to use the previously set blobUID from the application + CRD. + type: string + builderimage: + description: This field stores the builder image that was used when + the application was last staged (from code). It can be empty if + the application was never staged (e.g. pushed with container image). + Epinio will use the builder image set by the user explicitly but + if one is not set, it will try to use the previously set image. + type: string + chartname: + description: ChartName stores the name of the application support + chart used to deploy the currently running application. This is + set on deployment, for use in updates. The name references an epinio + AppCharts resource. + type: string + imageurl: + description: ImageURL stores the image reference of the currently + running application. This is set on deployment, for use in updates. + type: string + origin: + properties: + archive: + type: boolean + container: + type: string + git: + properties: + branch: + type: string + provider: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + path: + type: string + type: object + routes: + items: + type: string + type: array + settings: + additionalProperties: + type: string + description: Settings stores the fields and values set by the user + to configure the application chart. See ChartName. + type: object + stageid: + description: StageID stores the id of the latest attempt to stage + the application, regardless of outcome. This enables access to the + staging logs of an application which never staged successfully. + type: string + required: + - origin + type: object + status: + description: AppStatus defines the observed state of App + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/epinio-crd/102.0.4+up1.9.0/templates/appcharts-crd.yaml b/charts/epinio-crd/102.0.4+up1.9.0/templates/appcharts-crd.yaml new file mode 100644 index 0000000000..940ea6dc50 --- /dev/null +++ b/charts/epinio-crd/102.0.4+up1.9.0/templates/appcharts-crd.yaml @@ -0,0 +1,108 @@ +# Copied from here: +# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_appcharts.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: appcharts.application.epinio.io +spec: + group: application.epinio.io + names: + kind: AppChart + listKind: AppChartList + plural: appcharts + singular: appchart + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AppChart is the Schema for the appcharts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AppChartSpec defines the desired state of AppChart + properties: + description: + description: Description of the chart. Long form to be used in detailed + displays + type: string + helmChart: + description: HelmChart is the name of the Helm chart used to deploy + an application. + type: string + helmRepo: + description: HelmRepo is the URL to the Helm repository where to fetch + the helm chart. This can be empty. In that case the HelmChart field + has to reference the chart as full URL instead of as a simple name. + type: string + settings: + additionalProperties: + description: AppChartSetting is an older name for ChartSetting. + Created to keep backward compatibility. Should also reduce misunderstandings + of what kind of settings are handled in a particular context. + properties: + enum: + description: Enumeration of allowed values, for types string, + number, integer + items: + type: string + type: array + maximum: + description: Maximal allowed value, for number, integer + type: string + minimum: + description: Minimal allowed value, for number, integer + type: string + type: + description: Type of the setting (string, bool, number, or integer) + type: string + required: + - type + type: object + description: Settings declares the fields underneath `userValues` + the user is allowed to customize when deploying an application with + the helm chart referenced by this app chart. + type: object + shortDescription: + description: ShortDescription of the chart. To be used in list displays + type: string + values: + additionalProperties: + type: string + description: Values provides settings, i.e. field names and values + to customize the referenced helm chart when deploying an application + with this app chart. Note that user-configurable settings are declared + with `Settings` instead. While nothing checks against exposing a + field set here to the user this is strongly discouraged, to avoid + confusion. + type: object + type: object + status: + description: AppChartStatus defines the observed state of AppChart + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/epinio-crd/102.0.4+up1.9.0/templates/service-crd.yaml b/charts/epinio-crd/102.0.4+up1.9.0/templates/service-crd.yaml new file mode 100644 index 0000000000..017f5478b1 --- /dev/null +++ b/charts/epinio-crd/102.0.4+up1.9.0/templates/service-crd.yaml @@ -0,0 +1,120 @@ +# Copied from here: +# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_services.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: services.application.epinio.io +spec: + group: application.epinio.io + names: + kind: Service + listKind: ServiceList + plural: services + singular: service + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Service is the Schema for the services API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSpec defines the desired state of Service + properties: + appVersion: + description: AppVersion is the version of the service deployed by + the referenced chart + type: string + chart: + description: HelmChart is the name of the Helm chart used to deploy + the service + type: string + chartVersion: + description: ChartVersion is the version of the Helm chart used to + deploy the service + type: string + description: + description: Description of the service to be used when the service + is described + type: string + helmRepo: + description: HelmRepo is the Helm repository where to fetch the helm + chart + properties: + name: + type: string + url: + type: string + type: object + name: + description: Name of the service (i.e. redis-small) + type: string + serviceIcon: + description: ServiceIcon is an image associated with this service + type: string + settings: + additionalProperties: + description: ServiceSetting is an alias to ChartSetting. Should + reduce misunderstandings of what kind of settings are handled + in a particular context. + properties: + enum: + description: Enumeration of allowed values, for types string, + number, integer + items: + type: string + type: array + maximum: + description: Maximal allowed value, for number, integer + type: string + minimum: + description: Minimal allowed value, for number, integer + type: string + type: + description: Type of the setting (string, bool, number, or integer) + type: string + required: + - type + type: object + description: Settings declares the fields the user is allowed to customize + when deploying a service with the helm chart referenced by this + service class. + type: object + shortDescription: + description: ShortDescription of the service to be used in lists + type: string + values: + description: Values are the values provided by the operator. They + are used to customize the deployment of the service. + type: string + type: object + status: + description: ServiceStatus defines the observed state of Service + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/epinio/102.0.4+up1.9.0/Chart.lock b/charts/epinio/102.0.4+up1.9.0/Chart.lock new file mode 100644 index 0000000000..3f884a51ac --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/Chart.lock @@ -0,0 +1,15 @@ +dependencies: +- name: dex + repository: https://charts.dexidp.io + version: 0.14.3 +- name: minio + repository: https://charts.min.io/ + version: 5.0.13 +- name: kubed + repository: https://charts.appscode.com/stable/ + version: v0.13.2 +- name: s3gw + repository: https://aquarist-labs.github.io/s3gw-charts + version: 0.14.0 +digest: sha256:bb126710c2f9a5b3d92dcb6186b97747881fd323fbfe0a53cda5194dc9f1000d +generated: "2023-07-18T14:35:31.781489759+02:00" diff --git a/charts/epinio/102.0.4+up1.9.0/Chart.yaml b/charts/epinio/102.0.4+up1.9.0/Chart.yaml new file mode 100644 index 0000000000..957d6ea0e7 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/Chart.yaml @@ -0,0 +1,51 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + catalog.cattle.io/auto-install: epinio-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Epinio + catalog.cattle.io/experimental: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-epinio-system + catalog.cattle.io/permits-os: linux + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: epinio + catalog.cattle.io/type: app + catalog.cattle.io/upstream-version: 1.9.0 +apiVersion: v2 +appVersion: v1.9.0 +dependencies: +- condition: global.dex.enabled + name: dex + repository: file://./charts/dex + tags: + - dex +- condition: kubed.enabled, global.kubed.enabled + name: kubed + repository: file://./charts/kubed + tags: + - kubed +- condition: minio.enabled, global.minio.enabled + name: minio + repository: file://./charts/minio + tags: + - minio +- condition: s3gw.enabled, global.s3gw.enabled + name: s3gw + repository: file://./charts/s3gw + tags: + - s3gw +description: Epinio deploys Kubernetes applications directly from source code in one + step. +home: https://github.com/epinio/epinio +icon: https://charts.rancher.io/assets/logos/epinio.svg +keywords: +- epinio +- paas +maintainers: +- email: team@epinio.io + name: SUSE +name: epinio +sources: +- https://github.com/epinio/epinio +version: 102.0.4+up1.9.0 diff --git a/charts/epinio/102.0.4+up1.9.0/README.md b/charts/epinio/102.0.4+up1.9.0/README.md new file mode 100644 index 0000000000..2e1b39df15 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/README.md @@ -0,0 +1,100 @@ +# Epinio Helm Chart + +From app to URL in one command. + +## Introduction + +This chart deploys Epinio PaaS on a Kubernetes cluster. It also deploys some of +its dependencies as subcharts. + +The documentation is centralized in the [doc website](https://docs.epinio.io). + +## Prerequisites + +Epinio needs a number of external components to be running on your cluster in order to +work. You may already have those deployed, otherwise follow the instructions here +to deploy them. + +Important: Some of the namespaces of the components are hardcoded in the Epinio +code and thus are important to be the same as described here. In the future this +may be configurable on the Epinio Helm chart. + +### Ingress Controller + +Epinio creates Ingress resources for the API server, the applications and depending +on your setup, the internal container registry. Those resources won't work unless +an Ingress controller is running on your cluster. + +If you don't have an Ingress controller already running, you can install Traefik with: + +``` +$ kubectl create namespace traefik +$ export LOAD_BALANCER_IP=$(LOAD_BALANCER_IP:-) # Set this to the IP of your load balancer if you know that +$ helm install traefik --namespace traefik "https://helm.traefik.io/traefik/traefik-10.3.4.tgz" \ + --set globalArguments='' \ + --set-string ports.web.redirectTo=websecure \ + --set-string ingressClass.enabled=true \ + --set-string ingressClass.isDefaultClass=true \ + --set-string service.spec.loadBalancerIP=$LOAD_BALANCER_IP +``` + +### Cert Manager + +Epinio needs [cert-manager](https://cert-manager.io/) in order to create TLS +certificates for the various Ingresses (see "Ingress controller" above). + +If cert-manager is not already installed on the cluster, it can be installed like this: + +``` +$ kubectl create namespace cert-manager +$ helm repo add jetstack https://charts.jetstack.io +$ helm repo update +$ helm install cert-manager --namespace cert-manager jetstack/cert-manager \ + --set installCRDs=true \ + --set extraArgs[0]=--enable-certificate-owner-ref=true +``` + +### Kubed + +Kubed is installed as a subchart when `.Values.kubed.enabled` is true (default). +If you already have kubed running, you can skip the installation by setting +the helm value "kubed.enabled" to "false". + +### S3 storage + +Epinio is using an S3 compatible storage to store the application source code. + +This chart will install [Minio](https://min.io/) when `.Values.minio.enabled` is +true (default). + +This chart will install [s3gw](https://s3gw.io/) when `.Values.s3gw.enabled` is +true. + +Any S3 compatible solution can be used instead by setting the aforementioned values +to `false` and using [the values under `s3`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L44) +to point to the desired S3 server. + +### Container Registry + +When Epinio builds a container image for an application from source, it needs +to store that image to a container registry. Epinio installs a container registry +on the cluster when `.Values.containerregistry.enabled` is `true` (default). + +Any container registry that supports basic auth authentication can be used (e.g. gcr, dockerhub etc) +instead by setting this value to `false` and using +[the values under `registry`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L104-L107) +to point to the desired container registry. + +## Install Epinio + +If the above dependencies are available or going to be installed by this chart, +Epinio can be installed with the following: + +``` +$ helm repo add epinio https://epinio.github.io/helm-charts/ +$ helm install epinio -n epinio --create-namespace epinio/epinio --values epinio-values.yaml --set global.domain=myepiniodomain.org +``` + +The only value that is mandatory is the `.Values.global.domain` which +should be a wildcard domain, pointing to the IP address of your running +Ingress controller. diff --git a/charts/epinio/102.0.4+up1.9.0/app-readme.md b/charts/epinio/102.0.4+up1.9.0/app-readme.md new file mode 100644 index 0000000000..1c8d7bd6d3 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/app-readme.md @@ -0,0 +1,37 @@ +# Epinio PaaS + +Opinionated platform that runs on Kubernetes to take you from Code to URL in one step. + +__Attention__: + + - Requires `cert-manager` as dependency. + - Requires `helm-controller` as dependency. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) +have been removed from the Kubernetes API. + +As a result, __before upgrading to Kubernetes v1.25__ (or on a fresh install in a Kubernetes v1.25+ +cluster), users are expected to perform an in-place upgrade of this chart with +`global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +​> __Note:__ +> In this chart release, any previous field that was associated with any PSP resources have been +> removed in favor of a single global field: `global.cattle.psp.enabled`. + +> __Note:__ +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even +> if you manually clean up resources), __it will leave the Helm release in a broken state within the +> cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, +> etc.).__ +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your +> Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed +on its behalf from the cluster. This is the default setting for this chart. ​ + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) +should be used. Please consult the Rancher docs for more details on how to configure your chart +release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/epinio/102.0.4+up1.9.0/assets/epinio-application-0.1.26.tgz b/charts/epinio/102.0.4+up1.9.0/assets/epinio-application-0.1.26.tgz new file mode 100644 index 0000000000..586d2db889 Binary files /dev/null and b/charts/epinio/102.0.4+up1.9.0/assets/epinio-application-0.1.26.tgz differ diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/.helmignore b/charts/epinio/102.0.4+up1.9.0/charts/dex/.helmignore new file mode 100644 index 0000000000..00ca644b23 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +README.md.gotmpl diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/Chart.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/Chart.yaml new file mode 100644 index 0000000000..8015d9a1dc --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + artifacthub.io/changes: | + - kind: added + description: "Use updated HorizontalPodAutoscaler API Version which is no longer served in K8s >=1.25" + artifacthub.io/images: | + - name: dex + image: ghcr.io/dexidp/dex:v2.36.0 +apiVersion: v2 +appVersion: 2.36.0 +description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable + connectors. +home: https://dexidp.io/ +icon: https://dexidp.io/favicon.png +keywords: +- oidc +- oauth +- identity-provider +- saml +kubeVersion: '>=1.14.0-0' +maintainers: +- email: mark.sagikazar@gmail.com + name: sagikazarmark + url: https://sagikazarmark.hu +name: dex +sources: +- https://github.com/dexidp/dex +- https://github.com/dexidp/helm-charts/tree/master/charts/dex +type: application +version: 0.14.3 diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/LICENSE b/charts/epinio/102.0.4+up1.9.0/charts/dex/LICENSE new file mode 100644 index 0000000000..d645695673 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/README.md b/charts/epinio/102.0.4+up1.9.0/charts/dex/README.md new file mode 100644 index 0000000000..e3539a9d50 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/README.md @@ -0,0 +1,187 @@ +# dex + +![version: 0.14.3](https://img.shields.io/badge/version-0.14.3-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.36.0](https://img.shields.io/badge/app%20version-2.36.0-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex) + +OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. + +**Homepage:** + +## TL;DR; + +```bash +helm repo add dex https://charts.dexidp.io +helm install --generate-name --wait dex/dex +``` + +## Getting started + +### Minimal configuration + +Dex requires a minimal configuration in order to work. +You can pass configuration to Dex using Helm values: + +```yaml +config: + # Set it to a valid URL + issuer: http://my-issuer-url.com + + # See https://dexidp.io/docs/storage/ for more options + storage: + type: memory + + # Enable at least one connector + # See https://dexidp.io/docs/connectors/ for more options + enablePasswordDB: true +``` + +The above configuration won't make Dex automatically available on the configured URL. +One (and probably the easiest) way to achieve that is configuring ingress: + +```yaml +ingress: + enabled: true + + hosts: + - host: my-issuer-url.com + paths: + - path: / +``` + +### Minimal TLS configuration + +HTTPS is basically mandatory these days, especially for authentication and authorization services. +There are several solutions for protecting services with TlS in Kubernetes, +but by far the most popular and portable is undoubtedly [Cert Manager](https://cert-manager.io). + +Cert Manager can be [installed](https://cert-manager.io/docs/installation/kubernetes) with a few steps: + +```shell +helm repo add jetstack https://charts.jetstack.io +helm repo update +kubectl create namespace cert-manager +helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --set installCRDs=true +``` + +The next step is setting up an [issuer](https://cert-manager.io/docs/concepts/issuer/) (eg. [Let's Encrypt](https://letsencrypt.org/)): + +```shell +cat <=1.23-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: autoscaling/v2 +{{- else -}} +apiVersion: autoscaling/v2beta1 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "dex.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/ingress.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/ingress.yaml new file mode 100644 index 0000000000..0b881d0459 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/ingress.yaml @@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "dex.fullname" . -}} +{{- $svcPort := .Values.service.ports.http.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ tpl . $ | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ tpl .host $ | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/networkpolicy.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/networkpolicy.yaml new file mode 100644 index 0000000000..acd51b9d89 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/networkpolicy.yaml @@ -0,0 +1,35 @@ +{{- if .Values.networkPolicy.enabled }} +{{- if semverCompare "<1.7-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: extensions/v1beta1 +{{- else -}} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: NetworkPolicy +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +spec: + policyTypes: + {{- if .Values.networkPolicy.egressRules }} + - Egress + {{- end }} + - Ingress + podSelector: + matchLabels: + {{- include "dex.selectorLabels" . | nindent 6 }} + ingress: + - ports: + - port: http + {{- if .Values.https.enabled }} + - port: https + {{- end }} + {{- if .Values.grpc.enabled }} + - port: grpc + {{- end }} + - port: telemetry + {{- with .Values.networkPolicy.egressRules }} + egress: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/poddisruptionbudget.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..6ec1032ad7 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if .Values.podDisruptionBudget.enabled }} +{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: policy/v1 +{{- else -}} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "dex.fullname" . }} + labels: +{{ include "dex.labels" . | indent 4 }} +spec: + {{- with .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "dex.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/psp.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/psp.yaml new file mode 100644 index 0000000000..7b30c45e0a --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/psp.yaml @@ -0,0 +1,86 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}} +{{- if .Values.serviceAccount.create }} +{{- if .Values.global.rbac.pspEnabled }} + +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }} + app: {{ .Values.serviceAccount.name | quote }} +{{- if .Values.global.rbac.pspAnnotations }} + annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }} +{{- end }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }} + app: {{ .Values.serviceAccount.name | quote }} +rules: +{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }} + app: {{ .Values.serviceAccount.name | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.name | quote }} + namespace: {{ .Release.Namespace }} + +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/rbac.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/rbac.yaml new file mode 100644 index 0000000000..333f2f1000 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/rbac.yaml @@ -0,0 +1,55 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +rules: + - apiGroups: ["dex.coreos.com"] + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: {{ include "dex.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ include "dex.serviceAccountName" . }} +{{- if .Values.rbac.createClusterScoped }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "dex.fullname" . }}-cluster + labels: + {{- include "dex.labels" . | nindent 4 }} +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "dex.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ include "dex.serviceAccountName" . }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/secret.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/secret.yaml new file mode 100644 index 0000000000..27d39546ed --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- if .Values.configSecret.create -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "dex.configSecretName" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +type: Opaque +data: + config.yaml: {{ .Values.config | toYaml | b64enc | quote }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/service.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/service.yaml new file mode 100644 index 0000000000..8114e8d59e --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/service.yaml @@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- with .Values.service.clusterIP }} + clusterIP: {{ . }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.ports.http.port }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.http.nodePort }} + nodePort: {{ .Values.service.ports.http.nodePort }} + {{- end }} + targetPort: http + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: http + {{- end }} + {{- if .Values.https.enabled }} + - name: https + port: {{ .Values.service.ports.https.port }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.https.nodePort }} + nodePort: {{ .Values.service.ports.https.nodePort }} + {{- end }} + targetPort: https + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: https + {{- end }} + {{- end }} + {{- if .Values.grpc.enabled }} + - name: grpc + port: {{ .Values.service.ports.grpc.port }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.grpc.nodePort }} + nodePort: {{ .Values.service.ports.grpc.nodePort }} + {{- end }} + targetPort: grpc + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: http + {{- end }} + {{- end }} + - name: telemetry + port: 5558 + targetPort: telemetry + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: http + {{- end }} + selector: + {{- include "dex.selectorLabels" . | nindent 4 }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/serviceaccount.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/serviceaccount.yaml new file mode 100644 index 0000000000..30c3ddd90e --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "dex.serviceAccountName" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/servicemonitor.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/servicemonitor.yaml new file mode 100644 index 0000000000..ce96e5be1d --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/servicemonitor.yaml @@ -0,0 +1,54 @@ +{{- if .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + {{- with .Values.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "dex.fullname" . }} + {{- with .Values.serviceMonitor.namespace }} + namespace: {{ . }} + {{- end }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: telemetry + {{- with .Values.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.bearerTokenFile }} + bearerTokenFile: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .| nindent 6 }} + {{- end }} + {{- with .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + path: {{ .Values.serviceMonitor.path }} + honorLabels: {{ .Values.serviceMonitor.honorLabels }} + {{- with .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- tpl (toYaml . | nindent 6) $ }} + {{- end }} + {{- with .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + jobLabel: {{ include "dex.fullname" . }} + selector: + matchLabels: + {{- include "dex.selectorLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/tests/no-config-secret.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/tests/no-config-secret.yaml new file mode 100644 index 0000000000..4b7804f540 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/templates/tests/no-config-secret.yaml @@ -0,0 +1,13 @@ +{{- if not .Values.configSecret.create -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "dex.configSecretName" . }}-test-no-create + labels: + {{- include "dex.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +type: Opaque +data: + config.yaml: {{ .Values.config | toYaml | b64enc | quote }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/dex/values.yaml b/charts/epinio/102.0.4+up1.9.0/charts/dex/values.yaml new file mode 100644 index 0000000000..a00c9bad6f --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/dex/values.yaml @@ -0,0 +1,324 @@ +# Default values for dex. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of replicas (pods) to launch. +replicaCount: 1 + +# -- Labels to apply to all resources and selectors. +commonLabels: {} +# team_name: dev + +image: + # -- Name of the image repository to pull the container image from. + repository: rancher/mirrored-dexidp-dex + tag: v2.36.0 + + # -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. + pullPolicy: IfNotPresent + +# -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). +imagePullSecrets: [] + +# -- A name in place of the chart name for `app:` labels. +nameOverride: "" + +# -- A name to substitute for the full names of resources. +fullnameOverride: "" + +# -- A list of hosts and IPs that will be injected into the pod's hosts file if specified. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) +hostAliases: [] + +https: + # -- Enable the HTTPS endpoint. + enabled: false + +grpc: + # -- Enable the gRPC endpoint. + # Read more in the [documentation](https://dexidp.io/docs/api/). + enabled: false + +configSecret: + # -- Enable creating a secret from the values passed to `config`. + # If set to false, name must point to an existing secret. + create: true + + # -- The name of the secret to mount as configuration in the pod. + # If not set and create is true, a name is generated using the fullname template. + # Must point to secret that contains at least a `config.yaml` key. + name: "" + +# -- Application configuration. +# See the [official documentation](https://dexidp.io/docs/). +config: {} + +# -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. +volumes: [] + +# -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. +volumeMounts: [] + +# -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. +envFrom: [] + +# -- Additional environment variables passed directly to containers. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. +env: {} + +# -- Similar to env but with support for all possible configurations. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. +envVars: [] +# - name: SOME_ENV_VAR +# value: value +# - name: SOME_ENV_VAR2 +# valueFrom: +# secretKeyRef: +# name: secret-name +# key: secret-key +# - name: SOME_ENV_VAR3 +# valueFrom: +# configMapKeyRef: +# name: config-map-name +# key: config-map-key + +serviceAccount: + # -- Enable service account creation. + create: true + + # -- Annotations to be added to the service account. + annotations: {} + + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "dex-sa" + +rbac: + # -- Specifies whether RBAC resources should be created. + # If disabled, the operator is responsible for creating the necessary resources based on the templates. + create: true + + # -- Specifies which RBAC resources should be created. + # If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's) + createClusterScoped: true + +# -- Annotations to be added to deployment. +deploymentAnnotations: {} + +# -- Labels to be added to deployment. +deploymentLabels: {} + +# -- Annotations to be added to pods. +podAnnotations: {} + +# -- Labels to be added to pods. +podLabels: {} + +podDisruptionBudget: + # -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). + # It is **highly recommended** for webhooks as disruptions can prevent launching new pods. + enabled: false + + # -- (int/percentage) Number or percentage of pods that must remain available. + minAvailable: + + # -- (int/percentage) Number or percentage of pods that can be unavailable. + maxUnavailable: + +# -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority). +priorityClassName: "" + +# -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. +podSecurityContext: {} + # fsGroup: 2000 + +# -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details. +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + # -- Annotations to be added to the service. + annotations: {} + + # -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). + type: ClusterIP + + # -- Internal cluster service IP (when applicable) + clusterIP: "" + + ports: + http: + # -- HTTP service port + port: 5556 + + # -- (int) HTTP node port (when applicable) + nodePort: + + https: + # -- HTTPS service port + port: 5554 + + # -- (int) HTTPS node port (when applicable) + nodePort: + + grpc: + # -- gRPC service port + port: 5557 + + # -- (int) gRPC node port (when applicable) + nodePort: + +ingress: + # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). + enabled: false + + # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). + className: "" + + # -- Annotations to be added to the ingress. + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # -- Ingress host configuration. + # @default -- See [values.yaml](values.yaml). + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + + # -- Ingress TLS configuration. + # @default -- See [values.yaml](values.yaml). + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +serviceMonitor: + # -- Enable Prometheus ServiceMonitor. + # See the [documentation](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/design.md#servicemonitor) and the [API reference](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) for details. + enabled: false + + # -- Namespace where the ServiceMonitor resource should be deployed. + # @default -- Release namespace. + namespace: "" + + # -- (duration) Prometheus scrape interval. + interval: + + # -- (duration) Prometheus scrape timeout. + scrapeTimeout: + + # -- Labels to be added to the ServiceMonitor. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + labels: {} + + # -- Annotations to be added to the ServiceMonitor. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + annotations: {} + + # -- HTTP scheme to use for scraping. + # Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + # -- TLS configuration to use when scraping the endpoint. + # For example if using istio mTLS. + ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + tlsConfig: {} + + # -- Prometheus scrape bearerTokenFile + bearerTokenFile: + + # -- Prometheus scrape metric relabel configs + # to apply to samples before ingestion. + ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # -- Relabel configs to apply + # to samples before ingestion. + ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +# -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details. +# @default -- No requests or limits. +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- Autoscaling configuration (see [values.yaml](values.yaml) for details). +# @default -- Disabled by default. +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration. +nodeSelector: {} + +# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. +tolerations: [] + +# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. +affinity: {} + +# -- [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. +topologySpreadConstraints: [] + +# -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration. +strategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + +networkPolicy: + # -- Create [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) + enabled: false + # -- A list of network policy egress rules + egressRules: [] + # Allow DNS egress traffic + # - ports: + # - port: 53 + # protocol: UDP + # - port: 53 + # protocol: TCP + # Example to allow LDAP connector to reach LDAPs port on 1.2.3.4 server + # - to: + # - ipBlock + # cidr: 1.2.3.4/32 + # ports: + # - port: 636 + # protocol: TCP diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/.helmignore b/charts/epinio/102.0.4+up1.9.0/charts/kubed/.helmignore new file mode 100644 index 0000000000..be86b789d7 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Helm files +OWNERS diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/Chart.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/Chart.yaml new file mode 100644 index 0000000000..b01e55e5e0 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +appVersion: v0.13.2 +description: Config Syncer by AppsCode - Kubernetes daemon +home: https://github.com/kubeops/config-syncer +icon: https://cdn.appscode.com/images/products/kubed/icons/android-icon-192x192.png +maintainers: +- email: support@appscode.com + name: appscode +name: kubed +sources: +- https://github.com/kubeops/config-syncer +version: v0.13.2 diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/README.md b/charts/epinio/102.0.4+up1.9.0/charts/kubed/README.md new file mode 100644 index 0000000000..d747c51769 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/README.md @@ -0,0 +1,94 @@ +# Config Syncer + +[Config Syncer by AppsCode](https://github.com/kubeops/config-syncer) - A Kubernetes cluster manager daemon + +## TL;DR; + +```console +$ helm repo add appscode https://charts.appscode.com/stable/ +$ helm repo update +$ helm install kubed appscode/kubed -n kube-system +``` + +## Introduction + +This chart deploys a Config Syncer operator on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.11+ + +## Installing the Chart + +To install the chart with the release name `kubed`: + +```console +$ helm install kubed appscode/kubed -n kube-system +``` + +The command deploys a Config Syncer operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `kubed`: + +```console +$ helm delete kubed -n kube-system +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the `kubed` chart and their default values. + +| Parameter | Description | Default | +|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------| +| nameOverride | Overrides name template | "" | +| fullnameOverride | Overrides fullname template | "" | +| replicaCount | Number of Config Syncer operator replicas to create (only 1 is supported) | 1 | +| operator.registry | Docker registry used to pull Config Syncer operator image | appscode | +| operator.repository | Config Syncer operator container image | kubed | +| operator.tag | Config Syncer operator container image tag | v0.13.2 | +| operator.resources | Compute Resources required by the operator container | {} | +| operator.securityContext | Security options the operator container should run with | {} | +| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/kubed \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | [] | +| imagePullPolicy | Container image pull policy | IfNotPresent | +| criticalAddon | If true, installs Config Syncer operator as critical addon | false | +| logLevel | Log level for operator | 3 | +| annotations | Annotations applied to operator deployment | {} | +| podAnnotations | Annotations passed to operator pod(s). | {} | +| nodeSelector | Node labels for pod assignment | {} | +| tolerations | Tolerations for pod assignment | [] | +| affinity | Affinity rules for pod assignment | {} | +| podSecurityContext | Security options the operator pod should run with. | {"fsGroup":65535} | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| apiserver.securePort | Port used by Config Syncer server | "8443" | +| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true | +| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the operator pod. | false | +| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true | +| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of Config Syncer server. | "" | +| apiserver.servingCerts.serverCrt | Serving certficate used by Config Syncer server. | "" | +| apiserver.servingCerts.serverKey | Private key for the serving certificate used by Config Syncer server. | "" | +| enableAnalytics | If true, sends usage analytics | true | +| config.clusterName | Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc. so that you can distinguish notifications sent by kubed | unicorn | +| config.configSourceNamespace | If set, configmaps and secrets from only this namespace will be synced | "" | +| config.kubeconfigContent | kubeconfig file content for configmap and secret syncer | "" | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: + +```console +$ helm install kubed appscode/kubed -n kube-system --set replicaCount=1 +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while +installing the chart. For example: + +```console +$ helm install kubed appscode/kubed -n kube-system --values values.yaml +``` diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/doc.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/doc.yaml new file mode 100644 index 0000000000..e3b2d7fae6 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/doc.yaml @@ -0,0 +1,18 @@ +project: + name: Config Syncer by AppsCode + shortName: Config Syncer + url: https://github.com/kubeops/config-syncer + description: A Kubernetes cluster manager daemon + app: a Config Syncer operator +repository: + url: https://charts.appscode.com/stable/ + name: appscode +chart: + name: kubed + values: "-- generate from values file --" + valuesExample: "-- generate from values file --" +prerequisites: +- Kubernetes 1.11+ +release: + name: kubed + namespace: kube-system diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/NOTES.txt b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/NOTES.txt new file mode 100644 index 0000000000..aa9281fa09 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/NOTES.txt @@ -0,0 +1,3 @@ +To verify that Config Syncer has started, run: + + kubectl get deployment --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kubed.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/_helpers.tpl b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/_helpers.tpl new file mode 100644 index 0000000000..cbdcb8c0df --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/_helpers.tpl @@ -0,0 +1,93 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kubed.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubed.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubed.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kubed.labels" -}} +helm.sh/chart: {{ include "kubed.chart" . }} +{{ include "kubed.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kubed.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kubed.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kubed.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "kubed.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Windows cluster will add default taint for linux nodes, add below linux tolerations to +workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +URL prefix for container images to be compatible with Rancher +*/}} +{{- define "registry-url" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/ +{{- else -}} +{{ .Values.operator.registry }}/ +{{- end -}} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/apiregistration.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/apiregistration.yaml new file mode 100644 index 0000000000..fcbf02a361 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/apiregistration.yaml @@ -0,0 +1,58 @@ +{{- $serverCrt := "" }} +{{- $serverKey := "" }} +{{- if .Values.apiserver.servingCerts.generate }} +{{- $ca := genCA "ca" 3650 }} +{{- $cn := include "kubed.fullname" . -}} +{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }} +{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }} +{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} +{{- $serverCrt = b64enc $server.Cert }} +{{- $serverKey = b64enc $server.Key }} +{{- else }} +{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }} +{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }} +{{- end }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kubed.fullname" . }}-apiserver-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubed.labels" . | nindent 4 }} +type: Opaque +data: + tls.crt: {{ $serverCrt }} + tls.key: {{ $serverKey }} +--- +# to read the config for terminating authentication +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kubed.fullname" . }}-apiserver-extension-server-authentication-reader + namespace: kube-system + labels: + {{- include "kubed.labels" . | nindent 4 }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: {{ template "kubed.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +# to delegate authentication and authorization +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kubed.fullname" . }}-apiserver-auth-delegator + labels: + {{- include "kubed.labels" . | nindent 4 }} +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: {{ template "kubed.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/cluster-role-binding.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/cluster-role-binding.yaml new file mode 100644 index 0000000000..8ea05646a5 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/cluster-role-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kubed.fullname" . }} + labels: + {{- include "kubed.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kubed.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubed.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/cluster-role.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/cluster-role.yaml new file mode 100644 index 0000000000..95e0147902 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/cluster-role.yaml @@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kubed.fullname" . }} + labels: + {{- include "kubed.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - secrets + verbs: ["get", "create", "patch", "delete", "list", "watch"] +- apiGroups: [""] + resources: + - namespaces + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: + - nodes + verbs: ["list"] +- apiGroups: [""] + resources: + - events + verbs: ["create"] diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/deployment.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/deployment.yaml new file mode 100644 index 0000000000..77efce771c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/deployment.yaml @@ -0,0 +1,119 @@ +{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }} +{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }} +{{- $criticalAddon := and .Values.criticalAddon (or (eq .Release.Namespace "kube-system") (and (ge $major 1) (ge $minor 17))) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubed.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubed.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "kubed.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kubed.selectorLabels" . | nindent 8 }} + annotations: + checksum/apiregistration.yaml: {{ include (print $.Template.BasePath "/apiregistration.yaml") . | sha256sum }} + {{- if $criticalAddon }} + scheduler.alpha.kubernetes.io/critical-pod: '' + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "kubed.serviceAccountName" . }} + containers: + - name: kubed + securityContext: + {{- toYaml .Values.operator.securityContext | nindent 10 }} + image: {{ template "registry-url" . }}{{ .Values.operator.repository }}:{{ .Values.operator.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - run + - --v={{ .Values.logLevel }} + - --secure-port={{ default "8443" .Values.apiserver.securePort }} + - --audit-log-path=- + - --tls-cert-file=/var/serving-cert/tls.crt + - --tls-private-key-file=/var/serving-cert/tls.key + - --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }} + - --enable-analytics={{ .Values.enableAnalytics }} + {{- with .Values.config.clusterName }} + - --cluster-name={{ . }} + {{- end }} + {{- with .Values.config.configSourceNamespace }} + - --config-source-namespace={{ . }} + {{- end }} + {{- if .Values.config.kubeconfigContent }} + - --kubeconfig-file=/srv/kubed/kubeconfig + {{- end }} + {{- range .Values.config.additionalOptions }} + - {{ . }} + {{- end }} + ports: + - containerPort: {{ default "8443" .Values.apiserver.securePort }} + {{- if .Values.apiserver.healthcheck.enabled }} + readinessProbe: + httpGet: + path: /healthz + port: {{ default "8443" .Values.apiserver.securePort }} + scheme: HTTPS + initialDelaySeconds: 5 + livenessProbe: + httpGet: + path: /healthz + port: {{ default "8443" .Values.apiserver.securePort }} + scheme: HTTPS + initialDelaySeconds: 5 + {{- end }} + resources: + {{- toYaml .Values.operator.resources | nindent 10 }} + volumeMounts: + - name: config + mountPath: /srv/kubed + - name: scratch + mountPath: /tmp + - mountPath: /var/serving-cert + name: serving-cert + volumes: + - name: config + secret: + secretName: {{ template "kubed.fullname" . }} + - name: scratch + emptyDir: {} + - name: serving-cert + secret: + defaultMode: 420 + secretName: {{ template "kubed.fullname" . }}-apiserver-cert + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 }} + {{- with .Values.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if $criticalAddon }} + - key: CriticalAddonsOnly + operator: Exists + {{- end -}} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + {{- if $criticalAddon }} + priorityClassName: system-cluster-critical + {{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/psp.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/psp.yaml new file mode 100644 index 0000000000..a9d936fd50 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/psp.yaml @@ -0,0 +1,86 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}} +{{- if .Values.serviceAccount.create }} +{{- if .Values.global.rbac.pspEnabled }} + +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "kubed.serviceAccountName" . }}-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }} + app: {{ include "kubed.serviceAccountName" . }} +{{- if .Values.global.rbac.pspAnnotations }} + annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }} +{{- end }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "kubed.serviceAccountName" . }}-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }} + app: {{ include "kubed.serviceAccountName" . }} +rules: +{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ include "kubed.serviceAccountName" . }}-psp + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "kubed.serviceAccountName" . }}-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }} + app: {{ include "kubed.serviceAccountName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubed.serviceAccountName" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ include "kubed.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/secret.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/secret.yaml new file mode 100644 index 0000000000..a980ae34b4 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/secret.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kubed.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubed.labels" . | nindent 4 }} +data: + {{- if .Values.config.kubeconfigContent }} + kubeconfig: {{ .Values.config.kubeconfigContent | trim | b64enc | quote }} + {{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/service.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/service.yaml new file mode 100644 index 0000000000..95b76cf645 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubed.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubed.labels" . | nindent 4 }} +spec: + ports: + # Port used to expose admission webhook apiserver + - name: api + port: 443 + targetPort: {{ default "8443" .Values.apiserver.securePort }} + selector: + {{- include "kubed.selectorLabels" . | nindent 4 }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/serviceaccount.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/serviceaccount.yaml new file mode 100644 index 0000000000..96f9c84c1b --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubed.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubed.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/kubed/values.yaml b/charts/epinio/102.0.4+up1.9.0/charts/kubed/values.yaml new file mode 100644 index 0000000000..0be091855c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/kubed/values.yaml @@ -0,0 +1,101 @@ +# Default values for kubed. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Overrides name template +nameOverride: "" +# Overrides fullname template +fullnameOverride: "" + +# Number of Config Syncer operator replicas to create (only 1 is supported) +replicaCount: 1 + +operator: + # Config Syncer operator container image + repository: rancher/mirrored-appscode-kubed + # Config Syncer operator container image tag + tag: v0.13.2 + # Compute Resources required by the operator container + resources: {} + # Security options the operator container should run with + securityContext: {} + +# Specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. +# +# Example: +# helm template charts/kubed \ +# --set imagePullSecrets[0].name=sec0 \ +# --set imagePullSecrets[1].name=sec1 +imagePullSecrets: [] + +# Container image pull policy +imagePullPolicy: IfNotPresent + +# If true, installs Config Syncer operator as critical addon +criticalAddon: false + +# Log level for operator +logLevel: 3 + +# Annotations applied to operator deployment +annotations: {} + +# Annotations passed to operator pod(s). +podAnnotations: {} + +# Node labels for pod assignment +nodeSelector: {} + +# Tolerations for pod assignment +tolerations: [] + +# Affinity rules for pod assignment +affinity: {} + +# Security options the operator pod should run with. +podSecurityContext: # +doc-gen:break + # ensure that s/a token is readable xref: https://issues.k8s.io/70679 + fsGroup: 65535 + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +apiserver: + # Port used by Config Syncer server + securePort: "8443" + # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) + useKubeapiserverFqdnForAks: true + healthcheck: + # healthcheck configures the readiness and liveliness probes for the operator pod. + enabled: false + servingCerts: + # If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) + # to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. + generate: true + # CA certficate used by serving certificate of Config Syncer server. + caCrt: "" + # Serving certficate used by Config Syncer server. + serverCrt: "" + # Private key for the serving certificate used by Config Syncer server. + serverKey: "" + +# If true, sends usage analytics +enableAnalytics: true + +config: + # Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc. + # so that you can distinguish notifications sent by kubed + clusterName: unicorn + # If set, configmaps and secrets from only this namespace will be synced + configSourceNamespace: "" + # kubeconfig file content for configmap and secret syncer + kubeconfigContent: "" +# additionalOptions: +# - --authentication-skip-lookup diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/.helmignore b/charts/epinio/102.0.4+up1.9.0/charts/minio/.helmignore new file mode 100644 index 0000000000..a9fe727881 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# OWNERS file for Kubernetes +OWNERS \ No newline at end of file diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/Chart.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/Chart.yaml new file mode 100644 index 0000000000..29c7fbc4ef --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +appVersion: RELEASE.2023-07-07T07-13-57Z +description: Multi-Cloud Object Storage +home: https://min.io +icon: https://min.io/resources/img/logo/MINIO_wordmark.png +keywords: +- minio +- storage +- object-storage +- s3 +- cluster +maintainers: +- email: dev@minio.io + name: MinIO, Inc +name: minio +sources: +- https://github.com/minio/minio +version: 5.0.13 diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/README.md b/charts/epinio/102.0.4+up1.9.0/charts/minio/README.md new file mode 100644 index 0000000000..6de4fb16b3 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/README.md @@ -0,0 +1,260 @@ +# MinIO Helm Chart + +[![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io) [![license](https://img.shields.io/badge/license-AGPL%20V3-blue)](https://github.com/minio/minio/blob/master/LICENSE) + +MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. It is API compatible with Amazon S3 cloud storage service. Use MinIO to build high performance infrastructure for machine learning, analytics and application data workloads. + +For more detailed documentation please visit [here](https://min.io/docs/minio/linux/index.html) + +## Introduction + +This chart bootstraps MinIO Cluster on [Kubernetes](http://kubernetes.io) using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Helm cli with Kubernetes cluster configured. +- PV provisioner support in the underlying infrastructure. (We recommend using ) +- Use Kubernetes version v1.19 and later for best experience. + +## Configure MinIO Helm repo + +```bash +helm repo add minio https://charts.min.io/ +``` + +### Installing the Chart + +Install this chart using: + +```bash +helm install --namespace minio --set rootUser=rootuser,rootPassword=rootpass123 --generate-name minio/minio +``` + +The command deploys MinIO on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +### Installing the Chart (toy-setup) + +Minimal toy setup for testing purposes can be deployed using: + +```bash +helm install --set resources.requests.memory=512Mi --set replicas=1 --set persistence.enabled=false --set mode=standalone --set rootUser=rootuser,rootPassword=rootpass123 --generate-name minio/minio +``` + +### Upgrading the Chart + +You can use Helm to update MinIO version in a live release. Assuming your release is named as `my-release`, get the values using the command: + +```bash +helm get values my-release > old_values.yaml +``` + +Then change the field `image.tag` in `old_values.yaml` file with MinIO image tag you want to use. Now update the chart using + +```bash +helm upgrade -f old_values.yaml my-release minio/minio +``` + +Default upgrade strategies are specified in the `values.yaml` file. Update these fields if you'd like to use a different strategy. + +### Configuration + +Refer the [Values file](./values.yaml) for all the possible config fields. + +You can specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +helm install --name my-release --set persistence.size=1Ti minio/minio +``` + +The above command deploys MinIO server with a 1Ti backing persistent volume. + +Alternately, you can provide a YAML file that specifies parameter values while installing the chart. For example, + +```bash +helm install --name my-release -f values.yaml minio/minio +``` + +### Persistence + +This chart provisions a PersistentVolumeClaim and mounts corresponding persistent volume to default location `/export`. You'll need physical storage available in the Kubernetes cluster for this to work. If you'd rather use `emptyDir`, disable PersistentVolumeClaim by: + +```bash +helm install --set persistence.enabled=false minio/minio +``` + +> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."* + +### Existing PersistentVolumeClaim + +If a Persistent Volume Claim already exists, specify it during installation. + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```bash +helm install --set persistence.existingClaim=PVC_NAME minio/minio +``` + +### NetworkPolicy + +To enable network policy for MinIO, +install [a networking plugin that implements the Kubernetes +NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), +and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting +the DefaultDeny namespace annotation. Note: this will enforce policy for *all* pods in the namespace: + +``` +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 9000. + +For more precise policy, set `networkPolicy.allowExternal=true`. This will +only allow pods with the generated client label to connect to MinIO. +This label will be displayed in the output of a successful install. + +### Existing secret + +Instead of having this chart create the secret for you, you can supply a preexisting secret, much +like an existing PersistentVolumeClaim. + +First, create the secret: + +```bash +kubectl create secret generic my-minio-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux +``` + +Then install the chart, specifying that you want to use an existing secret: + +```bash +helm install --set existingSecret=my-minio-secret minio/minio +``` + +The following fields are expected in the secret: + +| .data.\ in Secret | Corresponding variable | Description | Required | +|:------------------------|:-----------------------|:---------------|:---------| +| `rootUser` | `rootUser` | Root user. | yes | +| `rootPassword` | `rootPassword` | Root password. | yes | + +All corresponding variables will be ignored in values file. + +### Configure TLS + +To enable TLS for MinIO containers, acquire TLS certificates from a CA or create self-signed certificates. While creating / acquiring certificates ensure the corresponding domain names are set as per the standard [DNS naming conventions](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-identity) in a Kubernetes StatefulSet (for a distributed MinIO setup). Then create a secret using + +```bash +kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt +``` + +Then install the chart, specifying that you want to use the TLS secret: + +```bash +helm install --set tls.enabled=true,tls.certSecret=tls-ssl-minio minio/minio +``` + +### Installing certificates from third party CAs + +MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include MinIO's own certificate with key `public.crt`, if it also needs to be trusted. + +For instance, given that TLS is enabled and you need to add trust for MinIO's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`: + +``` +kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt +``` + +If TLS is not enabled, you would need only the third party CA: + +``` +kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt +``` + +The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter: + +``` +trustedCertsSecret: "minio-trusted-certs" + +or + +--set trustedCertsSecret=minio-trusted-certs +``` + +### Create buckets after install + +Install the chart, specifying the buckets you want to create after install: + +```bash +helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false minio/minio +``` + +Description of the configuration parameters used above - + +- `buckets[].name` - name of the bucket to create, must be a string with length > 0 +- `buckets[].policy` - can be one of none|download|upload|public +- `buckets[].purge` - purge if bucket exists already + +### Create policies after install + +Install the chart, specifying the policies you want to create after install: + +```bash +helm install --set policies[0].name=mypolicy,policies[0].statements[0].resources[0]='arn:aws:s3:::bucket1',policies[0].statements[0].actions[0]='s3:ListBucket',policies[0].statements[0].actions[1]='s3:GetObject' minio/minio +``` + +Description of the configuration parameters used above - + +- `policies[].name` - name of the policy to create, must be a string with length > 0 +- `policies[].statements[]` - list of statements, includes actions and resources +- `policies[].statements[].resources[]` - list of resources that applies the statement +- `policies[].statements[].actions[]` - list of actions granted + +### Create user after install + +Install the chart, specifying the users you want to create after install: + +```bash +helm install --set users[0].accessKey=accessKey,users[0].secretKey=secretKey,users[0].policy=none,users[1].accessKey=accessKey2,users[1].secretRef=existingSecret,users[1].secretKey=password,users[1].policy=none minio/minio +``` + +Description of the configuration parameters used above - + +- `users[].accessKey` - accessKey of user +- `users[].secretKey` - secretKey of usersecretRef +- `users[].existingSecret` - secret name that contains the secretKey of user +- `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey +- `users[].policy` - name of the policy to assign to user + +### Create service account after install + +Install the chart, specifying the service accounts you want to create after install: + +```bash +helm install --set svcaccts[0].accessKey=accessKey,svcaccts[0].secretKey=secretKey,svcaccts[0].user=parentUser,svcaccts[1].accessKey=accessKey2,svcaccts[1].secretRef=existingSecret,svcaccts[1].secretKey=password,svcaccts[1].user=parentUser2 minio/minio +``` + +Description of the configuration parameters used above - + +- `svcaccts[].accessKey` - accessKey of service account +- `svcaccts[].secretKey` - secretKey of svcacctsecretRef +- `svcaccts[].existingSecret` - secret name that contains the secretKey of service account +- `svcaccts[].existingSecretKey` - data key in existingSecret secret containing the secretKey +- `svcaccts[].user` - name of the parent user to assign to service account + +## Uninstalling the Chart + +Assuming your release is named as `my-release`, delete it using the command: + +```bash +helm delete my-release +``` + +or + +```bash +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/NOTES.txt b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/NOTES.txt new file mode 100644 index 0000000000..7051b1e62c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/NOTES.txt @@ -0,0 +1,43 @@ +{{- if eq .Values.service.type "ClusterIP" "NodePort" }} +MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: +{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +To access MinIO from localhost, run the below commands: + + 1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + + 2. kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }} + +Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/ + +You can now access MinIO server on http://localhost:9000. Follow the below steps to connect to MinIO server with mc client: + + 1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart + + 2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@localhost:{{ .Values.service.port }} + + 3. mc ls {{ template "minio.fullname" . }}-local + +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} +MinIO can be accessed via port {{ .Values.service.port }} on an external IP address. Get the service external IP address by: +kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }} + +Note that the public IP may take a couple of minutes to be available. + +You can now access MinIO server on http://:9000. Follow the below steps to connect to MinIO server with mc client: + + 1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart + + 2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret {{ template "minio.secretName" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@:{{ .Values.service.port }} + + 3. mc ls {{ template "minio.fullname" . }} + +Alternately, you can use your browser or the MinIO SDK to access the server - https://min.io/docs/minio/linux/reference/minio-server/minio-server.html +{{- end }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label +{{ template "minio.fullname" . }}-client=true" +will be able to connect to this minio cluster. +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_bucket.txt b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_bucket.txt new file mode 100644 index 0000000000..ea29f334a3 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_bucket.txt @@ -0,0 +1,123 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkBucketExists ($bucket) +# Check if the bucket exists, by using the exit code of `mc ls` +checkBucketExists() { + BUCKET=$1 + CMD=$(${MC} stat myminio/$BUCKET > /dev/null 2>&1) + return $? +} + +# createBucket ($bucket, $policy, $purge) +# Ensure bucket exists, purging if asked to +createBucket() { + BUCKET=$1 + POLICY=$2 + PURGE=$3 + VERSIONING=$4 + OBJECTLOCKING=$5 + + # Purge the bucket, if set & exists + # Since PURGE is user input, check explicitly for `true` + if [ $PURGE = true ]; then + if checkBucketExists $BUCKET ; then + echo "Purging bucket '$BUCKET'." + set +e ; # don't exit if this fails + ${MC} rm -r --force myminio/$BUCKET + set -e ; # reset `e` as active + else + echo "Bucket '$BUCKET' does not exist, skipping purge." + fi + fi + +# Create the bucket if it does not exist and set objectlocking if enabled (NOTE: versioning will be not changed if OBJECTLOCKING is set because it enables versioning to the Buckets created) +if ! checkBucketExists $BUCKET ; then + if [ ! -z $OBJECTLOCKING ] ; then + if [ $OBJECTLOCKING = true ] ; then + echo "Creating bucket with OBJECTLOCKING '$BUCKET'" + ${MC} mb --with-lock myminio/$BUCKET + elif [ $OBJECTLOCKING = false ] ; then + echo "Creating bucket '$BUCKET'" + ${MC} mb myminio/$BUCKET + fi + elif [ -z $OBJECTLOCKING ] ; then + echo "Creating bucket '$BUCKET'" + ${MC} mb myminio/$BUCKET + else + echo "Bucket '$BUCKET' already exists." + fi + fi + + + # set versioning for bucket if objectlocking is disabled or not set + if [ -z $OBJECTLOCKING ] ; then + if [ ! -z $VERSIONING ] ; then + if [ $VERSIONING = true ] ; then + echo "Enabling versioning for '$BUCKET'" + ${MC} version enable myminio/$BUCKET + elif [ $VERSIONING = false ] ; then + echo "Suspending versioning for '$BUCKET'" + ${MC} version suspend myminio/$BUCKET + fi + fi + else + echo "Bucket '$BUCKET' versioning unchanged." + fi + + + # At this point, the bucket should exist, skip checking for existence + # Set policy on the bucket + echo "Setting policy of bucket '$BUCKET' to '$POLICY'." + ${MC} anonymous set $POLICY myminio/$BUCKET +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.buckets }} +{{ $global := . }} +# Create the buckets +{{- range .Values.buckets }} +createBucket {{ tpl .name $global }} {{ .policy | default "none" | quote }} {{ .purge | default false }} {{ .versioning | default false }} {{ .objectlocking | default false }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_policy.txt b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_policy.txt new file mode 100644 index 0000000000..aa584952f8 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_policy.txt @@ -0,0 +1,75 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkPolicyExists ($policy) +# Check if the policy exists, by using the exit code of `mc admin policy info` +checkPolicyExists() { + POLICY=$1 + CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1) + return $? +} + +# createPolicy($name, $filename) +createPolicy () { + NAME=$1 + FILENAME=$2 + + # Create the name if it does not exist + echo "Checking policy: $NAME (in /config/$FILENAME.json)" + if ! checkPolicyExists $NAME ; then + echo "Creating policy '$NAME'" + else + echo "Policy '$NAME' already exists." + fi + ${MC} admin policy create myminio $NAME /config/$FILENAME.json + +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.policies }} +# Create the policies +{{- range $idx, $policy := .Values.policies }} +createPolicy {{ $policy.name }} policy_{{ $idx }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_svcacct.txt b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_svcacct.txt new file mode 100644 index 0000000000..59f51b1774 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_svcacct.txt @@ -0,0 +1,106 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters. +# Special characters for example : ',",<,>,{,} +MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_svcacct_tmp" + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 2 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkSvcacctExists () +# Check if the svcacct exists, by using the exit code of `mc admin user svcacct info` +checkSvcacctExists() { + CMD=$(${MC} admin user svcacct info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1) + return $? +} + +# createSvcacct ($user) +createSvcacct () { + USER=$1 + FILENAME=$2 + #check accessKey_and_secretKey_tmp file + if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then + echo "credentials file does not exist" + return 1 + fi + if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then + echo "credentials file is invalid" + rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP + return 1 + fi + SVCACCT=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) + # Create the svcacct if it does not exist + if ! checkSvcacctExists ; then + echo "Creating svcacct '$SVCACCT'" + # Check if policy file is define + if [ -z $FILENAME ]; then + ${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER + else + ${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --policy /config/$FILENAME.json myminio $USER + fi + else + echo "Svcacct '$SVCACCT' already exists." + fi + #clean up credentials files. + rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.svcaccts }} +{{ $global := . }} +# Create the svcaccts +{{- range $idx, $svc := .Values.svcaccts }} +echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP +{{- if .existingSecret }} +cat /config/secrets-svc/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP +# Add a new line if it doesn't exist +sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP +{{ else }} +echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP +{{- end }} +{{- if $svc.policy}} +createSvcacct {{ .user }} svc_policy_{{ $idx }} +{{ else }} +createSvcacct {{ .user }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_user.txt b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_user.txt new file mode 100644 index 0000000000..9f2c6a4d8f --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_create_user.txt @@ -0,0 +1,107 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters. +# Special characters for example : ',",<,>,{,} +MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_tmp" + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkUserExists () +# Check if the user exists, by using the exit code of `mc admin user info` +checkUserExists() { + CMD=$(${MC} admin user info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1) + return $? +} + +# createUser ($policy) +createUser() { + POLICY=$1 + #check accessKey_and_secretKey_tmp file + if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then + echo "credentials file does not exist" + return 1 + fi + if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then + echo "credentials file is invalid" + rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP + return 1 + fi + USER=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) + # Create the user if it does not exist + if ! checkUserExists ; then + echo "Creating user '$USER'" + cat $MINIO_ACCESSKEY_SECRETKEY_TMP | ${MC} admin user add myminio + else + echo "User '$USER' already exists." + fi + #clean up credentials files. + rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP + + # set policy for user + if [ ! -z $POLICY -a $POLICY != " " ] ; then + echo "Adding policy '$POLICY' for '$USER'" + set +e ; # policy already attach errors out, allow it. + ${MC} admin policy attach myminio $POLICY --user=$USER + set -e + else + echo "User '$USER' has no policy attached." + fi +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.users }} +{{ $global := . }} +# Create the users +{{- range .Values.users }} +echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP +{{- if .existingSecret }} +cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP +# Add a new line if it doesn't exist +sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP +createUser {{ .policy }} +{{ else }} +echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP +createUser {{ .policy }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_custom_command.txt b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_custom_command.txt new file mode 100644 index 0000000000..b583a7782f --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_custom_command.txt @@ -0,0 +1,58 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# runCommand ($@) +# Run custom mc command +runCommand() { + ${MC} "$@" + return $? +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.customCommands }} +# Run custom commands +{{- range .Values.customCommands }} +runCommand {{ .command }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_policy.tpl b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_policy.tpl new file mode 100644 index 0000000000..f2150530b4 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helper_policy.tpl @@ -0,0 +1,28 @@ +{{- $statements_length := len .statements -}} +{{- $statements_length := sub $statements_length 1 -}} +{ + "Version": "2012-10-17", + "Statement": [ +{{- range $i, $statement := .statements }} + { + "Effect": "Allow", + "Action": [ +"{{ $statement.actions | join "\",\n\"" }}" + ]{{ if $statement.resources }}, + "Resource": [ +"{{ $statement.resources | join "\",\n\"" }}" + ]{{ end }} +{{- if $statement.conditions }} +{{- $condition_len := len $statement.conditions }} +{{- $condition_len := sub $condition_len 1 }} + , + "Condition": { + {{- range $k,$v := $statement.conditions }} + {{- range $operator,$object := $v }} + "{{ $operator }}": { {{ $object }} }{{- if lt $k $condition_len }},{{- end }} + {{- end }}{{- end }} + }{{- end }} + }{{ if lt $i $statements_length }},{{end }} +{{- end }} + ] +} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helpers.tpl b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helpers.tpl new file mode 100644 index 0000000000..3141a8a9b7 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/_helpers.tpl @@ -0,0 +1,246 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "minio.name" -}} + {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "minio.fullname" -}} + {{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- .Release.Name | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "minio.chart" -}} + {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "minio.networkPolicy.apiVersion" -}} + {{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.Version -}} + {{- print "extensions/v1beta1" -}} + {{- else if semverCompare ">=1.7-0, <1.16-0" .Capabilities.KubeVersion.Version -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else if semverCompare "^1.16-0" .Capabilities.KubeVersion.Version -}} + {{- print "networking.k8s.io/v1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "minio.deployment.apiVersion" -}} + {{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.Version -}} + {{- print "apps/v1beta2" -}} + {{- else -}} + {{- print "apps/v1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "minio.statefulset.apiVersion" -}} + {{- if semverCompare "<1.16-0" .Capabilities.KubeVersion.Version -}} + {{- print "apps/v1beta2" -}} + {{- else -}} + {{- print "apps/v1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "minio.ingress.apiVersion" -}} + {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} + {{- print "extensions/v1beta1" -}} + {{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "networking.k8s.io/v1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for console ingress. +*/}} +{{- define "minio.consoleIngress.apiVersion" -}} + {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} + {{- print "extensions/v1beta1" -}} + {{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "networking.k8s.io/v1" -}} + {{- end -}} +{{- end -}} + +{{/* +Determine secret name. +*/}} +{{- define "minio.secretName" -}} + {{- if .Values.existingSecret -}} + {{- .Values.existingSecret }} + {{- else -}} + {{- include "minio.fullname" . -}} + {{- end -}} +{{- end -}} + +{{/* +Determine name for scc role and rolebinding +*/}} +{{- define "minio.sccRoleName" -}} + {{- printf "%s-%s" "scc" (include "minio.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Properly format optional additional arguments to MinIO binary +*/}} +{{- define "minio.extraArgs" -}} +{{- range .Values.extraArgs -}} +{{ " " }}{{ . }} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "minio.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- end -}} + +{{/* +Formats volumeMount for MinIO TLS keys and trusted certs +*/}} +{{- define "minio.tlsKeysVolumeMount" -}} +{{- if .Values.tls.enabled }} +- name: cert-secret-volume + mountPath: {{ .Values.certsPath }} +{{- end }} +{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }} +{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }} +- name: trusted-cert-secret-volume + mountPath: {{ $casPath }} +{{- end }} +{{- end -}} + +{{/* +Formats volume for MinIO TLS keys and trusted certs +*/}} +{{- define "minio.tlsKeysVolume" -}} +{{- if .Values.tls.enabled }} +- name: cert-secret-volume + secret: + secretName: {{ tpl .Values.tls.certSecret $ }} + items: + - key: {{ .Values.tls.publicCrt }} + path: public.crt + - key: {{ .Values.tls.privateKey }} + path: private.key +{{- end }} +{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }} +{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }} +{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }} +- name: trusted-cert-secret-volume + secret: + secretName: {{ $certSecret }} + {{- if ne $publicCrt "" }} + items: + - key: {{ $publicCrt }} + path: public.crt + {{- end }} +{{- end }} +{{- end -}} + +{{/* +Returns the available value for certain key in an existing secret (if it exists), +otherwise it generates a random value. +*/}} +{{- define "minio.getValueFromSecret" }} + {{- $len := (default 16 .Length) | int -}} + {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} + {{- if $obj }} + {{- index $obj .Key | b64dec -}} + {{- else -}} + {{- randAlphaNum $len -}} + {{- end -}} +{{- end }} + +{{- define "minio.root.username" -}} + {{- if .Values.rootUser }} + {{- .Values.rootUser | toString }} + {{- else }} + {{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 20 "Key" "rootUser") }} + {{- end }} +{{- end -}} + +{{- define "minio.root.password" -}} + {{- if .Values.rootPassword }} + {{- .Values.rootPassword | toString }} + {{- else }} + {{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 40 "Key" "rootPassword") }} + {{- end }} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, add below linux tolerations to +workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +URL prefix for container images to be compatible with Rancher +*/}} +{{- define "registry-url" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/ +{{- end -}} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/configmap.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/configmap.yaml new file mode 100644 index 0000000000..47f64cc234 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/configmap.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + initialize: |- + {{- include (print $.Template.BasePath "/_helper_create_bucket.txt") . | nindent 4 }} + add-user: |- + {{- include (print $.Template.BasePath "/_helper_create_user.txt") . | nindent 4 }} + add-policy: |- + {{- include (print $.Template.BasePath "/_helper_create_policy.txt") . | nindent 4 }} + {{- range $idx, $policy := .Values.policies }} + # Policy: {{ $policy.name }} + policy_{{ $idx }}.json: |- + {{- include (print $.Template.BasePath "/_helper_policy.tpl") . | nindent 4 }} + {{ end }} + {{- range $idx, $svc := .Values.svcaccts }} + {{- if $svc.policy }} + # SVC: {{ $svc.accessKey }} + svc_policy_{{ $idx }}.json: |- + {{- include (print $.Template.BasePath "/_helper_policy.tpl") .policy | nindent 4 }} + {{- end }} + {{- end }} + add-svcacct: |- + {{- include (print $.Template.BasePath "/_helper_create_svcacct.txt") . | nindent 4 }} + custom-command: |- + {{- include (print $.Template.BasePath "/_helper_custom_command.txt") . | nindent 4 }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/console-ingress.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/console-ingress.yaml new file mode 100644 index 0000000000..79a2b1b58b --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/console-ingress.yaml @@ -0,0 +1,55 @@ +{{- if .Values.consoleIngress.enabled -}} +{{- $fullName := printf "%s-console" (include "minio.fullname" .) -}} +{{- $servicePort := .Values.consoleService.port -}} +{{- $ingressPath := .Values.consoleIngress.path -}} +apiVersion: {{ template "minio.consoleIngress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.consoleIngress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.consoleIngress.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.consoleIngress.ingressClassName }} + ingressClassName: {{ .Values.consoleIngress.ingressClassName }} + {{- end }} + {{- if .Values.consoleIngress.tls }} + tls: + {{- range .Values.consoleIngress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.consoleIngress.hosts }} + - http: + paths: + - path: {{ $ingressPath }} + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- if . }} + host: {{ tpl . $ | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/console-service.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/console-service.yaml new file mode 100644 index 0000000000..2bbe7e385d --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/console-service.yaml @@ -0,0 +1,43 @@ +{{ $scheme := .Values.tls.enabled | ternary "https" "http" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "minio.fullname" . }}-console + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.consoleService.annotations }} + annotations: {{- toYaml .Values.consoleService.annotations | nindent 4 }} + {{- end }} +spec: + {{- if (or (eq .Values.consoleService.type "ClusterIP" "") (empty .Values.consoleService.type)) }} + type: ClusterIP + {{- if not (empty .Values.consoleService.clusterIP) }} + clusterIP: {{ .Values.consoleService.clusterIP }} + {{- end }} + {{- else if eq .Values.consoleService.type "LoadBalancer" }} + type: {{ .Values.consoleService.type }} + loadBalancerIP: {{ default "" .Values.consoleService.loadBalancerIP }} + {{- else }} + type: {{ .Values.consoleService.type }} + {{- end }} + ports: + - name: {{ $scheme }} + port: {{ .Values.consoleService.port }} + protocol: TCP + {{- if (and (eq .Values.consoleService.type "NodePort") ( .Values.consoleService.nodePort)) }} + nodePort: {{ .Values.consoleService.nodePort }} + {{- else }} + targetPort: {{ .Values.minioConsolePort }} + {{- end }} + {{- if .Values.consoleService.externalIPs }} + externalIPs: + {{- range $i , $ip := .Values.consoleService.externalIPs }} + - {{ $ip }} + {{- end }} + {{- end }} + selector: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/deployment.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/deployment.yaml new file mode 100644 index 0000000000..bbc762b6b3 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/deployment.yaml @@ -0,0 +1,198 @@ +{{- if eq .Values.mode "standalone" }} +{{ $scheme := .Values.tls.enabled | ternary "https" "http" }} +{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} +apiVersion: {{ template "minio.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.additionalLabels }} + {{- toYaml .Values.additionalLabels | nindent 4 }} + {{- end }} + {{- if .Values.additionalAnnotations }} + annotations: {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} +spec: + strategy: + type: {{ .Values.deploymentUpdate.type }} + {{- if eq .Values.deploymentUpdate.type "RollingUpdate" }} + rollingUpdate: + maxSurge: {{ .Values.deploymentUpdate.maxSurge }} + maxUnavailable: {{ .Values.deploymentUpdate.maxUnavailable }} + {{- end }} + replicas: 1 + selector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + template: + metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + {{- if .Values.podLabels }} + {{- toYaml .Values.podLabels | nindent 8 }} + {{- end }} + annotations: + {{- if not .Values.ignoreChartChecksums }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trimSuffix "\n" | nindent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: "{{ .Values.runtimeClassName }}" + {{- end }} + {{- if and .Values.securityContext.enabled .Values.persistence.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- end }} + {{- end }} + {{ if .Values.serviceAccount.create }} + serviceAccountName: {{ .Values.serviceAccount.name }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "/bin/sh" + - "-ce" + - "/usr/bin/docker-entrypoint.sh minio server {{ $bucketRoot }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template "minio.extraArgs" . }}" + volumeMounts: + - name: minio-user + mountPath: "/tmp/credentials" + readOnly: true + - name: export + mountPath: {{ .Values.mountPath }} + {{- if and .Values.persistence.enabled .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" + {{- end }} + {{- if .Values.extraSecret }} + - name: extra-secret + mountPath: "/tmp/minio-config-env" + {{- end }} + {{- include "minio.tlsKeysVolumeMount" . | indent 12 }} + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + ports: + - name: {{ $scheme }} + containerPort: {{ .Values.minioAPIPort }} + - name: {{ $scheme }}-console + containerPort: {{ .Values.minioConsolePort }} + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootUser + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootPassword + {{- if .Values.extraSecret }} + - name: MINIO_CONFIG_ENV_FILE + value: "/tmp/minio-config-env/config.env" + {{- end }} + {{- if .Values.metrics.serviceMonitor.public }} + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: "public" + {{- end }} + {{- if .Values.oidc.enabled }} + - name: MINIO_IDENTITY_OPENID_CONFIG_URL + value: {{ .Values.oidc.configUrl }} + - name: MINIO_IDENTITY_OPENID_CLIENT_ID + value: {{ .Values.oidc.clientId }} + - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET + value: {{ .Values.oidc.clientSecret }} + - name: MINIO_IDENTITY_OPENID_CLAIM_NAME + value: {{ .Values.oidc.claimName }} + - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX + value: {{ .Values.oidc.claimPrefix }} + - name: MINIO_IDENTITY_OPENID_SCOPES + value: {{ .Values.oidc.scopes }} + - name: MINIO_IDENTITY_OPENID_REDIRECT_URI + value: {{ .Values.oidc.redirectUri }} + - name: MINIO_IDENTITY_OPENID_COMMENT + value: {{ .Values.oidc.comment }} + {{- end }} + {{- if .Values.etcd.endpoints }} + - name: MINIO_ETCD_ENDPOINTS + value: {{ join "," .Values.etcd.endpoints | quote }} + {{- if .Values.etcd.clientCert }} + - name: MINIO_ETCD_CLIENT_CERT + value: "/tmp/credentials/etcd_client_cert.pem" + {{- end }} + {{- if .Values.etcd.clientCertKey }} + - name: MINIO_ETCD_CLIENT_CERT_KEY + value: "/tmp/credentials/etcd_client_cert_key.pem" + {{- end }} + {{- if .Values.etcd.pathPrefix }} + - name: MINIO_ETCD_PATH_PREFIX + value: {{ .Values.etcd.pathPrefix }} + {{- end }} + {{- if .Values.etcd.corednsPathPrefix }} + - name: MINIO_ETCD_COREDNS_PATH + value: {{ .Values.etcd.corednsPathPrefix }} + {{- end }} + {{- end }} + {{- range $key, $val := .Values.environment }} + - name: {{ $key }} + value: {{ tpl $val $ | quote }} + {{- end }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.extraContainers }} + {{- if eq (typeOf .) "string" }} + {{- tpl . $ | nindent 8 }} + {{- else }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + {{- include "minio.imagePullSecrets" . | indent 6 }} + {{- with .Values.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: {{- toYaml . | nindent 8 }} + {{- include "linux-node-tolerations" . | nindent 8 }} + {{- with .Values.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: export + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.extraSecret }} + - name: extra-secret + secret: + secretName: {{ .Values.extraSecret }} + {{- end }} + - name: minio-user + secret: + secretName: {{ template "minio.secretName" . }} + {{- include "minio.tlsKeysVolume" . | indent 8 }} + {{- if .Values.extraVolumes }} + {{ toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/ingress.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/ingress.yaml new file mode 100644 index 0000000000..1a564c6bce --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/ingress.yaml @@ -0,0 +1,55 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "minio.fullname" . -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: {{ template "minio.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingress.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - http: + paths: + - path: {{ $ingressPath }} + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- if . }} + host: {{ tpl . $ | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/networkpolicy.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/networkpolicy.yaml new file mode 100644 index 0000000000..7ebc2aa739 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/networkpolicy.yaml @@ -0,0 +1,26 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "minio.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + ingress: + - ports: + - port: {{ .Values.minioAPIPort }} + - port: {{ .Values.minioConsolePort }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "minio.name" . }}-client: "true" + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/poddisruptionbudget.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..a5f90a0808 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/poddisruptionbudget.yaml @@ -0,0 +1,17 @@ +{{- if .Values.podDisruptionBudget.enabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" }} +apiVersion: policy/v1beta1 +{{- else }} +apiVersion: policy/v1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: minio + labels: + app: {{ template "minio.name" . }} +spec: + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + app: {{ template "minio.name" . }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/post-job.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/post-job.yaml new file mode 100644 index 0000000000..8bb37b7f35 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/post-job.yaml @@ -0,0 +1,256 @@ +{{- if or .Values.buckets .Values.users .Values.policies .Values.customCommands .Values.svcaccts }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "minio.fullname" . }}-post-job + labels: + app: {{ template "minio.name" . }}-post-job + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- with .Values.postJob.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + app: {{ template "minio.name" . }}-job + release: {{ .Release.Name }} + {{- if .Values.podLabels }} + {{- toYaml .Values.podLabels | nindent 8 }} + {{- end }} + {{- if .Values.postJob.podAnnotations }} + annotations: {{- toYaml .Values.postJob.podAnnotations | nindent 8 }} + {{- end }} + spec: + restartPolicy: OnFailure + {{- include "minio.imagePullSecrets" . | indent 6 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + {{- with .Values.postJob.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 }} + {{- with .Values.postJob.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.postJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.postJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.postJob.securityContext.runAsGroup }} + fsGroup: {{ .Values.postJob.securityContext.fsGroup }} + {{- end }} + volumes: + - name: etc-path + emptyDir: {} + - name: tmp + emptyDir: {} + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }} + - secret: + name: {{ template "minio.secretName" . }} + {{- range (concat .Values.users (default (list) .Values.svcaccts)) }} + {{- if .existingSecret }} + - secret: + name: {{ tpl .existingSecret $ }} + items: + - key: {{ .existingSecretKey }} + path: secrets/{{ tpl .existingSecret $ }}/{{ tpl .existingSecretKey $ }} + {{- end }} + {{- end }} + {{- range ( default list .Values.svcaccts ) }} + {{- if .existingSecret }} + - secret: + name: {{ tpl .existingSecret $ }} + items: + - key: {{ .existingSecretKey }} + path: secrets-svc/{{ tpl .existingSecret $ }}/{{ tpl .existingSecretKey $ }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + secret: + secretName: {{ .Values.tls.certSecret }} + items: + - key: {{ .Values.tls.publicCrt }} + path: CAs/public.crt + {{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ .Values.serviceAccount.name }} + {{- end }} + {{- if .Values.policies }} + initContainers: + - name: minio-make-policy + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + {{- if .Values.makePolicyJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }} + {{- end }} + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + {{- if .Values.makePolicyJob.exitCommand }} + command: [ "/bin/sh", "-c" ] + args: [ "/bin/sh /config/add-policy; EV=$?; {{ .Values.makePolicyJob.exitCommand }} && exit $EV" ] + {{- else }} + command: [ "/bin/sh", "/config/add-policy" ] + {{- end }} + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: etc-path + mountPath: /etc/minio/mc + - name: tmp + mountPath: /tmp + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{- end }} + resources: {{- toYaml .Values.makePolicyJob.resources | nindent 12 }} + {{- end }} + containers: + {{- if .Values.buckets }} + - name: minio-make-bucket + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + {{- if .Values.makeBucketJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makeBucketJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makeBucketJob.securityContext.runAsGroup }} + {{- end }} + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + {{- if .Values.makeBucketJob.exitCommand }} + command: [ "/bin/sh", "-c" ] + args: [ "/bin/sh /config/initialize; EV=$?; {{ .Values.makeBucketJob.exitCommand }} && exit $EV" ] + {{- else }} + command: [ "/bin/sh", "/config/initialize" ] + {{- end }} + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: etc-path + mountPath: /etc/minio/mc + - name: tmp + mountPath: /tmp + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{- end }} + resources: {{- toYaml .Values.makeBucketJob.resources | nindent 12 }} + {{- end }} + {{- if .Values.users }} + - name: minio-make-user + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + {{- if .Values.makeUserJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makeUserJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makeUserJob.securityContext.runAsGroup }} + {{- end }} + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + {{- if .Values.makeUserJob.exitCommand }} + command: [ "/bin/sh", "-c" ] + args: [ "/bin/sh /config/add-user; EV=$?; {{ .Values.makeUserJob.exitCommand }} && exit $EV" ] + {{- else }} + command: [ "/bin/sh", "/config/add-user" ] + {{- end }} + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: etc-path + mountPath: /etc/minio/mc + - name: tmp + mountPath: /tmp + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{- end }} + resources: {{- toYaml .Values.makeUserJob.resources | nindent 12 }} + {{- end }} + {{- if .Values.customCommands }} + - name: minio-custom-command + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + {{- if .Values.customCommandJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.customCommandJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.customCommandJob.securityContext.runAsGroup }} + {{- end }} + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + {{- if .Values.customCommandJob.exitCommand }} + command: [ "/bin/sh", "-c" ] + args: [ "/bin/sh /config/custom-command; EV=$?; {{ .Values.customCommandJob.exitCommand }} && exit $EV" ] + {{- else }} + command: [ "/bin/sh", "/config/custom-command" ] + {{- end }} + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: etc-path + mountPath: /etc/minio/mc + - name: tmp + mountPath: /tmp + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{- end }} + resources: {{- toYaml .Values.customCommandJob.resources | nindent 12 }} + {{- end }} + {{- if .Values.svcaccts }} + - name: minio-make-svcacct + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + {{- if .Values.makeServiceAccountJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makeServiceAccountJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makeServiceAccountJob.securityContext.runAsGroup }} + {{- end }} + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + {{- if .Values.makeServiceAccountJob.exitCommand }} + command: [ "/bin/sh", "-c" ] + args: ["/bin/sh /config/add-svcacct; EV=$?; {{ .Values.makeServiceAccountJob.exitCommand }} && exit $EV" ] + {{- else }} + command: ["/bin/sh", "/config/add-svcacct"] + {{- end }} + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: etc-path + mountPath: /etc/minio/mc + - name: tmp + mountPath: /tmp + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{- end }} + resources: {{- toYaml .Values.makeServiceAccountJob.resources | nindent 12 }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/psp.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/psp.yaml new file mode 100644 index 0000000000..7b30c45e0a --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/psp.yaml @@ -0,0 +1,86 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}} +{{- if .Values.serviceAccount.create }} +{{- if .Values.global.rbac.pspEnabled }} + +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }} + app: {{ .Values.serviceAccount.name | quote }} +{{- if .Values.global.rbac.pspAnnotations }} + annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }} +{{- end }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }} + app: {{ .Values.serviceAccount.name | quote }} +rules: +{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }} + app: {{ .Values.serviceAccount.name | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.name | quote }} + namespace: {{ .Release.Namespace }} + +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/pvc.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/pvc.yaml new file mode 100644 index 0000000000..60f5267b0c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/pvc.yaml @@ -0,0 +1,32 @@ +{{- if eq .Values.mode "standalone" }} +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.persistence.annotations }} + annotations: {{- toYaml .Values.persistence.annotations | nindent 4 }} + {{- end }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" + {{- end }} + {{- end }} + {{- if .Values.persistence.volumeName }} + volumeName: "{{ .Values.persistence.volumeName }}" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/secrets.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/secrets.yaml new file mode 100644 index 0000000000..476c3da512 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{- if not .Values.existingSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "minio.secretName" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + rootUser: {{ include "minio.root.username" . | b64enc | quote }} + rootPassword: {{ include "minio.root.password" . | b64enc | quote }} + {{- if .Values.etcd.clientCert }} + etcd_client.crt: {{ .Values.etcd.clientCert | toString | b64enc | quote }} + {{- end }} + {{- if .Values.etcd.clientCertKey }} + etcd_client.key: {{ .Values.etcd.clientCertKey | toString | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/securitycontextconstraints.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/securitycontextconstraints.yaml new file mode 100644 index 0000000000..4bac7e3728 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/securitycontextconstraints.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: [] +readOnlyRootFilesystem: false +defaultAddCapabilities: [] +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +fsGroup: + type: MustRunAs + ranges: + - max: {{ .Values.securityContext.fsGroup }} + min: {{ .Values.securityContext.fsGroup }} +runAsUser: + type: MustRunAs + uid: {{ .Values.securityContext.runAsUser }} +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/service.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/service.yaml new file mode 100644 index 0000000000..ba1f3feaa5 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/service.yaml @@ -0,0 +1,44 @@ +{{ $scheme := .Values.tls.enabled | ternary "https" "http" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + monitoring: "true" + {{- if .Values.service.annotations }} + annotations: {{- toYaml .Values.service.annotations | nindent 4 }} + {{- end }} +spec: + {{- if (or (eq .Values.service.type "ClusterIP" "") (empty .Values.service.type)) }} + type: ClusterIP + {{- if not (empty .Values.service.clusterIP) }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- else if eq .Values.service.type "LoadBalancer" }} + type: {{ .Values.service.type }} + loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }} + {{- else }} + type: {{ .Values.service.type }} + {{- end }} + ports: + - name: {{ $scheme }} + port: {{ .Values.service.port }} + protocol: TCP + {{- if (and (eq .Values.service.type "NodePort") ( .Values.service.nodePort)) }} + nodePort: {{ .Values.service.nodePort }} + {{- else }} + targetPort: {{ .Values.minioAPIPort }} + {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: + {{- range $i , $ip := .Values.service.externalIPs }} + - {{ $ip }} + {{- end }} + {{- end }} + selector: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/serviceaccount.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/serviceaccount.yaml new file mode 100644 index 0000000000..07840153d9 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/serviceaccount.yaml @@ -0,0 +1,6 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name | quote }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/servicemonitor.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/servicemonitor.yaml new file mode 100644 index 0000000000..f875a850ed --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/servicemonitor.yaml @@ -0,0 +1,112 @@ +{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.serviceMonitor.includeNode }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "minio.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.annotations }} + annotations: {{- toYaml .Values.metrics.serviceMonitor.annotations | nindent 4 }} + {{- end }} +spec: + endpoints: + {{- if .Values.tls.enabled }} + - port: https + scheme: https + tlsConfig: + ca: + secret: + name: {{ .Values.tls.certSecret }} + key: {{ .Values.tls.publicCrt }} + serverName: {{ template "minio.fullname" . }} + {{- else }} + - port: http + scheme: http + {{- end }} + path: /minio/v2/metrics/node + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelConfigs }} + {{- toYaml .Values.metrics.serviceMonitor.relabelConfigs | nindent 6 }} + {{- end }} + {{- if not .Values.metrics.serviceMonitor.public }} + bearerTokenSecret: + name: {{ template "minio.fullname" . }}-prometheus + key: token + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} + selector: + matchLabels: + app: {{ include "minio.name" . }} + release: {{ .Release.Name }} + monitoring: "true" +{{- end }} +{{- if .Values.metrics.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: Probe +metadata: + name: {{ template "minio.fullname" . }}-cluster + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} +spec: + jobName: {{ template "minio.fullname" . }} + {{- if .Values.tls.enabled }} + tlsConfig: + ca: + secret: + name: {{ .Values.tls.certSecret }} + key: {{ .Values.tls.publicCrt }} + serverName: {{ template "minio.fullname" . }} + {{- end }} + prober: + url: {{ template "minio.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }} + path: /minio/v2/metrics/cluster + {{- if .Values.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelConfigsCluster }} + {{- toYaml .Values.metrics.serviceMonitor.relabelConfigsCluster | nindent 2 }} + {{- end }} + targets: + staticConfig: + static: + - {{ template "minio.fullname" . }}.{{ .Release.Namespace }} + {{- if not .Values.metrics.serviceMonitor.public }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + bearerTokenSecret: + name: {{ template "minio.fullname" . }}-prometheus + key: token + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/statefulset.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/statefulset.yaml new file mode 100644 index 0000000000..33f40095da --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/templates/statefulset.yaml @@ -0,0 +1,248 @@ +{{- if eq .Values.mode "distributed" }} +{{ $poolCount := .Values.pools | int }} +{{ $nodeCount := .Values.replicas | int }} +{{ $replicas := mul $poolCount $nodeCount }} +{{ $drivesPerNode := .Values.drivesPerNode | int }} +{{ $scheme := .Values.tls.enabled | ternary "https" "http" }} +{{ $mountPath := .Values.mountPath }} +{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} +{{ $subPath := .Values.persistence.subPath }} +{{ $penabled := .Values.persistence.enabled }} +{{ $accessMode := .Values.persistence.accessMode }} +{{ $storageClass := .Values.persistence.storageClass }} +{{ $psize := .Values.persistence.size }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "minio.fullname" . }}-svc + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + publishNotReadyAddresses: true + clusterIP: None + ports: + - name: {{ $scheme }} + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.minioAPIPort }} + selector: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} +--- +apiVersion: {{ template "minio.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.additionalLabels }} + {{- toYaml .Values.additionalLabels | nindent 4 }} + {{- end }} + {{- if .Values.additionalAnnotations }} + annotations: {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} +spec: + updateStrategy: + type: {{ .Values.statefulSetUpdate.updateStrategy }} + podManagementPolicy: "Parallel" + serviceName: {{ template "minio.fullname" . }}-svc + replicas: {{ $replicas }} + selector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + template: + metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + {{- if .Values.podLabels }} + {{- toYaml .Values.podLabels | nindent 8 }} + {{- end }} + annotations: + {{- if not .Values.ignoreChartChecksums }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: "{{ .Values.runtimeClassName }}" + {{- end }} + {{- if and .Values.securityContext.enabled .Values.persistence.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- end }} + {{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ .Values.serviceAccount.name }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: [ + "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server {{- range $i := until $poolCount }}{{ $factor := mul $i $nodeCount }}{{ $endIndex := add $factor $nodeCount }}{{ $beginIndex := mul $i $nodeCount }} {{ $scheme }}://{{ template `minio.fullname` $ }}-{{ `{` }}{{ $beginIndex }}...{{ sub $endIndex 1 }}{{ `}`}}.{{ template `minio.fullname` $ }}-svc.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}{{if (gt $drivesPerNode 1)}}{{ $bucketRoot }}-{{ `{` }}0...{{ sub $drivesPerNode 1 }}{{ `}` }}{{ else }}{{ $bucketRoot }}{{end }}{{- end }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template `minio.extraArgs` . }}" + ] + volumeMounts: + {{- if $penabled }} + {{- if (gt $drivesPerNode 1) }} + {{- range $i := until $drivesPerNode }} + - name: export-{{ $i }} + mountPath: {{ $mountPath }}-{{ $i }} + {{- if and $penabled $subPath }} + subPath: {{ $subPath }} + {{- end }} + {{- end }} + {{- else }} + - name: export + mountPath: {{ $mountPath }} + {{- if and $penabled $subPath }} + subPath: {{ $subPath }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.extraSecret }} + - name: extra-secret + mountPath: "/tmp/minio-config-env" + {{- end }} + {{- include "minio.tlsKeysVolumeMount" . | indent 12 }} + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + ports: + - name: {{ $scheme }} + containerPort: {{ .Values.minioAPIPort }} + - name: {{ $scheme }}-console + containerPort: {{ .Values.minioConsolePort }} + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootUser + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootPassword + {{- if .Values.extraSecret }} + - name: MINIO_CONFIG_ENV_FILE + value: "/tmp/minio-config-env/config.env" + {{- end }} + {{- if .Values.metrics.serviceMonitor.public }} + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: "public" + {{- end }} + {{- if .Values.oidc.enabled }} + - name: MINIO_IDENTITY_OPENID_CONFIG_URL + value: {{ .Values.oidc.configUrl }} + - name: MINIO_IDENTITY_OPENID_CLIENT_ID + value: {{ .Values.oidc.clientId }} + - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET + value: {{ .Values.oidc.clientSecret }} + - name: MINIO_IDENTITY_OPENID_CLAIM_NAME + value: {{ .Values.oidc.claimName }} + - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX + value: {{ .Values.oidc.claimPrefix }} + - name: MINIO_IDENTITY_OPENID_SCOPES + value: {{ .Values.oidc.scopes }} + - name: MINIO_IDENTITY_OPENID_REDIRECT_URI + value: {{ .Values.oidc.redirectUri }} + - name: MINIO_IDENTITY_OPENID_COMMENT + value: {{ .Values.oidc.comment }} + {{- end }} + {{- range $key, $val := .Values.environment }} + - name: {{ $key }} + value: {{ tpl $val $ | quote }} + {{- end }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.extraContainers }} + {{- if eq (typeOf .) "string" }} + {{- tpl . $ | nindent 8 }} + {{- else }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + {{- include "minio.imagePullSecrets" . | indent 6 }} + {{- with .Values.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 }} + {{- with .Values.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} + {{- if and (gt $replicas 1) (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "19") }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + volumes: + - name: minio-user + secret: + secretName: {{ template "minio.secretName" . }} + {{- if .Values.extraSecret }} + - name: extra-secret + secret: + secretName: {{ .Values.extraSecret }} + {{- end }} + {{- include "minio.tlsKeysVolume" . | indent 8 }} + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} + {{- if .Values.persistence.enabled }} + volumeClaimTemplates: + {{- if gt $drivesPerNode 1 }} + {{- range $diskId := until $drivesPerNode}} + - metadata: + name: export-{{ $diskId }} + {{- if $.Values.persistence.annotations }} + annotations: {{- toYaml $.Values.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: [ {{ $accessMode | quote }} ] + {{- if $storageClass }} + storageClassName: {{ $storageClass }} + {{- end }} + resources: + requests: + storage: {{ $psize }} + {{- end }} + {{- else }} + - metadata: + name: export + {{- if $.Values.persistence.annotations }} + annotations: {{- toYaml $.Values.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: [ {{ $accessMode | quote }} ] + {{- if $storageClass }} + storageClassName: {{ $storageClass }} + {{- end }} + resources: + requests: + storage: {{ $psize }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/minio/values.yaml b/charts/epinio/102.0.4+up1.9.0/charts/minio/values.yaml new file mode 100644 index 0000000000..fbdc9be546 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/minio/values.yaml @@ -0,0 +1,542 @@ +## Provide a name in place of minio for `app:` labels +## +nameOverride: "" + +## Provide a name to substitute for the full names of resources +## +fullnameOverride: "" + +## set kubernetes cluster domain where minio is running +## +clusterDomain: cluster.local + +## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the +## +image: + repository: rancher/mirrored-minio-minio + tag: RELEASE.2023-07-07T07-13-57Z + pullPolicy: IfNotPresent + +imagePullSecrets: [] +# - name: "image-pull-secret" + +## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio +## client used to create a default bucket). +## +mcImage: + repository: rancher/mirrored-minio-mc + tag: RELEASE.2023-06-28T21-54-17Z + pullPolicy: IfNotPresent + +## minio mode, i.e. standalone or distributed +mode: distributed ## other supported values are "standalone" + +## Additional labels to include with deployment or statefulset +additionalLabels: {} + +## Additional annotations to include with deployment or statefulset +additionalAnnotations: {} + +## Typically the deployment/statefulset includes checksums of secrets/config, +## So that when these change on a subsequent helm install, the deployment/statefulset +## is restarted. This can result in unnecessary restarts under GitOps tooling such as +## flux, so set to "true" to disable this behaviour. +ignoreChartChecksums: false + +## Additional arguments to pass to minio binary +extraArgs: [] + +## Additional volumes to minio container +extraVolumes: [] + +## Additional volumeMounts to minio container +extraVolumeMounts: [] + +## Additional sidecar containers +extraContainers: [] + +## Internal port number for MinIO S3 API container +## Change service.port to change external port number +minioAPIPort: "9000" + +## Internal port number for MinIO Browser Console container +## Change consoleService.port to change external port number +minioConsolePort: "9001" + +## Update strategy for Deployments +deploymentUpdate: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 100% + +## Update strategy for StatefulSets +statefulSetUpdate: + updateStrategy: RollingUpdate + +## Pod priority settings +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" + +## Pod runtime class name +## ref https://kubernetes.io/docs/concepts/containers/runtime-class/ +## +runtimeClassName: "" + +## Set default rootUser, rootPassword +## AccessKey and secretKey is generated when not set +## Distributed MinIO ref: https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html +## +rootUser: "" +rootPassword: "" + +## Use existing Secret that store following variables: +## +## | Chart var | .data. in Secret | +## |:----------------------|:-------------------------| +## | rootUser | rootUser | +## | rootPassword | rootPassword | +## +## All mentioned variables will be ignored in values file. +## .data.rootUser and .data.rootPassword are mandatory, +## others depend on enabled status of corresponding sections. +existingSecret: "" + +## Directory on the MinIO pof +certsPath: "/etc/minio/certs/" +configPathmc: "/etc/minio/mc/" + +## Path where PV would be mounted on the MinIO Pod +mountPath: "/export" +## Override the root directory which the minio server should serve from. +## If left empty, it defaults to the value of {{ .Values.mountPath }} +## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }} +## +bucketRoot: "" + +# Number of drives attached to a node +drivesPerNode: 1 +# Number of MinIO containers running +replicas: 16 +# Number of expanded MinIO clusters +pools: 1 + +## TLS Settings for MinIO +tls: + enabled: false + ## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret + certSecret: "" + publicCrt: public.crt + privateKey: private.key + +## Trusted Certificates Settings for MinIO. Ref: https://min.io/docs/minio/linux/operations/network-encryption.html#third-party-certificate-authorities +## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret +## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt. +## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret. +trustedCertsSecret: "" + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + enabled: true + annotations: {} + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## minio data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + ## Storage class of PV to bind. By default it looks for standard storage class. + ## If the PV uses a different storage class, specify that here. + storageClass: "" + volumeName: "" + accessMode: ReadWriteOnce + size: 500Gi + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + ## + subPath: "" + +## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. +## ref: http://kubernetes.io/docs/user-guide/services/ +## +service: + type: ClusterIP + clusterIP: ~ + port: "9000" + nodePort: 32000 + loadBalancerIP: ~ + externalIPs: [] + annotations: {} + +## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## + +ingress: + enabled: false + ingressClassName: ~ + labels: {} + # node-role.kubernetes.io/ingress: platform + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.allow-http: "false" + # kubernetes.io/ingress.global-static-ip-name: "" + # nginx.ingress.kubernetes.io/secure-backends: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0 + path: / + hosts: + - minio-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +consoleService: + type: ClusterIP + clusterIP: ~ + port: "9001" + nodePort: 32001 + loadBalancerIP: ~ + externalIPs: [] + annotations: {} + +consoleIngress: + enabled: false + ingressClassName: ~ + labels: {} + # node-role.kubernetes.io/ingress: platform + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.allow-http: "false" + # kubernetes.io/ingress.global-static-ip-name: "" + # nginx.ingress.kubernetes.io/secure-backends: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0 + path: / + hosts: + - console.minio-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +tolerations: [] +affinity: {} +topologySpreadConstraints: [] + +## Add stateful containers to have security context, if enabled MinIO will run as this +## user and group NOTE: securityContext is only enabled if persistence.enabled=true +securityContext: + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + +# Additational pod annotations +podAnnotations: {} + +# Additional pod labels +podLabels: {} + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 16Gi + +## List of policies to be created after minio install +## +## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics] +## you can define additional policies with custom supported actions and resources +policies: [] +## writeexamplepolicy policy grants creation or deletion of buckets with name +## starting with example. In addition, grants objects write permissions on buckets starting with +## example. +# - name: writeexamplepolicy +# statements: +# - resources: +# - 'arn:aws:s3:::example*/*' +# actions: +# - "s3:AbortMultipartUpload" +# - "s3:GetObject" +# - "s3:DeleteObject" +# - "s3:PutObject" +# - "s3:ListMultipartUploadParts" +# - resources: +# - 'arn:aws:s3:::example*' +# actions: +# - "s3:CreateBucket" +# - "s3:DeleteBucket" +# - "s3:GetBucketLocation" +# - "s3:ListBucket" +# - "s3:ListBucketMultipartUploads" +## readonlyexamplepolicy policy grants access to buckets with name starting with example. +## In addition, grants objects read permissions on buckets starting with example. +# - name: readonlyexamplepolicy +# statements: +# - resources: +# - 'arn:aws:s3:::example*/*' +# actions: +# - "s3:GetObject" +# - resources: +# - 'arn:aws:s3:::example*' +# actions: +# - "s3:GetBucketLocation" +# - "s3:ListBucket" +# - "s3:ListBucketMultipartUploads" +## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only +# - name: conditionsexample +# statements: +# - resources: +# - 'arn:aws:s3:::example/*' +# actions: +# - 's3:*' +# conditions: +# - StringEquals: '"aws:username": "johndoe"' +# - IpAddress: | +# "aws:SourceIp": [ +# "10.0.0.0/8", +# "192.168.0.0/24" +# ] +# +## Additional Annotations for the Kubernetes Job makePolicyJob +makePolicyJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + +## List of users to be created after minio install +## +users: + ## Username, password and policy to be assigned to the user + ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics] + ## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management + ## NOTE: this will fail if LDAP is enabled in your MinIO deployment + ## make sure to disable this if you are using LDAP. + - accessKey: console + secretKey: console123 + policy: consoleAdmin + # Or you can refer to specific secret + #- accessKey: externalSecret + # existingSecret: my-secret + # existingSecretKey: password + # policy: readonly + +## Additional Annotations for the Kubernetes Job makeUserJob +makeUserJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + +## List of service accounts to be created after minio install +## +svcaccts: [] + ## accessKey, secretKey and parent user to be assigned to the service accounts + ## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts + # - accessKey: console-svcacct + # secretKey: console123 + # user: console + ## Or you can refer to specific secret + # - accessKey: externalSecret + # existingSecret: my-secret + # existingSecretKey: password + # user: console + ## You also can pass custom policy + # - accessKey: console-svcacct + # secretKey: console123 + # user: console + # policy: + # statements: + # - resources: + # - 'arn:aws:s3:::example*/*' + # actions: + # - "s3:AbortMultipartUpload" + # - "s3:GetObject" + # - "s3:DeleteObject" + # - "s3:PutObject" + # - "s3:ListMultipartUploadParts" + +makeServiceAccountJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + +## List of buckets to be created after minio install +## +buckets: [] + # # Name of the bucket + # - name: bucket1 + # # Policy to be set on the + # # bucket [none|download|upload|public] + # policy: none + # # Purge if bucket exists already + # purge: false + # # set versioning for + # # bucket [true|false] + # versioning: false + # # set objectlocking for + # # bucket [true|false] NOTE: versioning is enabled by default if you use locking + # objectlocking: false + # - name: bucket2 + # policy: none + # purge: false + # versioning: true + # # set objectlocking for + # # bucket [true|false] NOTE: versioning is enabled by default if you use locking + # objectlocking: false + +## Additional Annotations for the Kubernetes Job makeBucketJob +makeBucketJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + +## List of command to run after minio install +## NOTE: the mc command TARGET is always "myminio" +customCommands: + # - command: "admin policy attach myminio consoleAdmin --group='cn=ops,cn=groups,dc=example,dc=com'" + +## Additional Annotations for the Kubernetes Job customCommandJob +customCommandJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + +## Merge jobs +postJob: + podAnnotations: {} + annotations: {} + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + nodeSelector: {} + tolerations: [] + affinity: {} + +## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s) +## when Chart is deployed +environment: + ## Please refer for comprehensive list https://min.io/docs/minio/linux/reference/minio-server/minio-server.html + ## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io" + ## MINIO_BROWSER: "off" + +## The name of a secret in the same kubernetes namespace which contain secret values +## This can be useful for LDAP password, etc +## The key in the secret must be 'config.env' +## +extraSecret: ~ + +## OpenID Identity Management +## The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. +## See https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html for a tutorial on using these variables. +oidc: + enabled: false + configUrl: "https://identity-provider-url/.well-known/openid-configuration" + clientId: "minio" + clientSecret: "" + claimName: "policy" + scopes: "openid,profile,email" + redirectUri: "https://console-endpoint-url/oauth_callback" + # Can leave empty + claimPrefix: "" + comment: "" + +networkPolicy: + enabled: false + allowExternal: true + +## PodDisruptionBudget settings +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## +podDisruptionBudget: + enabled: false + maxUnavailable: 1 + +## Specify the service account to use for the MinIO pods. If 'create' is set to 'false' +## and 'name' is left unspecified, the account 'default' will be used. +serviceAccount: + create: true + ## The name of the service account to use. If 'create' is 'true', a service account with that name + ## will be created. + name: "minio-sa" + +metrics: + serviceMonitor: + enabled: false + # scrape each node/pod individually for additional metrics + includeNode: false + public: true + additionalLabels: {} + annotations: {} + # for node metrics + relabelConfigs: {} + # for cluster metrics + relabelConfigsCluster: {} + # metricRelabelings: + # - regex: (server|pod) + # action: labeldrop + namespace: ~ + # Scrape interval, for example `interval: 30s` + interval: ~ + # Scrape timeout, for example `scrapeTimeout: 10s` + scrapeTimeout: ~ + +## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md +## Define endpoints to enable this section. +etcd: + endpoints: [] + pathPrefix: "" + corednsPathPrefix: "" + clientCert: "" + clientCertKey: "" diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/Chart.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/Chart.yaml new file mode 100644 index 0000000000..2f7e740459 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + app.aquarist-labs.io/name: s3gw +apiVersion: v2 +appVersion: latest +description: 'Easy-to-use Open Source and Cloud Native S3 service for use on Rancher''s + Kubernetes. ' +home: https://github.com/aquarist-labs/s3gw +icon: https://raw.githubusercontent.com/aquarist-labs/aquarium-website/gh-pages/images/logo-xl.png +keywords: +- storage +- s3 +kubeVersion: '>=1.14' +maintainers: +- email: s3gw@suse.com + name: s3gw maintainers + url: https://github.com/orgs/aquarist-labs/projects/5 +name: s3gw +sources: +- https://github.com/aquarist-labs/s3gw-charts +- https://github.com/aquarist-labs/s3gw +- https://github.com/aquarist-labs/ceph +type: application +version: 0.14.0 diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/README.md b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/README.md new file mode 100644 index 0000000000..33fc51ad3e --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/README.md @@ -0,0 +1,61 @@ +# [s3gw][s3gw-url] + +s3gw is an S3-compatible service focused on deployments in a Kubernetes +environment backed by any PVC, including Longhorn. Since its inception, the +primary focus has been on cloud native deployments. However, the s3gw can be +deployed in a myriad of scenarios, provided some form of storage is attached. + +s3gw is based on Ceph’s RADOSGW (RGW) but runs as a stand–alone service without +the RADOS cluster and relies on a storage backend still under heavy development +by the storage team at SUSE. A web-based UI for management and an object +explorer are also part of s3gw. + +## Quickstart + +To install s3gw using Helm add the chart to your Helm repository and then run +`helm install`: + +```bash +helm add repo s3gw https://aquarist-labs.github.io/s3gw-charts/ +helm \ + --namespace s3gw-system \ + install s3gw \ + s3gw/s3gw \ + --create-namespace \ + -f /path/to/your/custom/values.yaml +``` + +## Rancher + +Installing s3gw via the Rancher App Catalog is made easy, the steps are as +follows: + +- Cluster -> Projects/Namespaces - create the `s3gw` namespace. +- Apps -> Repositories -> Create `s3gw` using the s3gw-charts Git URL + and the `main` branch. +- Apps -> Charts -> Install `Traefik`. +- Apps -> Charts -> Install `s3gw`. Select the `s3gw` namespace previously + created. A `pvc` for `s3gw` will be created automatically during installation. + +## Documentation + +You can access our documentation [here][docs-url]. + +## License + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use licensed files except in compliance with the License. +You may obtain a copy of the License at + + + +or the LICENSE file in this repository. + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +[s3gw-url]: https://s3gw.io +[docs-url]: https://s3gw-docs.readthedocs.io/en/latest/helm-charts/ diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/app-readme.md b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/app-readme.md new file mode 100644 index 0000000000..3ad286f2a1 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/app-readme.md @@ -0,0 +1,16 @@ +# s3gw + +s3gw is an easy-to-use Open Source and Cloud Native S3 service running on +Rancher's Kubernetes. + +* It complements the Rancher portfolio by offering an S3 service for Longhorn + volume backups, Harvester backups, Epinio backups and OPNI models. +* It is deployed on a single pod, ideal for development, Edge, IoT and smaller + on-prem deployments. +* It leverages the feature-rich S3 gateway from Ceph but without the rest of + the Ceph stack. + +For more information, see the [manual][1] and the [chart documentation][2]. + +[1]: https://s3gw-docs.readthedocs.io +[2]: https://github.com/aquarist-labs/s3gw-charts/blob/main/README.md diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/questions.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/questions.yaml new file mode 100644 index 0000000000..5733cbf864 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/questions.yaml @@ -0,0 +1,293 @@ +--- +questions: + # General settings + + - variable: useCertManager + label: Use cert-manager + default: "true" + description: "Use cert-manager to provision TLS certificates" + type: boolean + group: "General" + + - variable: tls.publicDomain.crt + show_if: "useCertManager=false" + description: "S3 TLS certificate (Public Domain)" + label: "S3 TLS certificate (Public Domain)" + type: string + group: "General" + + - variable: tls.publicDomain.key + show_if: "useCertManager=false" + description: "S3 TLS key (Public Domain)" + label: "S3 TLS key (Public Domain)" + type: string + group: "General" + + - variable: tls.privateDomain.crt + show_if: "useCertManager=false" + description: "S3 TLS certificate (Private Domain)" + label: "S3 TLS certificate (Private Domain)" + type: string + group: "General" + + - variable: tls.privateDomain.key + show_if: "useCertManager=false" + description: "S3 TLS key (Private Domain)" + label: "S3 TLS key (Private Domain)" + type: string + group: "General" + + - variable: tls.ui.publicDomain.crt + show_if: "useCertManager=false" + description: "UI TLS certificate" + label: "UI TLS certificate" + type: string + group: "General" + + - variable: tls.ui.publicDomain.key + show_if: "useCertManager=false" + description: "UI TLS key" + label: "UI TLS key" + type: string + group: "General" + + - variable: certManagerNamespace + show_if: "useCertManager=true" + label: cert-manager's namespace + default: "cert-manager" + description: "cert-manager's namespace" + type: string + required: false + + - variable: useCustomTlsIssuer + show_if: "useCertManager=true" + label: Use your own TLS issuer + default: "false" + description: "Use your own TLS issuer" + type: boolean + group: "General" + show_subquestion_if: true + subquestions: + - variable: customTlsIssuer + label: Custom TLS issuer + description: "Name of the custom TLS issuer to use" + type: string + required: false + + - variable: tlsIssuer + show_if: "useCertManager=true&&useCustomTlsIssuer=false" + label: TLS issuer + description: "Name of the predefined TLS issuer to use" + type: enum + required: false + group: "General" + options: + - "s3gw-issuer" + - "s3gw-letsencrypt-issuer" + + - variable: email + show_if: "useCertManager=true&&tlsIssuer=s3gw-letsencrypt-issuer" + label: email address to use with s3gw-letsencrypt-issuer + description: "email address to use with s3gw-letsencrypt-issuer" + type: string + required: false + group: "General" + + - variable: serviceName + default: s3gw + description: "S3 Service Name" + label: "S3 Service Name" + required: true + type: string + group: "General" + + - variable: defaultUserCredentialsSecret + default: s3gw-creds + description: | + "The name of the secret containing the + S3 credentials for the default user" + type: string + group: "General" + + - variable: useExistingSecret + default: false + description: | + "Check this to use a preexisting secret + containing the S3 credentials for the default user" + type: boolean + group: "General" + + - variable: accessKey + show_if: "useExistingSecret=false" + default: test + description: | + "Set this as the empty string to make the Chart + to compute a random alphanumeric value" + label: "S3 Access Key" + type: string + group: "General" + + - variable: secretKey + show_if: "useExistingSecret=false" + default: test + description: | + "Set this as the empty string to make the Chart + to compute a random alphanumeric value" + label: "S3 Secret Key" + type: string + group: "General" + + - variable: ingress.enabled + default: true + description: "Deploy an Ingress (Required for TLS and UI)" + label: "Enable Ingress" + required: true + type: boolean + group: "General" + + - variable: publicDomain + show_if: ingress.enabled=true + default: be.127.0.0.1.omg.howdoi.website + description: "Public domain of the S3 Service used by the Ingress" + label: "Public Domain" + required: true + type: string + group: "General" + + - variable: privateDomain + default: svc.cluster.local + description: "Private domain of the S3 Service used inside the Kubernetes cluster" + label: "Private Domain" + required: true + type: string + group: "General" + + - variable: ui.enabled + default: false + description: "UI Enabled" + label: "UI Enabled" + required: true + type: boolean + group: "General" + + - variable: ui.serviceName + default: s3gw-ui + description: "UI Service Name" + label: "UI Service Name" + required: true + type: string + group: "General" + + - variable: ui.publicDomain + show_if: ingress.enabled=true + default: fe.127.0.0.1.omg.howdoi.website + description: "Public domain of the UI Service used by the Ingress" + label: "UI Public Domain" + required: true + type: string + group: "General" + + # Storage + - variable: storageSize + description: "Storage Size" + type: string + default: 10Gi + label: "Storage Size" + group: "Storage" + + - variable: storageClass.name + description: "Storage Class Name" + type: string + default: "longhorn-single" + required: true + label: "Storage Class" + group: "Storage" + + - variable: storageClass.create + description: | + Create a new opinionated storage class backed by longhorn.io + type: boolean + default: true + label: "Create Storage Class" + group: "Storage" + + # Advanced Options + - variable: imageRegistry + default: + description: "Image Registry" + label: "Image Registry" + required: false + type: string + group: "Advanced" + + - variable: imageCredentials.username + default: + description: "Registry Username" + label: "Username" + required: false + type: string + group: "Advanced" + + - variable: imageCredentials.password + default: + description: "Registry Password" + label: "Password" + required: false + type: string + group: "Advanced" + + - variable: imageCredentials.email + default: + description: "Registry Email" + label: "Email" + required: false + type: string + group: "Advanced" + + - variable: imagePullPolicy + default: + description: "Image Pull Policy" + label: "Image Pull Policy" + required: false + type: string + group: "Advanced" + + - variable: imageName + default: + description: "Gateway Image Name" + label: "Image Name" + required: false + type: string + group: "Advanced" + + - variable: imageTag + default: + description: "Image Tag" + label: "Image Tag" + required: false + type: string + group: "Advanced" + + - variable: ui.imageName + default: + description: "UI Image Name" + label: "UI Image Name" + required: false + type: string + group: "Advanced" + + - variable: ui.imageTag + default: + description: "UI Image Tag" + label: "UI Image Tag" + required: false + type: string + group: "Advanced" + + - variable: logLevel + default: "1" + description: "s3gw pod log level, lower values are less verbose" + label: "s3gw pod log level" + required: false + type: string + group: "Advanced" diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/NOTES.txt b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/NOTES.txt new file mode 100644 index 0000000000..d27381295f --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/NOTES.txt @@ -0,0 +1,16 @@ +Thank you for installing {{ .Chart.Name }} {{ printf "v%s" .Chart.Version }} + +The S3 endpoint is available at: + +{{ printf "%s.%s" .Values.serviceName .Values.publicDomain | indent 4 }} +{{ if .Values.ui.enabled}} +and the web interface is available at: + +{{ printf "%s.%s" .Values.ui.serviceName .Values.ui.publicDomain | indent 4 }} +{{- end }} +{{ if and (not .Values.useExistingSecret) (empty .Values.accessKey) }} +An access key has been generated: {{ include "s3gw.defaultAccessKey" . | quote }} +{{- end }} +{{- if and (not .Values.useExistingSecret) (empty .Values.secretKey) }} +A secret key has been generated: {{ include "s3gw.defaultSecretKey" . | quote }} +{{ end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/_helpers.tpl b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/_helpers.tpl new file mode 100644 index 0000000000..4afd684757 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/_helpers.tpl @@ -0,0 +1,140 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "s3gw.name" -}} +{{- .Chart.Name }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "s3gw.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "s3gw.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "s3gw.labels" -}} +helm.sh/chart: {{ include "s3gw.chart" . }} +{{ include "s3gw.commonSelectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{- define "s3gw.commonSelectorLabels" -}} +app.kubernetes.io/name: {{ include "s3gw.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{- define "s3gw.selectorLabels" -}} +{{ include "s3gw.commonSelectorLabels" . }} +app.kubernetes.io/component: gateway +{{- end }} + +{{- define "s3gw-ui.selectorLabels" -}} +{{ include "s3gw.commonSelectorLabels" . }} +app.kubernetes.io/component: ui +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "s3gw.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "s3gw.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Version helpers for the image tag +*/}} +{{- define "s3gw.image" -}} +{{- $defaulttag := printf "v%s" .Chart.Version }} +{{- $tag := default $defaulttag .Values.image.tag }} +{{- $name := default "s3gw/s3gw" .Values.image.repository }} +{{- $registry := include "registry-url" . }} +{{- printf "%s%s:%s" $registry $name $tag }} +{{- end }} + +{{- define "s3gw-ui.image" -}} +{{- $tag := default (printf "v%s" .Chart.Version) .Values.ui.image.tag }} +{{- $name := default "s3gw/s3gw-ui" .Values.ui.image.repository }} +{{- $registry := include "registry-url" . }} +{{- printf "%s%s:%s" $registry $name $tag }} +{{- end }} + +{{/* +Image Pull Secret +*/}} +{{- define "s3gw.imagePullSecret" -}} +{{- $un := .Values.imageCredentials.username }} +{{- $pw := .Values.imageCredentials.password }} +{{- $em := .Values.imageCredentials.email }} +{{- $rg := include "registry-url" . }} +{{- $au := (printf "%s:%s" $un $pw | b64enc) }} +{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" $rg $un $pw $em $au | b64enc}} +{{- end }} + + +{{/* +Default Access Credentials +*/}} +{{- define "s3gw.defaultAccessKey" -}} +{{- $key := default (randAlphaNum 32) .Values.accessKey }} +{{- printf "%s" $key }} +{{- end }} +{{- define "s3gw.defaultSecretKey" -}} +{{- $key := default (randAlphaNum 32) .Values.secretKey }} +{{- printf "%s" $key }} +{{- end }} + +{{/* +Windows cluster will add default taint for linux nodes, add below linux tolerations to +workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +URL prefix for container images to be compatible with Rancher +*/}} +{{- define "registry-url" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/ +{{- end -}} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/certificate.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/certificate.yaml new file mode 100644 index 0000000000..e44a3380c9 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/certificate.yaml @@ -0,0 +1,38 @@ +{{- if .Values.useCertManager }} +--- +# s3gw-ca root certificate +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: s3gw-ca-cert + namespace: {{ .Values.certManagerNamespace }} + labels: +{{ include "s3gw.labels" . | indent 4}} +spec: + commonName: s3gw-ca + isCA: true + issuerRef: + kind: ClusterIssuer + name: s3gw-self-signed-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: s3gw-ca-root +--- +# s3gw internal service certificate (private domain) +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: s3gw-cluster-ip-cert + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4}} +spec: + dnsNames: + - '{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}' + - '*.{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}' + issuerRef: + kind: ClusterIssuer + name: s3gw-issuer + secretName: s3gw-cluster-ip-tls +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/configmap.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/configmap.yaml new file mode 100644 index 0000000000..c6f27c9ba7 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/configmap.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: s3gw-config + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4}} +data: +{{- if .Values.ui.enabled }} + RGW_SERVICE_URL: 'https://{{ .Values.serviceName }}.{{ .Values.publicDomain }}' +{{- end }} + RGW_DEFAULT_USER_SYSTEM: "1" diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/deployment.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/deployment.yaml new file mode 100644 index 0000000000..d67f6ca540 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/deployment.yaml @@ -0,0 +1,111 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +spec: + replicas: 1 + selector: + matchLabels: +{{ include "s3gw.selectorLabels" . | indent 6 }} + strategy: + type: Recreate + template: + metadata: + labels: +{{ include "s3gw.selectorLabels" . | indent 8 }} + spec: +{{- if .Values.imageCredentials }} + imagePullSecrets: + - name: {{ .Chart.Name }}-image-pull-secret +{{- end }} + serviceAccountName: {{ include "s3gw.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "s3gw.image" . | quote }} + imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy }} + args: + - "--rgw-dns-name" +{{- if .Values.ingress.enabled }} + - {{ .Values.serviceName }}.{{ .Values.publicDomain }}, + {{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }} +{{- else}} + - {{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }} +{{- end }} + - "--rgw-backend-store" + - sfs + - "--debug-rgw" + - '{{ .Values.logLevel }}' + - "--rgw_frontends" + - "beast port=7480 ssl_port=7481 + ssl_certificate=/s3gw-cluster-ip-tls/tls.crt + ssl_private_key=/s3gw-cluster-ip-tls/tls.key" + ports: + - containerPort: 7480 + name: s3 + - containerPort: 7481 + name: s3-tls + envFrom: + - secretRef: + name: {{ .Values.defaultUserCredentialsSecret }} + volumeMounts: + - name: s3gw-lh-store + mountPath: /data + - name: s3gw-cluster-ip-tls + mountPath: /s3gw-cluster-ip-tls + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 }} + volumes: + - name: s3gw-lh-store + persistentVolumeClaim: + claimName: {{ .Release.Name }}-pvc + - name: s3gw-cluster-ip-tls + secret: + secretName: s3gw-cluster-ip-tls + optional: false +{{- if .Values.ui.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: '{{ .Chart.Name }}-ui' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +spec: + replicas: 1 + selector: + matchLabels: +{{ include "s3gw-ui.selectorLabels" . | indent 6 }} + strategy: {} + template: + metadata: + labels: +{{ include "s3gw-ui.selectorLabels" . | indent 8}} + spec: +{{- if .Values.imageCredentials }} + imagePullSecrets: + - name: {{ .Chart.Name }}-image-pull-secret +{{- end }} + serviceAccountName: {{ include "s3gw.serviceAccountName" . }} + containers: + - name: s3gw-ui + image: {{ include "s3gw-ui.image" . | quote }} + imagePullPolicy: {{ default "IfNotPresent" .Values.ui.imagePullPolicy }} + ports: + - containerPort: 8080 + envFrom: + - configMapRef: + name: s3gw-config + - secretRef: + name: {{ .Values.defaultUserCredentialsSecret }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/ingress-traefik.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/ingress-traefik.yaml new file mode 100644 index 0000000000..094ddc67a7 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/ingress-traefik.yaml @@ -0,0 +1,157 @@ +{{- if .Values.ingress.enabled }} +--- +# S3 Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: '{{ .Chart.Name }}' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} + annotations: + traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.middlewares: + '{{ .Release.Namespace }}-cors-header@kubernetescrd' + cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }} +spec: + tls: + - hosts: + - '{{ .Values.serviceName }}.{{ .Values.publicDomain }}' + - '*.{{ .Values.serviceName }}.{{ .Values.publicDomain }}' + secretName: s3gw-ingress-tls + rules: + - host: '{{ .Values.serviceName }}.{{ .Values.publicDomain }}' + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: '{{ .Values.serviceName }}' + port: + number: 80 + - host: '*.{{ .Values.serviceName }}.{{ .Values.publicDomain }}' + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: '{{ .Values.serviceName }}' + port: + number: 80 +--- +# S3 No TLS Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: '{{ .Chart.Name }}-no-tls' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} + annotations: + traefik.ingress.kubernetes.io/router.middlewares: + '{{ .Release.Namespace }}-cors-header@kubernetescrd' +spec: + rules: + - host: '{{ .Values.serviceName }}.{{ .Values.publicDomain }}' + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: '{{ .Values.serviceName }}' + port: + number: 80 + - host: '*.{{ .Values.serviceName }}.{{ .Values.publicDomain }}' + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: '{{ .Values.serviceName }}' + port: + number: 80 +{{- if .Values.ui.enabled }} +--- +# UI Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: '{{ .Chart.Name }}-ui' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} + annotations: + traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.middlewares: + '{{ .Release.Namespace }}-cors-header@kubernetescrd' + cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }} +spec: + tls: + - hosts: + - '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}' + secretName: s3gw-ui-ingress-tls + rules: + - host: '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}' + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: '{{ .Values.ui.serviceName }}' + port: + number: 80 +--- +# UI No TLS Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: '{{ .Chart.Name }}-ui-no-tls' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} + annotations: + traefik.ingress.kubernetes.io/router.middlewares: + '{{ .Release.Namespace }}-cors-header@kubernetescrd' +spec: + rules: + - host: '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}' + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: '{{ .Values.ui.serviceName }}' + port: + number: 80 +{{- end }} +--- +# Middleware for Traefik +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: cors-header + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +spec: + headers: + accessControlAllowMethods: + - "DELETE" + - "GET" + - "HEAD" + - "POST" + - "PUT" + - "OPTIONS" + accessControlAllowOriginList: + - "*" + accessControlAllowHeaders: + - "*" + accessControlExposeHeaders: + - "*" +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/psp.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/psp.yaml new file mode 100644 index 0000000000..f48bb00046 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/psp.yaml @@ -0,0 +1,86 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}} +{{- if .Values.serviceAccount.create }} +{{- if .Values.global.rbac.pspEnabled }} + +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "s3gw.serviceAccountName" . }}-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ include "s3gw.serviceAccountName" . }} + app: {{ include "s3gw.serviceAccountName" . }} +{{- if .Values.global.rbac.pspAnnotations }} + annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }} +{{- end }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "s3gw.serviceAccountName" . }}-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ include "s3gw.serviceAccountName" . }} + app: {{ include "s3gw.serviceAccountName" . }} +rules: +{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ include "s3gw.serviceAccountName" . }}-psp + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "s3gw.serviceAccountName" . }}-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: {{ include "s3gw.serviceAccountName" . }} + app: {{ include "s3gw.serviceAccountName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "s3gw.serviceAccountName" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ include "s3gw.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/secret.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/secret.yaml new file mode 100644 index 0000000000..cdf13e1a73 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/secret.yaml @@ -0,0 +1,27 @@ +{{- if not .Values.useExistingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: '{{ .Values.defaultUserCredentialsSecret }}' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +type: Opaque +stringData: + RGW_DEFAULT_USER_ACCESS_KEY: {{ include "s3gw.defaultAccessKey" . | quote }} + RGW_DEFAULT_USER_SECRET_KEY: {{ include "s3gw.defaultSecretKey" . | quote }} +{{- end }} +{{- if .Values.imageCredentials }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: '{{ .Chart.Name }}-image-pull-secret' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "s3gw.imagePullSecret" . }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/service.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/service.yaml new file mode 100644 index 0000000000..d9e72ac82c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/service.yaml @@ -0,0 +1,38 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: '{{ .Values.serviceName }}' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +spec: + selector: +{{ include "s3gw.selectorLabels" . | indent 4 }} + ports: + - name: s3 + protocol: TCP + port: 80 + targetPort: s3 + - name: s3-tls + protocol: TCP + port: 443 + targetPort: s3-tls +{{- if .Values.ui.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: '{{ .Values.ui.serviceName }}' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +spec: + selector: +{{ include "s3gw-ui.selectorLabels" . | indent 4 }} + ports: + - name: webui + protocol: TCP + port: 80 + targetPort: 8080 +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/serviceaccount.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/serviceaccount.yaml new file mode 100644 index 0000000000..7cf194a35b --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "s3gw.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "s3gw.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/storage.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/storage.yaml new file mode 100644 index 0000000000..36e87c721e --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/storage.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: '{{ .Release.Name }}-pvc' + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +spec: + storageClassName: {{ .Values.storageClass.name }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.storageSize }} +{{- if (or .Values.storageClass.create .Values.storageClass.local) }} +--- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ .Values.storageClass.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +volumeBindingMode: Immediate +{{- if .Values.storageClass.local }} +provisioner: kubernetes.io/no-provisioner +{{- else }} +provisioner: driver.longhorn.io +allowVolumeExpansion: true +reclaimPolicy: Delete +parameters: + fsType: ext4 + numberOfReplicas: "1" + staleReplicaTimeout: "2880" + fromBackup: "" +{{- end }} +{{- if .Values.storageClass.local }} +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: '{{ .Release.Name }}.{{ .Release.Namespace }}-local-pv' + labels: +{{ include "s3gw.labels" . | indent 4 }} + type: local +spec: + storageClassName: {{ .Values.storageClass.name }} + capacity: + storage: {{ .Values.storageSize }} + accessModes: + - ReadWriteOnce + hostPath: + path: {{ .Values.storageClass.localPath }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tests/smoke-bucket-create.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tests/smoke-bucket-create.yaml new file mode 100644 index 0000000000..e1aa7df926 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tests/smoke-bucket-create.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: 'smoke-{{ .Chart.Name }}-bucket-create' + namespace: '{{ .Release.Namespace }}' + annotations: + helm.sh/hook: test +spec: + template: + spec: + containers: + - name: create-bucket + image: opensuse/tumbleweed:latest + command: + - /bin/sh + - -exc + - zypper -n install --no-recommends libs3-tools; + + s3 -u -t 50 create testbucket; + + s3 -u -t 50 list | grep testbucket + env: + - name: S3_ACCESS_KEY_ID + value: {{ .Values.accessKey | quote }} + - name: S3_SECRET_ACCESS_KEY + value: {{ .Values.secretKey | quote }} + - name: S3_HOSTNAME + value: + '{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}' + restartPolicy: Never + backoffLimit: 3 diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tls-issuer.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tls-issuer.yaml new file mode 100644 index 0000000000..4471597723 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tls-issuer.yaml @@ -0,0 +1,46 @@ +{{- if .Values.useCertManager }} +--- +# Self-signed issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: s3gw-self-signed-issuer + labels: +{{ include "s3gw.labels" . | indent 4}} +spec: + selfSigned: {} +--- +# Private s3gw-ca issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: s3gw-issuer + labels: +{{ include "s3gw.labels" . | indent 4}} +spec: + ca: + secretName: s3gw-ca-root +--- +# Let's encrypt production issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: s3gw-letsencrypt-issuer + labels: +{{ include "s3gw.labels" . | indent 4}} +spec: + acme: + email: {{ .Values.email }} + preferredChain: "" + privateKeySecretRef: + name: s3gw-letsencrypt + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - http01: + ingress: + ingressTemplate: + metadata: + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tls-secret.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tls-secret.yaml new file mode 100644 index 0000000000..c5ab4f6278 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/templates/tls-secret.yaml @@ -0,0 +1,46 @@ +{{- if not .Values.useCertManager }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: s3gw-ingress-tls + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: | + {{ .Values.tls.publicDomain.crt }} + tls.key: | + {{ .Values.tls.publicDomain.key }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: s3gw-cluster-ip-tls + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: | + {{ .Values.tls.privateDomain.crt }} + tls.key: | + {{ .Values.tls.privateDomain.key }} +{{- if .Values.ui.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: s3gw-ui-ingress-tls + namespace: {{ .Release.Namespace }} + labels: +{{ include "s3gw.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: | + {{ .Values.tls.ui.publicDomain.crt }} + tls.key: | + {{ .Values.tls.ui.publicDomain.key }} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/charts/s3gw/values.yaml b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/values.yaml new file mode 100644 index 0000000000..cdf89e7460 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/charts/s3gw/values.yaml @@ -0,0 +1,112 @@ +--- + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the s3gw.fullname template + name: "" + +# Ingress configuration. +ingress: + # 'enabled' will deploy an ingress resource to the cluster if set to `true`. + enabled: true + +# Use cert-manager +useCertManager: true +# cert-manager namespace +certManagerNamespace: cert-manager +# The name of the predefined TLS issuer to use (s3gw-issuer, s3gw-letsencrypt-issuer). +tlsIssuer: "s3gw-issuer" +# The email address you are planning to use for getting notifications +# about your certificates. Fill this if you are using the 's3gw-letsencrypt-issuer'. +email: "epinio@suse.com" + +# When not using cert-manager you have to manually specify +# TLS certificate/key pairs for all the services. +# Specify values in Base64 encoded in one line. +tls: + publicDomain: + crt: "" + key: "" + privateDomain: + crt: "" + key: "" + ui: + publicDomain: + crt: "" + key: "" + +# S3 user interface +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# Note, the UI will not be able to access the RGW AdminOps API when +# using HTTPS and self-signed certificates because of CORS issues. +# To workaround that, please open the URL https:// in the +# browser and accept the SSL certificate before accessing the UI +# via https://. +# Check https://github.com/aquarist-labs/s3gw/issues/31 to get more +# information about the CORS issues. +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +ui: + # 'enabled' will deploy the S3GW user interface if set to `true`. + enabled: true + # 'serviceName' is the service name of the S3GW user interface. + serviceName: "s3gw-ui" + # 'publicDomain' is the public domain of the UI Service used by the Ingress. + publicDomain: "fe.127.0.0.1.omg.howdoi.website" + + # --- Developer Options --- + # imageName: "aquarist-labs/s3gw-ui" + # imageTag: "v0.0.0" + +# S3 Service +# +# 'serviceName' is the service name of S3GW. +serviceName: "s3gw" +# 'useExistingSecret' use an existing secret containing the S3 credentials +# for the default user +useExistingSecret: false +# 'defaultUserCredentialsSecret' the name of the secret containing +# the S3 Access Key and the S3 Secret Key for the default user. +defaultUserCredentialsSecret: "s3gw-creds" +# 'accessKey' is the S3 Access Key; the value is used when useExistingSecret: false. +# Set this as the empty string to make the Chart to compute a random alphanumeric value. +accessKey: "test" +# 'secretKey' is the S3 Secret Key; the value is used when useExistingSecret: false +# Set this as the empty string to make the Chart to compute a random alphanumeric value. +secretKey: "test" +# 'publicDomain' is the public domain of S3GW used by the Ingress +publicDomain: "be.127.0.0.1.omg.howdoi.website" +# 'privateDomain' is the private domain of S3GW used inside the Kubernetes cluster +privateDomain: "svc.cluster.local" + +# Backing storage. +# Name the storage class to use. If create is true, an opinionated storage class +# will be created. This assumes the Longhorn storage driver is installed. +storageSize: 10Gi +storageClass: + name: "longhorn-single" + create: true +# For testing only: +# local: false +# localPath: /var/lib/local-storage + +# --- Developer Options --- +# +# Image settings: +# imagePullPolicy: "Always" +# image.registry: "" +image: + repository: "rancher/mirrored-s3gw-s3gw" + tag: "v0.14.0" +# imageCredentials: +# username: foo +# password: bar +# email: foobar@suse.com + +# s3gw pod log level. +# Valid values are positive integers starting from 0. +# Higher values are more verbose. +logLevel: "1" diff --git a/charts/epinio/102.0.4+up1.9.0/questions.yml b/charts/epinio/102.0.4+up1.9.0/questions.yml new file mode 100644 index 0000000000..faf15396d9 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/questions.yml @@ -0,0 +1,186 @@ +questions: +- variable: global.rbac.pspEnabled + default: "false" + description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false." + label: "Enable PodSecurityPolicies" + type: boolean + group: "Security Settings" +- variable: global.tlsIssuerEmail + label: Issuer Email Receiver + description: "Email address to receive the certificate notification emails send by the `letsencrypt-production` issuer" + type: string + required: false + group: "General settings" +- variable: certManagerNamespace + label: Cert-manager namespace + description: "Namespace where cert-manager is installed in" + type: string + required: false + group: "Advanced settings" +- variable: ingress.ingressClassName + label: Ingress class name for the server + description: "Set a class name to select the ingress controller you want to use for the server" + type: string + group: "Advanced settings" +- variable: server.ingressClassName + label: Ingress class name for apps + description: "Set a class name to select the ingress controller you want to use for your apps" + type: string + group: "Advanced settings" +- variable: server.disableTracking + label: Disable tracking + description: "Disable tracking of the running Epinio and Kubernetes versions" + type: boolean + group: "Advanced settings" +- variable: serviceCatalog.enableDevServices + label: Enable catalog services for development + default: "true" + description: "Enables services in the Epinio service catalog, meant to be used in development (because they are running in-cluster)" + type: boolean + group: "Advanced settings" +- variable: useCustomTlsIssuer + label: Use your own TLS issuer + default: "false" + description: "Use your own TLS issuer" + type: boolean + group: "General settings" + show_subquestion_if: true + subquestions: + - variable: customTlsIssuer + label: TLS issuer + description: "Name of the cluster issuer to use" + type: string + required: false +- variable: global.tlsIssuer + show_if: "useCustomTlsIssuer=false" + label: TLS issuer + description: "Name of the predefined cluster issuer to use" + type: enum + required: false + group: "General settings" + options: + - "epinio-ca" + - "selfsigned-issuer" + - "letsencrypt-production" +- variable: api.username + label: API username + description: "The user name for authenticating all API requests" + type: string + required: false + group: "General settings" +- variable: api.passwordBcrypt + label: API password + description: "The password for authenticating all API requests (hashed with Bcrypt)" + type: password + required: false + group: "General settings" +- variable: global.domain + label: Domain + description: "Domain for the application" + type: string + required: true + group: "General settings" +- variable: server.accessControlAllowOrigin + label: Access control allow origin + description: "Domain which serves the Rancher UI (to access the API)" + type: string + required: false + group: "General settings" +- variable: kubed.enabled + label: Install kubed + description: "Deploy kubed or skip it if you get it installed already" + type: boolean + group: "Advanced settings" +- variable: containerregistry.enabled + description: "Disable local container registry to configure an external registry." + label: Install local container registry + type: boolean + show_subquestion_if: false + group: "External registry" + subquestions: + - variable: global.registryURL + label: External registry url + description: "URL of your external registry" + type: string + required: false + - variable: global.registryUsername + label: External registry username + description: "Username to authenticate to the external registry" + type: string + required: false + - variable: global.registryPassword + label: External registry password + description: "Password to authenticate to the external registry" + type: password + required: false + - variable: global.registryNamespace + label: External registry namespace + description: "The organization part of the registry path for an external registry where you have push access" + type: string + required: false + - variable: containerregistry.certificateSecret + label: External registry certificate secret + description: | + Name of Secret in Epinio's main namespace with PEM formatted certificate found at key 'tls.crt'. + Necessary for validating external registry used by Epinio's staging jobs. + Must be also trusted by kubelet in the cluster. + type: string + required: false +- variable: minio.enabled + label: Install Minio + description: "Disable Minio to either use s3gw or to configure an external s3 storage." + type: boolean + group: "S3 storage" + show_subquestion_if: false + subquestions: + - variable: s3gw.enabled + label: Install s3gw + description: "Disable s3gw to configure an external s3 storage." + type: boolean + show_subquestion_if: false + group: "S3 storage" + subquestions: + - variable: s3.endpoint + label: S3 endpoint + description: "Endpoint of your S3 storage" + type: string + required: false + - variable: s3.accessKeyID + label: S3 access key id + description: "Access key id to authenticate to your S3 storage" + type: string + required: false + - variable: s3.secretAccessKey + label: S3 access key secret + description: "Secret access key to authenticate to your S3 storage" + type: password + required: false + - variable: s3.bucket + label: S3 bucket + description: "Bucket of your S3 storage" + type: string + required: false + - variable: s3.region + label: S3 region + description: "Region of your S3 storage" + type: string + required: false + - variable: s3.useSSL + label: S3 use SSL + type: boolean + required: false + - variable: s3.certificateSecret + label: Self signed certificate for S3 + description: Set it to an existing secret if s3 is using a self signed certificate + type: string + required: false +- variable: server.traceLevel + label: Epinio API Log Level + required: false + type: string + group: "Debugging" +- variable: server.timeoutMultiplier + label: Timeout Multiplier + required: false + type: string + group: "Debugging" diff --git a/charts/epinio/102.0.4+up1.9.0/templates/NOTES.txt b/charts/epinio/102.0.4+up1.9.0/templates/NOTES.txt new file mode 100644 index 0000000000..f0c1dd2bad --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/NOTES.txt @@ -0,0 +1,12 @@ +To interact with your Epinio installation download the latest epinio binary from https://github.com/epinio/epinio/releases/latest. + +Login to the cluster with any of +{{ range .Values.api.users }} + `epinio login -u {{ .username }} https://epinio.{{ $.Values.global.domain }}` +{{- end }} + +or go to the dashboard at: https://epinio.{{ .Values.global.domain }} + +If you didn't specify a password the default one is `password`. + +For more information about Epinio, feel free to checkout https://epinio.io/ and https://docs.epinio.io/. diff --git a/charts/epinio/102.0.4+up1.9.0/templates/_helpers.tpl b/charts/epinio/102.0.4+up1.9.0/templates/_helpers.tpl new file mode 100644 index 0000000000..7b9955b02f --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/_helpers.tpl @@ -0,0 +1,196 @@ +{{/* +URL prefix for container images to be compatible with Rancher +*/}} +{{- define "registry-url" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/ +{{- end -}} +{{- end -}} + +{{/* +URL of the registry epinio uses to store workload images +*/}} +{{- define "epinio.registry-url" -}} +{{- if .Values.containerregistry.enabled -}} +{{- printf "registry.%s.svc.cluster.local:5000" .Release.Namespace }} +{{- else -}} +{{- .Values.global.registryURL }} +{{- end -}} +{{- end -}} + +{{/* +URL of the minio epinio installed +*/}} +{{- define "epinio.minio-url" -}} +{{- if .Values.minio.enabled -}} +{{- printf "%s.%s.svc.cluster.local:9000" .Values.minio.fullnameOverride .Release.Namespace }} +{{- else -}} +{{- .Values.s3.endpoint }} +{{- end -}} +{{- end -}} + +{{/* +Host name of the minio epinio installed +*/}} +{{- define "epinio.minio-hostname" -}} +{{- printf "%s.%s.svc.cluster.local" .Values.minio.fullnameOverride .Release.Namespace }} +{{- end -}} + +{{/* +URL of the s3gw epinio installed +*/}} +{{- define "epinio.s3gw-url" -}} +{{- if .Values.s3gw.enabled -}} +{{- printf "%s.%s.svc.cluster.local" .Values.s3gw.serviceName .Release.Namespace }} +{{- else -}} +{{- .Values.s3.endpoint }} +{{- end -}} +{{- end -}} + +{{/* +Host name of the s3gw epinio installed +*/}} +{{- define "epinio.s3gw-hostname" -}} +{{- printf "%s.%s.svc.cluster.local" .Values.s3gw.serviceName .Release.Namespace }} +{{- end -}} + +{{/* +PVC cleanup hooks for bitnami helm chart based catalog services +# https://github.com/epinio/epinio/issues/1386 +# https://docs.bitnami.com/kubernetes/apps/aspnet-core/administration/deploy-extra-resources/ +*/}} +{{- define "epinio.catalog-service-values" -}} +{{ printf ` +extraDeploy: + - | + # Create a service account, role and binding to allow to list, get and + # delete PVCs. It should be used by the job below. + + # To ensure the resources are deleted, use this annotation: + # + # annotations: + # "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + + # https://helm.sh/docs/topics/charts_hooks/#hook-resources-are-not-managed-with-corresponding-releases + # https://helm.sh/docs/topics/charts_hooks/#hook-deletion-policies + + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + name: "pvc-deleter-{{ .Release.Name }}" + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-6" + + --- + apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} + kind: Role + metadata: + name: "pvc-deleter-{{ .Release.Name }}" + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-6" + rules: + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - delete + - list + + --- + kind: RoleBinding + apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} + metadata: + name: "pvc-deleter-{{ .Release.Name }}" + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-5" + subjects: + - kind: ServiceAccount + name: "pvc-deleter-{{ .Release.Name }}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "pvc-deleter-{{ .Release.Name }}" + + --- + apiVersion: batch/v1 + kind: Job + metadata: + name: "pvc-deleter-{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-4" + "helm.sh/hook-delete-policy": hook-succeeded + spec: + template: + metadata: + name: "pvc-deleter-{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + spec: + restartPolicy: Never + serviceAccountName: "pvc-deleter-{{ .Release.Name }}" + containers: + - name: post-install-job + image: "%s" + command: ["kubectl", "delete", "pvc", "-n", "{{ .Release.Namespace }}", "-l", "app.kubernetes.io/instance={{ .Release.Name }}"] +` (print (include "registry-url" .) .Values.image.kubectl.repository ":" .Values.image.kubectl.tag) | indent 4}} +{{- end -}} + +{{/* +Removes characters that are invalid for kubernetes resource names from the +given string +*/}} +{{- define "epinio-name-sanitize" -}} +{{ regexReplaceAll "[^-a-z0-9]*" . "" }} +{{- end }} + +{{/* +Resource name sanitization and truncation. +- Always suffix the sha1sum (40 characters long) +- Always add an "r" prefix to make sure we don't have leading digits +- The rest of the characters up to 63 are the original string with invalid +character removed. +*/}} +{{- define "epinio-truncate" -}} +{{ print "r" (trunc 21 (include "epinio-name-sanitize" .)) "-" (sha1sum .) }} +{{- end }} + +{{/* +Windows cluster will add default taint for linux nodes, add below linux tolerations to +workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/assets.yaml b/charts/epinio/102.0.4+up1.9.0/templates/assets.yaml new file mode 100644 index 0000000000..3614c7a967 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/assets.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: {{ .Release.Namespace }} + name: epinio-assets + labels: + app.kubernetes.io/component: epinio + app.kubernetes.io/name: epinio-assets + app.kubernetes.io/part-of: epinio + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: Opaque +data: +{{ (.Files.Glob "assets/*").AsSecrets | indent 2 }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/certificate.yaml b/charts/epinio/102.0.4+up1.9.0/templates/certificate.yaml new file mode 100644 index 0000000000..0256415331 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/certificate.yaml @@ -0,0 +1,50 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: epinio + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - epinio.{{ .Values.global.domain }} + issuerRef: + kind: ClusterIssuer + name: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }} + secretName: epinio-tls + +{{- if .Values.minio.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: minio-cert + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - {{ include "epinio.minio-hostname" . }} + issuerRef: + kind: ClusterIssuer + # We always trust the CA for minio so we can always use selfsigned certs + # Because Letsencrypt doesn't create certs for non public domains + name: epinio-ca + secretName: minio-tls + secretTemplate: + annotations: + kubed.appscode.com/sync: "kubed-s3-tls-from={{ .Release.Namespace }}" +{{- end }} + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: epinio-ca + namespace: {{ .Values.certManagerNamespace }} +spec: + commonName: epinio-ca + isCA: true + issuerRef: + kind: ClusterIssuer + name: selfsigned-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: epinio-ca-root diff --git a/charts/epinio/102.0.4+up1.9.0/templates/chart-validations.yaml b/charts/epinio/102.0.4+up1.9.0/templates/chart-validations.yaml new file mode 100644 index 0000000000..e9dd50869c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/chart-validations.yaml @@ -0,0 +1,6 @@ +{{- if (and .Values.minio.enabled .Values.s3gw.enabled) }} +{{- fail "use either minio or s3gw" }} +{{- end }} +{{- if (empty .Values.global.domain) }} +{{- fail "domain cannot be empty" }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/cluster-issuers.yaml b/charts/epinio/102.0.4+up1.9.0/templates/cluster-issuers.yaml new file mode 100644 index 0000000000..c9d38a9f47 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/cluster-issuers.yaml @@ -0,0 +1,44 @@ +--- +# Self-signed issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} + +--- +# Let's encrypt production issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + email: {{ .Values.global.tlsIssuerEmail | default .Values.email | quote }} + preferredChain: "" + privateKeySecretRef: + name: letsencrypt-production + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - http01: + ingress: + {{- if .Values.ingress.ingressClassName }} + class: "{{ .Values.ingress.ingressClassName }}" + {{- end }} + ingressTemplate: + metadata: + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" + +--- +# Private CA (epinio-ca) issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: epinio-ca +spec: + ca: + secretName: epinio-ca-root + diff --git a/charts/epinio/102.0.4+up1.9.0/templates/container-registry.yaml b/charts/epinio/102.0.4+up1.9.0/templates/container-registry.yaml new file mode 100644 index 0000000000..d6d23d3525 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/container-registry.yaml @@ -0,0 +1,193 @@ +{{- if .Values.containerregistry.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: auth + namespace: {{ .Release.Namespace }} +stringData: + # The only supported password format is bcrypt + htpasswd: {{ htpasswd .Values.global.registryUsername .Values.global.registryPassword | quote }} + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: epinio-registry + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - registry.{{ .Release.Namespace }}.svc.cluster.local + ipAddresses: + - 127.0.0.1 + issuerRef: + kind: ClusterIssuer + name: epinio-ca + secretName: epinio-registry-tls + +--- +apiVersion: v1 +kind: Service +metadata: + name: registry + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "epinio-registry" + app.kubernetes.io/instance: "epinio-registry" +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: "epinio-registry" + app.kubernetes.io/instance: "epinio-registry" + ports: + - name: registry + port: 5000 + targetPort: 5000 + +{{ if .Values.containerregistry.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: registry-node + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "epinio-registry" + app.kubernetes.io/instance: "epinio-registry" +spec: + type: NodePort + selector: + app.kubernetes.io/name: "epinio-registry" + app.kubernetes.io/instance: "epinio-registry" + ports: + - name: registry-sidecar + port: 30500 + targetPort: 30500 + nodePort: 30500 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-conf + namespace: {{ .Release.Namespace }} +data: + nginx.conf: | + server { + listen 30500 default_server; + server_name 127.0.0.1; + + location / { + proxy_pass https://localhost:5000/; + } + } +{{- end }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: registry + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "epinio-registry" + app.kubernetes.io/instance: "epinio-registry" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "epinio-registry" + app.kubernetes.io/instance: "epinio-registry" + template: + metadata: + labels: + app.kubernetes.io/name: "epinio-registry" + app.kubernetes.io/instance: "epinio-registry" + spec: + containers: +{{ if .Values.containerregistry.enabled }} + - name: nginx + image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.nginx.repository}}:{{ .Values.containerregistry.image.nginx.tag }}" + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + livenessProbe: + tcpSocket: + port: 5000 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + tcpSocket: + port: 5000 + volumeMounts: + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /var/cache/nginx/ + name: nginx-run + - mountPath: /var/run/ + name: nginx-run +{{- end }} + - name: registry + image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.registry.repository}}:{{ .Values.containerregistry.image.registry.tag }}" + imagePullPolicy: {{ .Values.containerregistry.imagePullPolicy }} + env: + - name: REGISTRY_AUTH + value: htpasswd + - name: REGISTRY_AUTH_HTPASSWD_REALM + value: Registry Realm + - name: REGISTRY_AUTH_HTPASSWD_PATH + value: /etc/registry/auth/htpasswd + - name: REGISTRY_HTTP_TLS_CERTIFICATE + value: "/certs/tls.crt" + - name: REGISTRY_HTTP_TLS_KEY + value: "/certs/tls.key" + - name: REGISTRY_STORAGE_DELETE_ENABLED + value: "true" + volumeMounts: + - name: registry + mountPath: /var/lib/registry + readOnly: false + - name: auth + mountPath: /etc/registry/auth + readOnly: true + - name: certs + mountPath: /certs + readOnly: true + securityContext: + runAsUser: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + livenessProbe: + httpGet: + port: 5000 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + port: 5000 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 5 + volumes: + - name: registry + emptyDir: {} + - name: auth + secret: + secretName: auth + - name: certs + secret: + secretName: epinio-registry-tls +{{ if .Values.containerregistry.enabled }} + - name: nginx-conf + configMap: + name: nginx-conf + - name: nginx-cache + emptyDir: {} + - name: nginx-run + emptyDir: {} +{{- end }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/default-app-chart.yaml b/charts/epinio/102.0.4+up1.9.0/templates/default-app-chart.yaml new file mode 100644 index 0000000000..79ade1aed5 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/default-app-chart.yaml @@ -0,0 +1,19 @@ +apiVersion: application.epinio.io/v1 +kind: AppChart +metadata: + namespace: {{ .Release.Namespace }} + name: standard + labels: + app.kubernetes.io/component: epinio + app.kubernetes.io/instance: default + app.kubernetes.io/name: epinio-standard-app-chart + app.kubernetes.io/part-of: epinio + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }} +spec: + shortDescription: Epinio standard deployment + description: Epinio standard support chart for application deployment + helmChart: {{ .Values.appChart.default | quote }} + settings: + appListeningPort: + type: 'integer' + minimum: '0' diff --git a/charts/epinio/102.0.4+up1.9.0/templates/default-user.yaml b/charts/epinio/102.0.4+up1.9.0/templates/default-user.yaml new file mode 100644 index 0000000000..0929de38ae --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/default-user.yaml @@ -0,0 +1,17 @@ +{{- range .Values.api.users }} +--- +apiVersion: v1 +kind: Secret +type: BasicAuth +metadata: + labels: + epinio.io/api-user-credentials: "true" + epinio.io/role: {{ .role }} + name: {{ include "epinio-truncate" (print "user-" .username) }} + namespace: {{ $.Release.Namespace }} +stringData: + username: {{ .username | quote }} + password: {{ .passwordBcrypt | quote }} + namespaces: | + {{ join "\n" .workspaces -}} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/dex.yaml b/charts/epinio/102.0.4+up1.9.0/templates/dex.yaml new file mode 100644 index 0000000000..19bfe5c39c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/dex.yaml @@ -0,0 +1,103 @@ +{{- if .Values.global.dex.enabled -}} + +{{- $dexSecret := (lookup "v1" "Secret" .Release.Namespace "dex-config").data | default dict -}} +{{- $prevUiClientSecret := (get $dexSecret "uiClientSecret") -}} +{{- $uiClientSecret := empty $prevUiClientSecret | ternary (randAlphaNum 32) (b64dec $prevUiClientSecret) -}} + +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + annotations: + name: dex-config + namespace: {{ .Release.Namespace }} +stringData: + issuer: "https://auth.{{ .Values.global.domain }}" + endpoint: {{ printf "http://%s.%s.svc.cluster.local:5556" .Values.dex.fullnameOverride .Release.Namespace }} + uiClientSecret: {{ $uiClientSecret }} + config.yaml: |- + issuer: "https://auth.{{ .Values.global.domain }}" + storage: + type: kubernetes + config: + inCluster: true + enablePasswordDB: true + staticPasswords: + - email: "admin@epinio.io" + # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2) + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + username: "admin" + userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" + - email: "epinio@epinio.io" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + userID: "08a8684b-db88-4b73-90a9-3cd1661f5467" + + staticClients: + - id: epinio-api + name: 'Epinio API' + public: true + # The 'Epinio API' lets the 'Epinio cli' issue ID tokens on its behalf. + # https://dexidp.io/docs/custom-scopes-claims-clients/#cross-client-trust-and-authorized-party + trustedPeers: + - epinio-cli + - epinio-ui + + - id: epinio-cli + name: 'Epinio cli' + public: true + + - id: epinio-ui + name: 'Epinio UI' + secret: {{ $uiClientSecret | quote }} + # Shouldn't be public, https://dexidp.io/docs/custom-scopes-claims-clients/#public-clients + redirectURIs: + - {{ .Values.dex.ui.redirectURI | default (printf "https://epinio.%s/auth/verify/" .Values.global.domain) | quote }} + +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + labels: + epinio.io/api-user-credentials: "true" + epinio.io/role: "admin" + name: {{ include "epinio-truncate" (print "user-" "admin@epinio.io") }} + namespace: {{ .Release.Namespace }} +stringData: + username: "admin@epinio.io" + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: dex + namespace: {{ .Release.Namespace }} + annotations: + cert-manager.io/cluster-issuer: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }} + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} +spec: + {{- if .Values.ingress.ingressClassName }} + ingressClassName: "{{ .Values.ingress.ingressClassName }}" + {{- end }} + rules: + - host: "auth.{{ .Values.global.domain }}" + http: + paths: + - backend: + service: + name: dex + port: + number: 5556 + path: / + pathType: Prefix + tls: + - hosts: + - "auth.{{ .Values.global.domain }}" + secretName: dex-tls + +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/ingress.yaml b/charts/epinio/102.0.4+up1.9.0/templates/ingress.yaml new file mode 100644 index 0000000000..ae08585c42 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/ingress.yaml @@ -0,0 +1,58 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" + nginx.ingress.kubernetes.io/ssl-redirect: {{ .Values.ingress.nginxSSLRedirect | quote }} + nginx.ingress.kubernetes.io/proxy-body-size: 100m + nginx.org/websocket-service: "epinio-server" + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: epinio + name: epinio + namespace: {{ .Release.Namespace }} +spec: + {{- if .Values.ingress.ingressClassName }} + ingressClassName: "{{ .Values.ingress.ingressClassName }}" + {{- end }} + rules: + - host: "epinio.{{ .Values.global.domain }}" + http: + paths: + - backend: + service: + name: epinio-server + port: + number: 80 + path: /api + pathType: Prefix + - backend: + service: + name: epinio-server + port: + number: 80 + path: /wapi + pathType: Prefix + - backend: + service: + name: epinio-server + port: + number: 80 + path: /ready + pathType: Exact + {{- if ".Values.epinio-ui.enabled" }} + - backend: + service: + name: epinio-ui + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + tls: + - hosts: + - "epinio.{{ .Values.global.domain }}" + secretName: epinio-tls diff --git a/charts/epinio/102.0.4+up1.9.0/templates/psp.yaml b/charts/epinio/102.0.4+up1.9.0/templates/psp.yaml new file mode 100644 index 0000000000..f4097a1137 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/psp.yaml @@ -0,0 +1,83 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}} +{{- if .Values.global.rbac.pspEnabled }} + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: epinio-server-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: epinio-server + app: epinio-server +{{- if .Values.global.rbac.pspAnnotations }} + annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }} +{{- end }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: epinio-server-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: epinio-server + app: epinio-server +rules: +{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - epinio-server-psp + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: epinio-server-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: epinio-server + app: epinio-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: epinio-server-psp +subjects: + - kind: ServiceAccount + name: epinio-server + namespace: {{ .Release.Namespace }} + +{{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/registry-secret.yaml b/charts/epinio/102.0.4+up1.9.0/templates/registry-secret.yaml new file mode 100644 index 0000000000..6539d35032 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/registry-secret.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + annotations: + epinio.io/registry-namespace: {{ .Values.global.registryNamespace }} + kubed.appscode.com/sync: kubed-sync=registry-creds + name: registry-creds + namespace: {{ .Release.Namespace }} +stringData: + .dockerconfigjson: |- + { + "auths": { + "{{ template "epinio.registry-url" . }}": { + "auth":"{{ printf "%s:%s" .Values.global.registryUsername .Values.global.registryPassword | b64enc }}", + "username":"{{ .Values.global.registryUsername }}", + "password":"{{ .Values.global.registryPassword }}" + } {{- if .Values.containerregistry.enabled }} , + "127.0.0.1:30500": { + "auth":"{{ printf "%s:%s" .Values.global.registryUsername .Values.global.registryPassword | b64enc }}", + "username":"{{ .Values.global.registryUsername }}", + "password":"{{ .Values.global.registryPassword }}" + } + {{- end -}} + } + } diff --git a/charts/epinio/102.0.4+up1.9.0/templates/s3-secret.yaml b/charts/epinio/102.0.4+up1.9.0/templates/s3-secret.yaml new file mode 100644 index 0000000000..f787761005 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/s3-secret.yaml @@ -0,0 +1,80 @@ +# defaulting s3 config with the user provided values +{{- $s3Endpoint := .Values.s3.endpoint }} +{{- $s3AccessKey := .Values.s3.accessKeyID }} +{{- $s3SecretKey := .Values.s3.secretAccessKey }} +{{- $s3Bucket := .Values.s3.bucket }} +{{- $s3UseSSL := .Values.s3.useSSL }} +{{- $s3Region := .Values.s3.region }} +# minio values if minio is enabled +{{- if .Values.minio.enabled }} +# Generated credentials for minio. Used only if minio is enabled. +{{- $oldkeys := (lookup "v1" "Secret" .Release.Namespace "minio-creds").data -}} +{{- $accessKey := empty $oldkeys | ternary (randAlphaNum 16) (b64dec (default "" $oldkeys.accesskey)) -}} +{{- $secretKey := empty $oldkeys | ternary (randAlphaNum 16) (b64dec (default "" $oldkeys.secretkey)) -}} +{{- $s3Endpoint = include "epinio.minio-url" . -}} +{{- $s3AccessKey = $accessKey }} +{{- $s3SecretKey = $secretKey }} +{{- $s3UseSSL = true }} +# s3gw values if s3gw is enabled +{{- else if .Values.s3gw.enabled }} +# Generated credentials for s3gw. Used only if s3gw is enabled. +{{- $oldkeys := (lookup "v1" "Secret" .Release.Namespace .Values.s3gw.defaultUserCredentialsSecret).data -}} +{{- $accessKey := empty $oldkeys | ternary (randAlphaNum 32) (b64dec (default "" $oldkeys.RGW_DEFAULT_USER_ACCESS_KEY)) -}} +{{- $secretKey := empty $oldkeys | ternary (randAlphaNum 32) (b64dec (default "" $oldkeys.RGW_DEFAULT_USER_SECRET_KEY)) -}} +{{- $s3Endpoint = include "epinio.s3gw-url" . -}} +{{- $s3AccessKey = $accessKey }} +{{- $s3SecretKey = $secretKey }} +{{- $s3UseSSL = true }} +{{- end }} + +--- +# The S3 connection details as required by the staging Job (in "ini" format) +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: epinio-s3-connection-details + namespace: {{ .Release.Namespace }} +stringData: + bucket: {{ $s3Bucket }} + config: |- + [default] + region={{ $s3Region }} + credentials: |- + [default] + aws_access_key_id={{ $s3AccessKey }} + aws_secret_access_key={{ $s3SecretKey }} + endpoint: {{ $s3Endpoint | quote }} + useSSL: {{ $s3UseSSL | quote }} + +# Secrets get created first so Minio and s3gw should find them there when they needs them. +# https://github.com/helm/helm/blob/release-3.0/pkg/releaseutil/kind_sorter.go + +{{- if .Values.minio.enabled }} +# The S3 connection details as required by Minio deployment +# https://github.com/minio/minio/blob/8ae46bce937567e682d14f7fe845b8ff67e549d2/helm/minio/values.yaml#L81 +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: minio-creds + namespace: {{ .Release.Namespace }} +stringData: + rootUser: {{ $s3AccessKey | quote }} + rootPassword: {{ $s3SecretKey | quote }} + accesskey: {{ $s3AccessKey | quote }} + secretkey: {{ $s3SecretKey | quote }} +{{- else if .Values.s3gw.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: '{{ .Values.s3gw.defaultUserCredentialsSecret }}' + namespace: {{ .Release.Namespace }} + labels: +type: Opaque +stringData: + RGW_DEFAULT_USER_ACCESS_KEY: {{ $s3AccessKey | quote }} + RGW_DEFAULT_USER_SECRET_KEY: {{ $s3SecretKey | quote }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/server.yaml b/charts/epinio/102.0.4+up1.9.0/templates/server.yaml new file mode 100644 index 0000000000..ee6ff89866 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/server.yaml @@ -0,0 +1,418 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: epinio-server + namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: epinio-server-cluster-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: epinio-server + namespace: {{ .Release.Namespace }} + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: epinio-server +rules: +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - create + - delete + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - update + - delete +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get + - post +- apiGroups: + - "" + resources: + - pods/portforward + verbs: + - get +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - update + - delete + - get + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - update + - patch +- apiGroups: + - servicecatalog.k8s.io + resources: + - servicebindings + verbs: + - create + - get + - delete + - list +- apiGroups: + - servicecatalog.k8s.io + resources: + - serviceinstances + verbs: + - create + - delete + - get + - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - create + - delete +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete +- apiGroups: + - "cert-manager.io" + resources: + - certificates + verbs: + - create +- apiGroups: + - application.epinio.io + resources: + - apps + verbs: + - get + - list + - create + - delete + - patch + - update +- apiGroups: + - "metrics.k8s.io" + resources: + - pods + verbs: + - list +- apiGroups: + - apps + resources: + - replicasets + verbs: + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: epinio-server-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: epinio-server +subjects: +- kind: ServiceAccount + name: epinio-server + namespace: {{ .Release.Namespace }} + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: epinio-server + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - create + - delete + - list +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: epinio-server-role + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: epinio-server +subjects: +- kind: ServiceAccount + name: epinio-server + namespace: {{ .Release.Namespace }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: epinio + app.kubernetes.io/instance: default + app.kubernetes.io/name: epinio-server + app.kubernetes.io/part-of: epinio + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }} + name: epinio-server + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: epinio-server + app.kubernetes.io/instance: default + app.kubernetes.io/name: epinio-server + app.kubernetes.io/part-of: epinio + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/component: epinio-server + app.kubernetes.io/instance: default + app.kubernetes.io/name: epinio-server + app.kubernetes.io/part-of: epinio + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }} + name: epinio-server + spec: + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + serviceAccountName: epinio-server + volumes: + - name: asset-volume + secret: + secretName: epinio-assets + - name: tmp-volume + emptyDir: {} + - name: image-export-volume + persistentVolumeClaim: + claimName: image-export-pvc +{{- if .Values.global.dex.enabled }} + - name: dex-tls + secret: + secretName: dex-tls + optional: false +{{- end }} + containers: + - command: ["/epinio", "server"] + args: ["--port", "8030"] + env: + - name: EPINIO_SETTINGS + value: /tmp/settings.yaml + - name: NAMESPACE + value: "{{ .Release.Namespace }}" + - name: ACCESS_CONTROL_ALLOW_ORIGIN + value: "{{ .Values.server.accessControlAllowOrigin }}" + - name: EPINIO_TIMEOUT_MULTIPLIER + value: "{{ .Values.server.timeoutMultiplier }}" + - name: TLS_ISSUER + value: "{{ .Values.global.tlsIssuer }}" + - name: TRACE_LEVEL + value: "{{ .Values.server.traceLevel }}" + - name: CHART_VERSION + value: "{{ .Chart.Version }}" + {{- $imageSkopeo := .Values.image.skopeo -}} + {{- if $imageSkopeo }} + - name: APP_IMAGE_EXPORTER + value: "{{ default $imageSkopeo.registry (include "registry-url" .) }}{{ $imageSkopeo.repository}}:{{ $imageSkopeo.tag }}" + {{- end }} + {{- if .Values.server.disableTracking }} + - name: DISABLE_TRACKING + value: "true" + {{- end }} + {{- if .Values.minio.enabled }} + - name: S3_CERTIFICATE_SECRET + value: {{ default "minio-tls" .Values.s3.certificateSecret }} + {{- else if .Values.s3gw.enabled }} + - name: S3_CERTIFICATE_SECRET + value: {{ default "s3gw-cluster-ip-tls" .Values.s3.certificateSecret }} + {{- else if .Values.s3.certificateSecret }} + - name: S3_CERTIFICATE_SECRET + value: {{ .Values.s3.certificateSecret }} + {{- end }} + {{- if .Values.containerregistry.enabled }} + - name: REGISTRY_CERTIFICATE_SECRET + value: "epinio-registry-tls" + {{- else if .Values.containerregistry.certificateSecret }} + - name: REGISTRY_CERTIFICATE_SECRET + value: {{ .Values.containerregistry.certificateSecret }} + {{- end }} + {{- if .Values.server.ingressClassName }} + - name: INGRESS_CLASS_NAME + value: "{{ .Values.server.ingressClassName }}" + {{- else if .Values.ingress.ingressClassName }} + - name: INGRESS_CLASS_NAME + value: "{{ .Values.ingress.ingressClassName }}" + {{- end }} + {{- if .Values.server.stagingServiceAccountName }} + - name: STAGING_SERVICE_ACCOUNT_NAME + value: "{{ .Values.server.stagingServiceAccountName }}" + {{- end }} + {{- with .Values.server.stagingResourceRequests }} + {{- with .cpu }} + - name: STAGING_RESOURCE_CPU + value: "{{ . }}" + {{- end }} + {{- with .memory }} + - name: STAGING_RESOURCE_MEMORY + value: "{{ . }}" + {{- end }} + {{- end }} + {{- if .Values.extraEnv }} + {{- toYaml .Values.extraEnv | nindent 12 -}} + {{- end }} + image: "{{ default .Values.image.epinio.registry (include "registry-url" .) }}{{ .Values.image.epinio.repository }}:{{ default .Chart.AppVersion .Values.image.epinio.tag }}" + livenessProbe: + httpGet: + path: /ready + port: 8030 + name: epinio-server + ports: + - containerPort: 8030 + volumeMounts: + - name: asset-volume + mountPath: /assets + - name: tmp-volume + mountPath: /tmp + - name: image-export-volume + mountPath: /image-export +{{- if .Values.global.dex.enabled }} + - name: dex-tls + mountPath: /etc/ssl/certs/dex-tls.pem + subPath: tls.crt +{{- end }} + readinessProbe: + httpGet: + path: /ready + port: 8030 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: image-export-pvc + namespace: {{ .Release.Namespace }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: epinio + app.kubernetes.io/instance: default + app.kubernetes.io/name: epinio-server + app.kubernetes.io/part-of: epinio + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: epinio-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8030 + selector: + app.kubernetes.io/name: epinio-server diff --git a/charts/epinio/102.0.4+up1.9.0/templates/service-catalog.yaml b/charts/epinio/102.0.4+up1.9.0/templates/service-catalog.yaml new file mode 100644 index 0000000000..7391c9c382 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/service-catalog.yaml @@ -0,0 +1,118 @@ +# These are three simple Services to fill the Service Catalog +{{ if .Values.serviceCatalog.enableDevServices }} +--- +apiVersion: application.epinio.io/v1 +kind: Service +metadata: + name: postgresql-dev + namespace: {{ .Release.Namespace }} +spec: + name: postgresql-dev + shortDescription: A PostgreSQL service that can be used during development + description: | + This service is going to deploy a simple default Bitnami PostreSQL db instance. + You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/postgresql/. + This database is running inside the cluster so it's probably not a good choice for production + environments, at least with this default configuration. + chart: postgresql + chartVersion: 12.1.6 + serviceIcon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png + appVersion: 15.1.0 + helmRepo: + name: bitnami + url: "https://charts.bitnami.com/bitnami" + values: |- + {{- template "epinio.catalog-service-values" . }} +--- +apiVersion: application.epinio.io/v1 +kind: Service +metadata: + name: mysql-dev + namespace: {{ .Release.Namespace }} +spec: + name: mysql-dev + shortDescription: A MySQL service that can be used during development + description: | + This service is going to deploy a simple default Bitnami MySQL db instance. + You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/mysql/. + This database is running inside the cluster so it's probably not a good choice for production + environments, at least with this default configuration. + chart: mysql + chartVersion: 9.4.5 + serviceIcon: https://bitnami.com/assets/stacks/mysql/img/mysql-stack-220x234.png + appVersion: 8.0.31 + helmRepo: + name: bitnami + url: "https://charts.bitnami.com/bitnami" + values: |- + {{- template "epinio.catalog-service-values" . }} +--- +apiVersion: application.epinio.io/v1 +kind: Service +metadata: + name: redis-dev + namespace: {{ .Release.Namespace }} +spec: + name: redis-dev + shortDescription: A Redis service that can be used during development + description: | + This service is going to deploy a simple default Bitnami Redis instance. + You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/redis/. + This database is running inside the cluster so it's probably not a good choice for production + environments, at least with this default configuration. + chart: redis + chartVersion: 17.3.17 + serviceIcon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png + appVersion: 7.0.7 + helmRepo: + name: bitnami + url: "https://charts.bitnami.com/bitnami" + values: |- + {{- template "epinio.catalog-service-values" . }} +--- +apiVersion: application.epinio.io/v1 +kind: Service +metadata: + name: rabbitmq-dev + namespace: {{ .Release.Namespace }} +spec: + name: rabbitmq-dev + shortDescription: A RabbitMQ service that can be used during development + description: | + This service is going to deploy a simple default Bitnami RabbitMQ instance. + You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq/. + This instance is running inside the cluster so it's probably not a good choice for production + environments, at least with this default configuration. + chart: rabbitmq + chartVersion: 11.2.2 + serviceIcon: https://bitnami.com/assets/stacks/rabbitmq/img/rabbitmq-stack-220x234.png + appVersion: 3.11.5 + helmRepo: + name: bitnami + url: https://charts.bitnami.com/bitnami + values: |- + {{- template "epinio.catalog-service-values" . }} +--- +apiVersion: application.epinio.io/v1 +kind: Service +metadata: + name: mongodb-dev + namespace: {{ .Release.Namespace }} +spec: + name: mongodb-dev + shortDescription: A MongoDB service that can be used during development + description: | + This service is going to deploy a simple default Bitnami MongoDB instance. + You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/mongodb/. + This instance is running inside the cluster so it's probably not a good choice for production + environments, at least with this default configuration. + chart: mongodb + chartVersion: 13.6.2 + serviceIcon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png + appVersion: 6.0.3 + helmRepo: + name: bitnami + url: https://charts.bitnami.com/bitnami + values: |- + {{- template "epinio.catalog-service-values" . }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/stage-scripts.yaml b/charts/epinio/102.0.4+up1.9.0/templates/stage-scripts.yaml new file mode 100644 index 0000000000..4c17f53253 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/stage-scripts.yaml @@ -0,0 +1,99 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: epinio-stage-scripts + namespace: {{ .Release.Namespace }} +data: + builderImage: "{{ default .Values.image.builder.registry (include "registry-url" .) }}{{ .Values.image.builder.repository}}:{{ .Values.image.builder.tag }}" + downloadImage: "{{ default .Values.image.awscli.registry (include "registry-url" .) }}{{ .Values.image.awscli.repository}}:{{ .Values.image.awscli.tag }}" + unpackImage: "{{ default .Values.image.bash.registry (include "registry-url" .) }}{{ .Values.image.bash.repository}}:{{ default .Chart.AppVersion .Values.image.bash.tag }}" + download: |- + # Parameters + # - PROTOCOL # s3 protocol + # - ENDPOINT # s3 endpoint + # - BUCKET # s3 bucket + # - BLOBID # blob id / file name for source archive + # + # This data is set in the chart only for an external s3. For + # internal s3 the chart has no information. Therefore we cannot + # use helm templating to insert these. + echo By _ _ __ ___ _____ $(whoami) $(pwd) + cat /etc/ssl/certs/ca-bundle.crt > /tmp/ca-bundle.pem + test -f /certs/ca.crt && cat /certs/ca.crt >> /tmp/ca-bundle.pem + test -f /certs/tls.crt && cat /certs/tls.crt >> /tmp/ca-bundle.pem + aws --ca-bundle /tmp/ca-bundle.pem --endpoint-url "${PROTOCOL}://${ENDPOINT}" s3 cp "s3://${BUCKET}/${BLOBID}" "/workspace/source/${BLOBID}" + echo _ _ __ ___ _____ Done + unpack: |- + # Parameters + # - BLOBID # blob id / file name for source archive + # + # Attempting to unpack the sources as, in order: + # .tar - epinio cli + # .zip - epinio UI + # -z .tar.gz + # -j .tar.bz2 + # -J .tar.xz + # + # __Note__: While it would have been nicer, IMNSHO, to use `file` to determine the + # type of the file and then directly dispatch to the proper unpacker, the `file` + # command is not available in the `bash` image. The code as written now relies on each + # unpacker to recognize/reject input properly. + # + echo By _ _ __ ___ _____ $(whoami) $(pwd) + if test ! -f "/workspace/source/${BLOBID}" ; then + echo Nothing to unpack + exit + fi + mkdir /workspace/source/app + ( cd /workspace/source/app + ( echo Tar? ; tar -xvf "../${BLOBID}" ) || \ + ( echo Zip? ; unzip "../${BLOBID}" ) || \ + ( echo Tgz? ; tar -xvzf "../${BLOBID}" ) || \ + ( echo Tbz? ; tar -xvjf "../${BLOBID}" ) || \ + ( echo Txz? ; tar -xvJf "../${BLOBID}" ) || \ + ( echo "Unable to unpack. No supported archive file format found" ; exit 1 ) + echo OK + ) + rm "/workspace/source/${BLOBID}" + mkdir -p /workspace/source/env + cp -vL /workspace/source/appenv/* /workspace/source/env + chown -R 1000:1000 /workspace 2> /dev/null + find /workspace + echo _ _ __ ___ _____ Done + build: |- + # Important doc references + # - BP general: https://github.com/buildpacks/spec/blob/main/platform.md + # - Env setup.: https://github.com/buildpacks/spec/blob/main/platform.md#user-provided-variables + # Parameters + # - PREIMAGE # url of previous image + # - APPIMAGE # url of application image + # + # ATTENTION: The `curl localhost:4191` command is used to stop the linkerd proxy + # container gracefully. We use `|| true` in case linkerd is not deployed. Further, it + # is placed into a trap to ensure that it will always run, even for a staging failure. + # Error output generated when linkerd is not present/up is squashed (dev/null). + # These messages are irrelevant, the situation is not an error, and allowing them through + # would confuse users (readers of app staging logs). + set -e + trap "curl -X POST http://localhost:4191/shutdown 2> /dev/null || true" EXIT + echo By _ _ __ ___ _____ $(whoami) $(pwd) + if test ! -d "/workspace/source/app" ; then + echo Nothing to build + sleep 60 # linkerd is a pain - If we exit to quickly, with the sidecar not ready our curl to shut it down does nothing, and then the sidecar comes up and prevents the pod from ending + exit 1 + fi + find /workspace + for path in /workspace/source/env/* ; do export $(basename ${path})=$(cat $path) ; done + /cnb/lifecycle/creator \ + -app=/workspace/source/app \ + -cache-dir=/workspace/cache \ + -uid=1000 \ + -gid=1000 \ + -layers=/layers \ + -platform=/workspace/source \ + -report=/layers/report.toml \ + -process-type=web \ + -skip-restore=false \ + "-previous-image=${PREIMAGE}" \ + "${APPIMAGE}" + echo _ _ __ ___ _____ Done diff --git a/charts/epinio/102.0.4+up1.9.0/templates/ui/certificate.yaml b/charts/epinio/102.0.4+up1.9.0/templates/ui/certificate.yaml new file mode 100644 index 0000000000..87f2c5e993 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/ui/certificate.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.epinioUI.enabled .Values.epinioUI.ingress.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: epinio-ui + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - {{ .Values.global.domain }} + issuerRef: + kind: ClusterIssuer + name: {{ .Values.global.tlsIssuer }} + secretName: epinio-ui-tls +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/ui/deployment.yaml b/charts/epinio/102.0.4+up1.9.0/templates/ui/deployment.yaml new file mode 100644 index 0000000000..20a2d9128c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/ui/deployment.yaml @@ -0,0 +1,121 @@ +{{- if .Values.epinioUI.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: epinio-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: epinio-ui + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: epinio-ui + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: epinio-ui + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +{{- if .Values.global.rbac.pspEnabled }} + serviceAccountName: epinio-ui +{{- end }} +{{- end }} + containers: + - name: epinio-ui + {{ $epinioUiImage := index .Values "image" "epinio-ui" -}} + image: "{{ default $epinioUiImage.registry (include "registry-url" .) }}{{ $epinioUiImage.repository }}:{{ $epinioUiImage.tag }}" + imagePullPolicy: {{ .Values.epinioUI.imagePullPolicy }} + workingDir: /db + + env: + - name: ALLOWED_ORIGINS + value: {{ default (printf "https://epinio.%s" .Values.global.domain) .Values.epinioUI.allowedOrigins }} + - name: EPINIO_API_URL + value: {{ default (printf "http://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioUI.apiURL }} + - name: EPINIO_WSS_URL + value: {{ default (printf "ws://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioUI.wssURL }} + - name: EPINIO_UI_URL + value: {{ default (printf "https://epinio.%s" .Values.global.domain) .Values.epinioUI.uiURL }} + - name: EPINIO_API_SKIP_SSL + value: {{ (default "false" .Values.epinioUI.apiSkipSSL) | quote }} + - name: EPINIO_THEME + value: {{ (default "light" .Values.epinioUI.theme) | quote }} + {{- if .Values.global.dex.enabled }} + - name: EPINIO_DEX_AUTH_URL + value: {{ default (printf "http://dex.%s.svc.cluster.local:5556" .Release.Namespace) .Values.epinioUI.dexURL }} + - name: EPINIO_DEX_ISSUER + value: {{ printf "https://auth.%s" .Values.global.domain }} + - name: EPINIO_DEX_ENABLED + value: "true" + - name: EPINIO_DEX_SECRET + valueFrom: + secretKeyRef: + name: dex-config + key: uiClientSecret + {{- end }} + - name: HTTP_CLIENT_TIMEOUT_IN_SECS + value: "120" + - name: SESSION_STORE_SECRET + valueFrom: + secretKeyRef: + name: epinio-ui + key: sessionSecret + - name: SESSION_STORE_EXPIRY + value: "1440" + - name: UI_PATH + value: "/ui" + - name: AUTH_ENDPOINT_TYPE + value: epinio + - name: ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: epinio-ui + key: encryptionKey + + - name: DATABASE_PROVIDER + value: sqlite + - name: HTTPS + value: "false" + - name: CONSOLE_PROXY_TLS_ADDRESS + value: 0.0.0.0:8000 + - name: LOG_LEVEL + value: {{ .Values.epinioUI.logLevel | quote }} + volumeMounts: + - name: tmp + mountPath: /tmp + readOnly: false + - name: db + mountPath: /db + readOnly: false + + securityContext: + runAsUser: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + livenessProbe: + tcpSocket: + port: 8000 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + tcpSocket: + port: 8000 + initialDelaySeconds: 5 + periodSeconds: 5 + volumes: + - name: tmp + emptyDir: {} + - name: db + emptyDir: {} + +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/ui/ingress.yaml b/charts/epinio/102.0.4+up1.9.0/templates/ui/ingress.yaml new file mode 100644 index 0000000000..6ebd31ca55 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/ui/ingress.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.epinioUI.enabled .Values.epinioUI.ingress.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" + name: epinio-ui + namespace: {{ .Release.Namespace }} +spec: + {{- if .Values.epinioUI.ingress.ingressClassName }} + ingressClassName: "{{ .Values.ingress.ingressClassName }}" + {{- end }} + rules: + - host: {{ .Values.global.domain }} + http: + paths: + - backend: + service: + name: epinio-ui + port: + number: 80 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - {{ .Values.global.domain }} + secretName: epinio-ui-tls +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/ui/secret.yaml b/charts/epinio/102.0.4+up1.9.0/templates/ui/secret.yaml new file mode 100644 index 0000000000..6d10abe656 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/ui/secret.yaml @@ -0,0 +1,17 @@ +{{- if .Values.epinioUI.enabled }} + +{{- $secret := (lookup "v1" "Secret" .Release.Namespace "epinio-ui").data -}} +{{- $encryptionKey := empty $secret | ternary (printf "%x" (randAscii 32)) (b64dec (default "" $secret.encryptionKey)) -}} +{{- $sessionSecret := empty $secret | ternary (randAlphaNum 16) (b64dec (default "" $secret.sessionSecret)) -}} + +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: epinio-ui + namespace: {{ .Release.Namespace }} +stringData: + encryptionKey: {{ $encryptionKey }} + sessionSecret: {{ $sessionSecret }} +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/ui/security.yaml b/charts/epinio/102.0.4+up1.9.0/templates/ui/security.yaml new file mode 100644 index 0000000000..1ef8bc5c16 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/ui/security.yaml @@ -0,0 +1,90 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}} +{{- if .Values.global.rbac.pspEnabled }} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: epinio-ui + namespace: {{ .Release.Namespace }} + +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: epinio-ui-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: epinio-ui + app: epinio-ui +{{- if .Values.global.rbac.pspAnnotations }} + annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }} +{{- end }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: epinio-ui-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: epinio-ui + app: epinio-ui +rules: +{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - epinio-ui-psp + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: epinio-ui-psp + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" + app.kubernetes.io/part-of: epinio-ui + app: epinio-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: epinio-ui-psp +subjects: + - kind: ServiceAccount + name: epinio-ui + namespace: {{ .Release.Namespace }} + +{{- end }} +{{- end -}} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/ui/service.yaml b/charts/epinio/102.0.4+up1.9.0/templates/ui/service.yaml new file mode 100644 index 0000000000..27b10fd932 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/ui/service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.epinioUI.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: epinio-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: epinio-ui + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.epinioUI.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: epinio-ui + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + - name: ui + port: 80 + targetPort: 8000 +{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/templates/validate-cert-manager-crd.yaml b/charts/epinio/102.0.4+up1.9.0/templates/validate-cert-manager-crd.yaml new file mode 100644 index 0000000000..87e12c558c --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/validate-cert-manager-crd.yaml @@ -0,0 +1,19 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "acme.cert-manager.io/v1/Challenge" false -}} +# {{- set $found "acme.cert-manager.io/v1/Order" false -}} +# {{- set $found "cert-manager.io/v1/CertificateRequest" false -}} +# {{- set $found "cert-manager.io/v1/Certificate" false -}} +# {{- set $found "cert-manager.io/v1/ClusterIssuer" false -}} +# {{- set $found "cert-manager.io/v1/Issuer" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/epinio/102.0.4+up1.9.0/templates/validate-install-crd.yaml b/charts/epinio/102.0.4+up1.9.0/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..afa6e4fb4d --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/validate-install-crd.yaml @@ -0,0 +1,16 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "application.epinio.io/v1/App" false -}} +# {{- set $found "application.epinio.io/v1/AppChart" false -}} +# {{- set $found "application.epinio.io/v1/Service" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/epinio/102.0.4+up1.9.0/templates/validate-psp-install.yaml b/charts/epinio/102.0.4+up1.9.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..28adb785e2 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.rbac.pspEnabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/epinio/102.0.4+up1.9.0/values.schema.json b/charts/epinio/102.0.4+up1.9.0/values.schema.json new file mode 100644 index 0000000000..477cef9ef5 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/values.schema.json @@ -0,0 +1,506 @@ +{ + "$schema": "https://json-schema.org/draft-07/schema#", + "title": "Values", + "type": "object", + "properties": { + "image": { + "type": "object", + "properties": { + "epinio": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "bash": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "awscli": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "kubectl": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + } + } + }, + "server": { + "description": "server configuration", + "type": "object", + "properties": { + "accessControlAllowOrigin": { + "type": "string" + }, + "timeoutMultiplier": { + "type": "integer" + }, + "traceLevel": { + "type": "integer" + }, + "disableTracking": { + "type": "boolean" + }, + "registryCertificateSecret": { + "type": "string" + }, + "ingressClassName": { + "type": "string" + }, + "stagingServiceAccountName": { + "type": "string" + }, + "stagingResourceRequests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "ingress": { + "ingressClassName": { + "type": "string" + }, + "annotations": { + "type": "object" + }, + "nginxSSLRedirect": { + "type": "string" + } + }, + "s3": { + "description": "s3 connection details", + "type": "object", + "properties": { + "endpoint": { + "type": "string" + }, + "bucket": { + "type": "string" + }, + "region": { + "type": "string" + }, + "accessKeyID": { + "type": "string" + }, + "secretAccessKey": { + "type": "string" + }, + "certificateSecret": { + "type": "string" + }, + "useSSL": { + "type": "boolean" + } + }, + "required": [ + "endpoint", + "bucket", + "accessKeyID", + "secretAccessKey" + ] + }, + "api": { + "description": "API access configuration", + "type": "object", + "properties": { + "users": { + "description": "Default Epinio users", + "type": "array", + "items": { + "type": "object", + "properties": { + "username": { + "type": "string" + }, + "passwordBcrypt": { + "type": "string" + }, + "role": { + "type": "string" + }, + "workspaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "username", + "passwordBcrypt", + "role" + ] + } + } + } + }, + "certManagerNamespace": { + "description": "the namespace there cert-manager controller is deployed", + "type": "string" + }, + "domain": { + "description": "the domain that will be used to access the Epinio API", + "type": "string" + }, + "global": { + "type": "object", + "properties": { + "cattle": { + "type": "object", + "properties": { + "systemDefaultRegistry": { + "type": "string" + } + } + }, + "domain": { + "type": "string" + }, + "tlsIssuer": { + "type": "string" + }, + "tlsIssuerMail": { + "type": "string" + }, + "registryURL": { + "type": "string" + }, + "registryUsername": { + "type": "string" + }, + "registryPassword": { + "type": "string" + }, + "registryNamespace": { + "type": "string" + } + }, + "required": [ + "domain" + ] + }, + "containerregistry": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "nginx": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "registry": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + } + }, + "required": [ + "nginx", + "registry" + ] + }, + "imagePullPolicy": { + "type": "string" + }, + "ingressClassName": { + "type": "string" + } + }, + "required": [ + "enabled", + "image", + "imagePullPolicy", + "ingressClassName" + ] + }, + "dex": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "configSecret": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "required": [ + "create", + "name" + ] + } + }, + "required": [ + "configSecret", + "fullnameOverride" + ] + }, + "epinio-ui": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "ingress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ] + } + }, + "required": [ + "enabled", + "ingress" + ] + }, + "kubed": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "enableAnalytics": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + } + }, + "required": [ + "enabled", + "enableAnalytics", + "fullnameOverride" + ] + }, + "minio": { + "type": "object", + "properties": { + "drivesPerNode": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "existingSecret": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "makeUserJob": { + "type": "object", + "properties": { + "podAnnotations": { + "type": "object" + } + }, + "required": [ + "podAnnotations" + ] + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + }, + "required": [ + "size" + ] + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string" + } + }, + "required": [ + "memory" + ] + } + }, + "required": [ + "requests" + ] + }, + "tls": { + "type": "object", + "properties": { + "certSecret": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "privateKey": { + "type": "string" + }, + "publicCrt": { + "type": "string" + } + }, + "required": [ + "certSecret", + "enabled", + "privateKey", + "publicCrt" + ] + } + }, + "required": [ + "drivesPerNode", + "enabled", + "existingSecret", + "fullnameOverride", + "makeUserJob", + "persistence", + "replicas", + "resources", + "tls" + ] + }, + "s3gw": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "ingress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ] + }, + "ui": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ] + }, + "serviceName": { + "type": "string" + }, + "useExistingSecret": { + "type": "boolean" + }, + "storageSize": { + "type": "string" + }, + "storageClass": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "required": [ + "create", + "name" + ] + } + }, + "required": [ + "enabled", + "ingress", + "ui", + "serviceName", + "useExistingSecret", + "storageSize", + "storageClass" + ] + } + }, + "required": [ + "certManagerNamespace", + "s3" + ] +} diff --git a/charts/epinio/102.0.4+up1.9.0/values.yaml b/charts/epinio/102.0.4+up1.9.0/values.yaml new file mode 100644 index 0000000000..0c31b0bbd1 --- /dev/null +++ b/charts/epinio/102.0.4+up1.9.0/values.yaml @@ -0,0 +1,216 @@ +## Default values for Epinio Helm Chart. +## This is a YAML-formatted file. +## Declare variables to be passed into your templates. +# Fall back email address to receive notifications from the `letsencrypt-production` issuer. +# +# __SUPERCEDED__ by `global.tlsIssuerMail`. +# +# Kept for backward compatibility, here and in the templates. +email: "epinio@suse.com" +image: + epinio: + repository: rancher/mirrored-epinio-epinio-server + tag: v1.9.0 + epinio-ui: + repository: rancher/mirrored-epinio-epinio-ui + tag: v1.9.0-0.0.3 + bash: + repository: rancher/mirrored-epinio-epinio-unpacker + tag: v1.9.0 + awscli: + repository: rancher/mirrored-amazon-aws-cli + tag: 2.9.14 + skopeo: + repository: rancher/mirrored-skopeo-skopeo + tag: v1.10.0 + kubectl: + repository: rancher/kubectl + tag: v1.22.6 + builder: + repository: rancher/mirrored-paketobuildpacks-builder + tag: 0.2.441-full +appChart: + default: /assets/epinio-application-0.1.26.tgz +server: + # Domain which serves the Rancher UI (to access the API) + accessControlAllowOrigin: "" + # increase this value to increase all timeouts by the same factor + timeoutMultiplier: 1 + # Increase this value to instruct the API server to produce more debug output + traceLevel: 0 + # The ingressClassName is used to select the ingress controller for apps. + # If empty ingress.ingressClassName (see below) is used + ingressClassName: "" + # Disable tracking of the Epinio and Kubernetes cluster version + disableTracking: false + # Name of the Service Account used by the staging job + stagingServiceAccountName: "" + # Resources to allocate to the staging job. Default: unbounded + stagingResourceRequests: + cpu: "" + memory: "" +ingress: + # The ingressClassName is used to select the ingress controller for the server. If empty no class will be added to the ingresses. + ingressClassName: "" + # Annotations to add to the API ingress + # e.g.: --set 'ingress.annotations.nginx\.ingress\.kubernetes\.io/ssl-redirect=false' + annotations: {} + # nginxSSLRedirect to controll https->http redirects + nginxSSLRedirect: "true" +service: + # -- Annotations to be added to the Epinio service. + annotations: {} +# The strategy used to deploy the Epinio server. +# If you are using a RWO storage the following will avoid a Multi-Attach error during an `helm upgrade`. +# See https://github.com/epinio/epinio/issues/2253. +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +certManagerNamespace: cert-manager +# Connection details for the S3 storage +s3: + endpoint: s3.amazonaws.com + bucket: "epinio" + region: "" + accessKeyID: "" + secretAccessKey: "" + useSSL: true + # Set it to an existing secret if S3 is using a self signed cert + certificateSecret: "" +api: + # Default users + users: + - username: admin + passwordBcrypt: "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS" + role: admin + - username: epinio + passwordBcrypt: "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS" + role: user + workspaces: + - workspace +# Dex subchart values -- None for now, and sub chart disabled +dex: + # hardcode this, to avoid problems with release name + fullnameOverride: "dex" + configSecret: + create: false + name: "dex-config" + ui: + # secret should be supplied by dex automatically, this is just a fall back + secret: "" + # Defaults to https://epinio.{{ .Values.global.domain }}/auth/verify/ + redirectURI: "" + service: + # -- Annotations to be added to the Epinio service. + annotations: {} +# Extra environment variables passed to the epinio-server pod. +# extraEnv: +# - name: MY_ENV_VAR +# value: "1.0" +# Minio subchart values +minio: + enabled: true + # hardcode this, to avoid problems with release name + fullnameOverride: minio + existingSecret: minio-creds + tls: + enabled: true + certSecret: minio-tls + publicCrt: tls.crt + privateKey: tls.key + persistence: + size: 2Gi + drivesPerNode: 4 + replicas: 1 + resources: + requests: + memory: 1Gi + makeUserJob: + podAnnotations: + linkerd.io/inject: disabled +epinioUI: + enabled: true + # UI theme, either 'light' or 'dark' + theme: light + imagePullPolicy: IfNotPresent + # API URL of epinio instance, for proxied connections, defaults to http://epinio-server.%s.svc.cluster.local" + apiURL: "" + wssURL: "" + dexURL: "" + uiURL: "" + # Skip checking for valid SSL cert when making requests to `EPINIO_API_URL` + apiSkipSSL: "true" + logLevel: info + # Domain that will serve the UI and be the origin of browser requests, used by CORS process + allowedOrigins: "" + ingress: + enabled: false + # The ingressClassName is used to select the ingress controller. If empty no class will be added to the ingresses. + ingressClassName: "" + service: + # -- Annotations to be added to the service. + annotations: {} +kubed: + enabled: true + fullnameOverride: kubed + enableAnalytics: false +# s3gw subchart values +s3gw: + enabled: false + ingress: + enabled: false + ui: + enabled: false + serviceName: s3gw + useExistingSecret: true + defaultUserCredentialsSecret: s3gw-creds + storageSize: 2Gi + storageClass: + create: false + name: "" +containerregistry: + enabled: true + image: + registry: + repository: rancher/mirrored-library-registry + tag: 2.8.1 + nginx: + repository: rancher/mirrored-library-nginx + tag: 1.23.2-alpine + imagePullPolicy: IfNotPresent + # The ingressClassName is used to select the ingress controller. If + # empty no class will be added to the ingresses. + ingressClassName: "" + # The certificateSecret is used to load the certificate of the registry in the staging job. + # The certificate has to be in PEM format within in a 'tls.crt' key (it can be an Opaque secret). + # It also has to be trusted by the kubelet, and it needs to be added in the cluster as well. + certificateSecret: "" +serviceCatalog: + # Enable service catalog service for development + enableDevServices: true +global: + rbac: + pspEnabled: false + dex: + enabled: true + # The domain that will be used to access the epinio API server and the registry + domain: "" + # Connection details for the container registry. + # Skip if containerregistry.enabled is true + registryURL: "" + registryUsername: "admin" + registryPassword: "changeme" + # Used in registry path when pushing -> "external.tld/apps/APPNAME" + registryNamespace: "apps" + # The name of the cluster issuer to use. + # Epinio creates three options: 'epinio-ca', 'letsencrypt-production', and 'selfsigned-issuer'. + tlsIssuer: "epinio-ca" + # Email address to receive the certificate notification emails send by the `letsencrypt-production` issuer. + tlsIssuerEmail: "epinio@suse.com" + # The URL of the container registry from where to pull container images for the various + # created Pods. Don't confuse this registry with the "Epinio registry" which is the one + # where Epinio stores the application images. + cattle: + systemDefaultRegistry: "" diff --git a/index.yaml b/index.yaml index 68d97372fa..7c0cc28b61 100755 --- a/index.yaml +++ b/index.yaml @@ -1,6 +1,61 @@ apiVersion: v1 entries: epinio: + - annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + catalog.cattle.io/auto-install: epinio-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Epinio + catalog.cattle.io/experimental: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-epinio-system + catalog.cattle.io/permits-os: linux + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: epinio + catalog.cattle.io/type: app + catalog.cattle.io/upstream-version: 1.9.0 + apiVersion: v2 + appVersion: v1.9.0 + created: "2023-07-25T13:57:01.838813997+02:00" + dependencies: + - condition: global.dex.enabled + name: dex + repository: file://./charts/dex + tags: + - dex + - condition: kubed.enabled, global.kubed.enabled + name: kubed + repository: file://./charts/kubed + tags: + - kubed + - condition: minio.enabled, global.minio.enabled + name: minio + repository: file://./charts/minio + tags: + - minio + - condition: s3gw.enabled, global.s3gw.enabled + name: s3gw + repository: file://./charts/s3gw + tags: + - s3gw + description: Epinio deploys Kubernetes applications directly from source code + in one step. + digest: 553ab5adf47549107e205a2dddf5d362189f525757ef8a69a0bb4d365fe5afa5 + home: https://github.com/epinio/epinio + icon: https://charts.rancher.io/assets/logos/epinio.svg + keywords: + - epinio + - paas + maintainers: + - email: team@epinio.io + name: SUSE + name: epinio + sources: + - https://github.com/epinio/epinio + urls: + - assets/epinio/epinio-102.0.4+up1.9.0.tgz + version: 102.0.4+up1.9.0 - annotations: artifacthub.io/license: Apache-2.0 catalog.cattle.io/auto-install: epinio-crd=match @@ -56,6 +111,20 @@ entries: - assets/epinio/epinio-102.0.3+up1.8.1.tgz version: 102.0.3+up1.8.1 epinio-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-epinio-system + catalog.cattle.io/release-name: epinio-crd + apiVersion: v2 + created: "2023-07-25T13:57:01.839703523+02:00" + description: Installs the CRDs for Epinio. + digest: 6704572ee09b773d99c97c441d25350c1193ef9ded8ecc9f652f430ddbab7321 + name: epinio-crd + type: application + urls: + - assets/epinio-crd/epinio-crd-102.0.4+up1.9.0.tgz + version: 102.0.4+up1.9.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index de0dbd42ed..aae68b261c 100644 --- a/release.yaml +++ b/release.yaml @@ -3,11 +3,13 @@ epinio: - 100.0.5+up1.6.2 - 102.0.1+up1.6.2 - 102.0.3+up1.8.1 +- 102.0.4+up1.9.0 epinio-crd: - 100.0.0+up1.2.1 - 100.0.5+up1.6.2 - 102.0.1+up1.6.2 - 102.0.3+up1.8.1 +- 102.0.4+up1.9.0 fleet: - 102.1.0+up0.7.0 - 102.2.0+up0.8.0-rc.5