diff --git a/assets/elemental-crd/elemental-crd-104.2.1+up1.6.5.tgz b/assets/elemental-crd/elemental-crd-104.2.1+up1.6.5.tgz new file mode 100644 index 0000000000..754c9f5d50 Binary files /dev/null and b/assets/elemental-crd/elemental-crd-104.2.1+up1.6.5.tgz differ diff --git a/assets/elemental/elemental-104.2.1+up1.6.5.tgz b/assets/elemental/elemental-104.2.1+up1.6.5.tgz new file mode 100644 index 0000000000..658fb751f5 Binary files /dev/null and b/assets/elemental/elemental-104.2.1+up1.6.5.tgz differ diff --git a/assets/fleet-agent/fleet-agent-104.1.1+up0.10.5.tgz b/assets/fleet-agent/fleet-agent-104.1.1+up0.10.5.tgz new file mode 100644 index 0000000000..598b1a875b Binary files /dev/null and b/assets/fleet-agent/fleet-agent-104.1.1+up0.10.5.tgz differ diff --git a/assets/fleet-crd/fleet-crd-104.1.1+up0.10.5.tgz b/assets/fleet-crd/fleet-crd-104.1.1+up0.10.5.tgz new file mode 100644 index 0000000000..c9b6ec6e30 Binary files /dev/null and b/assets/fleet-crd/fleet-crd-104.1.1+up0.10.5.tgz differ diff --git a/assets/fleet/fleet-104.1.1+up0.10.5.tgz b/assets/fleet/fleet-104.1.1+up0.10.5.tgz new file mode 100644 index 0000000000..236d401922 Binary files /dev/null and b/assets/fleet/fleet-104.1.1+up0.10.5.tgz differ diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-104.0.1+up3.13.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-104.0.1+up3.13.0.tgz new file mode 100644 index 0000000000..c9395ba422 Binary files /dev/null and b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-104.0.1+up3.13.0.tgz differ diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-104.0.1+up3.13.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-104.0.1+up3.13.0.tgz new file mode 100644 index 0000000000..9334b0abfb Binary files /dev/null and b/assets/rancher-gatekeeper/rancher-gatekeeper-104.0.1+up3.13.0.tgz differ diff --git a/assets/rancher-istio/rancher-istio-104.4.1+up1.22.1.tgz b/assets/rancher-istio/rancher-istio-104.4.1+up1.22.1.tgz new file mode 100644 index 0000000000..106f04b808 Binary files /dev/null and b/assets/rancher-istio/rancher-istio-104.4.1+up1.22.1.tgz differ diff --git a/assets/rancher-istio/rancher-istio-104.5.0+up1.23.2.tgz b/assets/rancher-istio/rancher-istio-104.5.0+up1.23.2.tgz new file mode 100644 index 0000000000..852f3a44d1 Binary files /dev/null and b/assets/rancher-istio/rancher-istio-104.5.0+up1.23.2.tgz differ diff --git a/charts/elemental-crd/104.2.1+up1.6.5/Chart.yaml b/charts/elemental-crd/104.2.1+up1.6.5/Chart.yaml new file mode 100644 index 0000000000..2a33a4d20e --- /dev/null +++ b/charts/elemental-crd/104.2.1+up1.6.5/Chart.yaml @@ -0,0 +1,11 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-elemental-system + catalog.cattle.io/release-name: elemental-operator-crds +apiVersion: v2 +appVersion: 1.6.5 +description: A Helm chart for deploying Rancher Elemental Operator CRDs +name: elemental-crd +type: application +version: 104.2.1+up1.6.5 diff --git a/charts/elemental-crd/104.2.1+up1.6.5/templates/crds.yaml b/charts/elemental-crd/104.2.1+up1.6.5/templates/crds.yaml new file mode 100644 index 0000000000..8746409480 --- /dev/null +++ b/charts/elemental-crd/104.2.1+up1.6.5/templates/crds.yaml @@ -0,0 +1,3747 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: machineinventories.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: MachineInventory + listKind: MachineInventoryList + plural: machineinventories + singular: machineinventory + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + machineHash: + description: |- + MachineHash the hash of the identifier used by the host to identify + to the operator. This is used when the host authenticates without TPM. + Both the authentication method and the identifier used to derive the hash + depend upon the MachineRegistration spec.config.elemental.registration.auth value. + type: string + tpmHash: + description: |- + TPMHash the hash of the TPM EK public key. This is used if you are + using TPM2 to identifiy nodes. You can obtain the TPM by + running `rancherd get-tpm-hash` on the node. Or nodes can + report their TPM hash by using the MachineRegister. + type: string + type: object + status: + properties: + conditions: + description: Conditions describe the state of the machine inventory + object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + plan: + description: PlanStatus reflect the status of the plan owned by the + machine inventory object. + properties: + checksum: + description: Checksum checksum of the created plan. + type: string + secretRef: + description: PlanSecretRef a reference to the created plan secret. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + state: + description: State reflect state of the plan that belongs to the + machine inventory. + enum: + - Applied + - Failed + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: machineinventoryselectors.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: MachineInventorySelector + listKind: MachineInventorySelectorList + plural: machineinventoryselectors + singular: machineinventoryselector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + providerID: + description: |- + ProviderID the identifier for the elemental instance. + NOTE: Functionality not implemented yet. + type: string + selector: + description: Selector selector to choose elemental machines. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + status: + properties: + addresses: + description: Addresses represent machine addresses. + items: + description: MachineAddress contains information for the node's + address. + properties: + address: + description: The machine address. + type: string + type: + description: Machine address type, one of Hostname, ExternalIP, + InternalIP, ExternalDNS or InternalDNS. + type: string + required: + - address + - type + type: object + type: array + bootstrapPlanChecksum: + description: BootstrapPlanChecksum represent bootstrap plan checksum. + type: string + conditions: + description: Conditions describe the state of the machine selector + object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + machineInventoryRef: + description: MachineInventoryRef reference to the machine inventory + that belongs to the selector. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + ready: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: machineinventoryselectortemplates.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: MachineInventorySelectorTemplate + listKind: MachineInventorySelectorTemplateList + plural: machineinventoryselectortemplates + singular: machineinventoryselectortemplate + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + template: + description: Template machine inventory selector template. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + providerID: + description: |- + ProviderID the identifier for the elemental instance. + NOTE: Functionality not implemented yet. + type: string + selector: + description: Selector selector to choose elemental machines. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + status: + properties: + addresses: + description: Addresses represent machine addresses. + items: + description: MachineAddress contains information for the + node's address. + properties: + address: + description: The machine address. + type: string + type: + description: Machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + type: string + required: + - address + - type + type: object + type: array + bootstrapPlanChecksum: + description: BootstrapPlanChecksum represent bootstrap plan + checksum. + type: string + conditions: + description: Conditions describe the state of the machine + selector object. + items: + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the field + path .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + machineInventoryRef: + description: MachineInventoryRef reference to the machine + inventory that belongs to the selector. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + ready: + type: boolean + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: machineregistrations.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: MachineRegistration + listKind: MachineRegistrationList + plural: machineregistrations + singular: machineregistration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + config: + description: Config the cloud config that will be used to provision + the node. + properties: + cloud-config: + x-kubernetes-preserve-unknown-fields: true + elemental: + properties: + install: + properties: + config-dir: + type: string + config-urls: + items: + type: string + type: array + debug: + type: boolean + device: + type: string + device-selector: + items: + properties: + key: + enum: + - Name + - Size + type: string + operator: + enum: + - In + - NotIn + - Gt + - Lt + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + disable-boot-entry: + type: boolean + eject-cd: + type: boolean + firmware: + type: string + iso: + type: string + no-format: + type: boolean + poweroff: + type: boolean + reboot: + type: boolean + snapshotter: + default: + type: loopdevice + properties: + type: + default: loopdevice + description: Type sets the snapshotter type a new + installation, available options are 'loopdevice' + and 'btrfs' + type: string + type: object + system-uri: + type: string + tty: + type: string + type: object + registration: + properties: + auth: + default: tpm + type: string + ca-cert: + type: string + emulate-tpm: + type: boolean + emulated-tpm-seed: + format: int64 + type: integer + no-smbios: + type: boolean + no-toolkit: + type: boolean + url: + type: string + type: object + reset: + default: + reboot: true + reset-oem: true + reset-persistent: true + properties: + config-urls: + items: + type: string + type: array + debug: + type: boolean + disable-boot-entry: + type: boolean + enabled: + type: boolean + poweroff: + type: boolean + reboot: + default: true + type: boolean + reset-oem: + default: true + type: boolean + reset-persistent: + default: true + type: boolean + system-uri: + type: string + type: object + system-agent: + properties: + secret-name: + type: string + secret-namespace: + type: string + token: + type: string + url: + type: string + type: object + type: object + type: object + machineInventoryAnnotations: + additionalProperties: + type: string + description: MachineInventoryAnnotations annotations to be added to + the created MachineInventory object. + type: object + machineInventoryLabels: + additionalProperties: + type: string + description: MachineInventoryLabels label to be added to the created + MachineInventory object. + type: object + machineName: + type: string + type: object + status: + properties: + conditions: + description: Conditions describe the state of the machine registration + object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + registrationToken: + description: RegistrationToken a token for registering a machine. + type: string + registrationURL: + description: RegistrationURL is the URL for registering a new machine. + type: string + serviceAccountRef: + description: ServiceAccountRef a reference to the service account + created by the machine registration. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: managedosimages.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: ManagedOSImage + listKind: ManagedOSImageList + plural: managedosimages + singular: managedosimage + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + cloudConfig: + x-kubernetes-preserve-unknown-fields: true + clusterRolloutStrategy: + description: RolloverStrategy controls the rollout of the bundle across + clusters. + properties: + autoPartitionSize: + anyOf: + - type: integer + - type: string + description: |- + A number or percentage of how to automatically partition clusters if no + specific partitioning strategy is configured. + default: 25% + nullable: true + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + A number or percentage of clusters that can be unavailable during an update + of a bundle. This follows the same basic approach as a deployment rollout + strategy. Once the number of clusters meets unavailable state update will be + paused. Default value is 100% which doesn't take effect on update. + default: 100% + nullable: true + x-kubernetes-int-or-string: true + maxUnavailablePartitions: + anyOf: + - type: integer + - type: string + description: |- + A number or percentage of cluster partitions that can be unavailable during + an update of a bundle. + default: 0 + nullable: true + x-kubernetes-int-or-string: true + partitions: + description: |- + A list of definitions of partitions. If any target clusters do not match + the configuration they are added to partitions at the end following the + autoPartitionSize. + items: + description: Partition defines a separate rollout strategy for + a set of clusters. + properties: + clusterGroup: + description: A cluster group name to include in this partition + type: string + clusterGroupSelector: + description: Selector matching cluster group labels to include + in this partition + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + clusterName: + description: ClusterName is the name of a cluster to include + in this partition + type: string + clusterSelector: + description: Selector matching cluster labels to include + in this partition + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + A number or percentage of clusters that can be unavailable in this + partition before this partition is treated as done. + default: 10% + x-kubernetes-int-or-string: true + name: + description: A user-friendly name given to the partition + used for Display (optional). + type: string + type: object + nullable: true + type: array + type: object + clusterTargets: + items: + description: |- + BundleTarget declares clusters to deploy to. Fleet will merge the + BundleDeploymentOptions from customizations into this struct. + properties: + clusterGroup: + description: ClusterGroup to match a specific cluster group + by name. + nullable: true + type: string + clusterGroupSelector: + description: ClusterGroupSelector is a selector to match cluster + groups. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + clusterName: + description: |- + ClusterName to match a specific cluster by name that will be + selected + nullable: true + type: string + clusterSelector: + description: |- + ClusterSelector is a selector to match clusters. The structure is + the standard metav1.LabelSelector format. If clusterGroupSelector or + clusterGroup is specified, clusterSelector will be used only to + further refine the selection after clusterGroupSelector and + clusterGroup is evaluated. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + correctDrift: + description: CorrectDrift specifies how drift correction should + work. + properties: + enabled: + description: Enabled correct drift if true. + type: boolean + force: + description: Force helm rollback with --force option will + be used if true. This will try to recreate all resources + in the release. + type: boolean + keepFailHistory: + description: KeepFailHistory keeps track of failed rollbacks + in the helm history. + type: boolean + type: object + defaultNamespace: + description: |- + DefaultNamespace is the namespace to use for resources that do not + specify a namespace. This field is not used to enforce or lock down + the deployment to a specific namespace. + nullable: true + type: string + deleteCRDResources: + description: DeleteCRDResources deletes CRDs. Warning! this + will also delete all your Custom Resources. + type: boolean + diff: + description: Diff can be used to ignore the modified state of + objects which are amended at runtime. + nullable: true + properties: + comparePatches: + description: ComparePatches match a resource and remove + fields from the check for modifications. + items: + description: ComparePatch matches a resource and removes + fields from the check for modifications. + properties: + apiVersion: + description: APIVersion is the apiVersion of the resource + to match. + nullable: true + type: string + jsonPointers: + description: JSONPointers ignore diffs at a certain + JSON path. + items: + type: string + nullable: true + type: array + kind: + description: Kind is the kind of the resource to match. + nullable: true + type: string + name: + description: Name is the name of the resource to match. + nullable: true + type: string + namespace: + description: Namespace is the namespace of the resource + to match. + nullable: true + type: string + operations: + description: Operations remove a JSON path from the + resource. + items: + description: Operation of a ComparePatch, usually + "remove". + properties: + op: + description: Op is usually "remove" + nullable: true + type: string + path: + description: Path is the JSON path to remove. + nullable: true + type: string + value: + description: Value is usually empty. + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + doNotDeploy: + description: DoNotDeploy if set to true, will not deploy to + this target. + type: boolean + forceSyncGeneration: + description: ForceSyncGeneration is used to force a redeployment + format: int64 + type: integer + helm: + description: Helm options for the deployment, like the chart + name, repo and values. + nullable: true + properties: + atomic: + description: Atomic sets the --atomic flag when Helm is + performing an upgrade + type: boolean + chart: + description: |- + Chart can refer to any go-getter URL or OCI registry based helm + chart URL. The chart will be downloaded. + nullable: true + type: string + disableDNS: + description: DisableDNS can be used to customize Helm's + EnableDNS option, which Fleet sets to `true` by default. + type: boolean + disableDependencyUpdate: + description: DisableDependencyUpdate allows skipping chart + dependencies update + type: boolean + disablePreProcess: + description: DisablePreProcess disables template processing + in values + type: boolean + force: + description: Force allows to override immutable resources. + This could be dangerous. + type: boolean + maxHistory: + description: MaxHistory limits the maximum number of revisions + saved per release by Helm. + type: integer + releaseName: + description: |- + ReleaseName sets a custom release name to deploy the chart as. If + not specified a release name will be generated by combining the + invoking GitRepo.name + GitRepo.path. + maxLength: 53 + nullable: true + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + repo: + description: Repo is the name of the HTTPS helm repo to + download the chart from. + nullable: true + type: string + skipSchemaValidation: + description: SkipSchemaValidation allows skipping schema + validation against the chart values + type: boolean + takeOwnership: + description: TakeOwnership makes helm skip the check for + its own annotations + type: boolean + timeoutSeconds: + description: TimeoutSeconds is the time to wait for Helm + operations. + type: integer + values: + description: |- + Values passed to Helm. It is possible to specify the keys and values + as go template strings. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + description: ValuesFiles is a list of files to load values + from. + items: + type: string + nullable: true + type: array + valuesFrom: + description: ValuesFrom loads the values from configmaps + and secrets. + items: + description: 'Define helm values that can come from configmap, + secret or external. Credit: https://github.com/fluxcd/helm-operator/blob/0cfea875b5d44bea995abe7324819432070dfbdc/pkg/apis/helm.fluxcd.io/v1/types_helmrelease.go#L439' + properties: + configMapKeyRef: + description: The reference to a config map with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + description: The reference to a secret with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + description: Version of the chart to download + nullable: true + type: string + waitForJobs: + description: |- + WaitForJobs if set and timeoutSeconds provided, will wait until all + Jobs have been completed before marking the GitRepo as ready. It + will wait for as long as timeoutSeconds + type: boolean + type: object + ignore: + description: IgnoreOptions can be used to ignore fields when + monitoring the bundle. + properties: + conditions: + description: Conditions is a list of conditions to be ignored + when monitoring the Bundle. + items: + additionalProperties: + type: string + type: object + nullable: true + type: array + type: object + keepResources: + description: KeepResources can be used to keep the deployed + resources when removing the bundle + type: boolean + kustomize: + description: |- + Kustomize options for the deployment, like the dir containing the + kustomization.yaml file. + nullable: true + properties: + dir: + description: |- + Dir points to a custom folder for kustomize resources. This folder must contain + a kustomization.yaml file. + nullable: true + type: string + type: object + name: + description: |- + Name of target. This value is largely for display and logging. If + not specified a default name of the format "target000" will be used + type: string + namespace: + description: |- + TargetNamespace if present will assign all resource to this + namespace and if any cluster scoped resource exists the deployment + will fail. + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + type: string + description: NamespaceAnnotations are annotations that will + be appended to the namespace created by Fleet. + nullable: true + type: object + namespaceLabels: + additionalProperties: + type: string + description: NamespaceLabels are labels that will be appended + to the namespace created by Fleet. + nullable: true + type: object + serviceAccount: + description: ServiceAccount which will be used to perform this + deployment. + nullable: true + type: string + yaml: + description: |- + YAML options, if using raw YAML these are names that map to + overlays/{name} files that will be used to replace or patch a resource. + nullable: true + properties: + overlays: + description: |- + Overlays is a list of names that maps to folders in "overlays/". + If you wish to customize the file ./subdir/resource.yaml then a file + ./overlays/myoverlay/subdir/resource.yaml will replace the base + file. + A file named ./overlays/myoverlay/subdir/resource_patch.yaml will patch the base file. + items: + type: string + nullable: true + type: array + type: object + type: object + type: array + concurrency: + format: int64 + type: integer + cordon: + type: boolean + drain: + default: + deleteLocalData: true + force: true + ignoreDaemonSets: true + skipWaitForDeleteTimeout: 60 + description: DrainSpec encapsulates `kubectl drain` parameters minus + node/pod selectors. + nullable: true + properties: + deleteEmptydirData: + type: boolean + deleteLocalData: + type: boolean + disableEviction: + type: boolean + force: + type: boolean + gracePeriod: + format: int32 + type: integer + ignoreDaemonSets: + type: boolean + podSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + skipWaitForDeleteTimeout: + type: integer + timeout: + description: |- + A Duration represents the elapsed time between two instants + as an int64 nanosecond count. The representation limits the + largest representable duration to approximately 290 years. + format: int64 + type: integer + type: object + managedOSVersionName: + type: string + nodeSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + osImage: + type: string + prepare: + description: ContainerSpec is a simplified container template. + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + envFrom: + items: + description: EnvFromSource represents the source of a set of + ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key + in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + envs: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + type: string + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + volumes: + items: + properties: + destination: + type: string + name: + type: string + source: + type: string + type: object + type: array + type: object + upgradeContainer: + description: ContainerSpec is a simplified container template. + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + envFrom: + items: + description: EnvFromSource represents the source of a set of + ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key + in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + envs: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + type: string + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + volumes: + items: + properties: + destination: + type: string + name: + type: string + source: + type: string + type: object + type: array + type: object + required: + - drain + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: managedosversionchannels.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: ManagedOSVersionChannel + listKind: ManagedOSVersionChannelList + plural: managedosversionchannels + singular: managedosversionchannel + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + deleteNoLongerInSyncVersions: + default: false + description: |- + DeleteNoLongerInSyncVersions automatically deletes + all no-longer-in-sync ManagedOSVersions that were created by this channel. + type: boolean + options: + x-kubernetes-preserve-unknown-fields: true + syncInterval: + default: 1h + type: string + type: + type: string + upgradeContainer: + description: ContainerSpec is a simplified container template. + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + envFrom: + items: + description: EnvFromSource represents the source of a set of + ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key + in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + envs: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + type: string + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + volumes: + items: + properties: + destination: + type: string + name: + type: string + source: + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions describe the state of the managed OS version + object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failedSynchronizationAttempts: + description: FailedSynchronizationAttempts counts the number of consecutive + synchronization failures + type: integer + lastSyncedTime: + description: LastSyncedTime is the timestamp of the last synchronization + format: date-time + type: string + syncedGeneration: + description: SyncedGeneration tracks the spec generation of the last + synchronization + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: managedosversions.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: ManagedOSVersion + listKind: ManagedOSVersionList + plural: managedosversions + singular: managedosversion + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + metadata: + x-kubernetes-preserve-unknown-fields: true + minVersion: + type: string + type: + type: string + upgradeContainer: + description: ContainerSpec is a simplified container template. + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + envFrom: + items: + description: EnvFromSource represents the source of a set of + ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key + in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + envs: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + type: string + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + volumes: + items: + properties: + destination: + type: string + name: + type: string + source: + type: string + type: object + type: array + type: object + version: + type: string + type: object + status: + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: metadata.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: Metadata + listKind: MetadataList + plural: metadata + singular: metadata + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + annotations: + additionalProperties: + type: string + type: object + appVersion: + type: string + type: object + status: + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/part-of: Elemental Operator + app.kubernetes.io/version: '{{ .Chart.Version }}' + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-elemental + cluster.x-k8s.io/v1beta1: v1beta1 + release-name: '{{ .Release.Name }}' + name: seedimages.elemental.cattle.io +spec: + group: elemental.cattle.io + names: + kind: SeedImage + listKind: SeedImageList + plural: seedimages + singular: seedimage + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + baseImage: + description: BaseImg the base elemental image used to build the seed + image. + type: string + buildContainer: + description: |- + BuildContainer settings for a custom container used to generate the + downloadable image. + properties: + args: + description: Args same as corev1.Container.Args + items: + type: string + type: array + command: + description: Command same as corev1.Container.Command + items: + type: string + type: array + image: + description: Image container image to run + type: string + imagePullPolicy: + description: Args same as corev1.Container.ImagePullPolicy + type: string + name: + description: Name of the spawned container + type: string + type: object + cleanupAfterMinutes: + default: 60 + description: |- + LifetimeMinutes the time at which the built seed image will be cleaned up. + If when the lifetime elapses the built image is being downloaded, the active + download will be completed before removing the built image. + Default is 60 minutes, set to 0 to disable. + format: int32 + type: integer + cloud-config: + description: CloudConfig contains cloud-config data to be put in the + generated iso. + x-kubernetes-preserve-unknown-fields: true + registrationRef: + description: MachineRegistrationRef a reference to the related MachineRegistration. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + retriggerBuild: + description: RetriggerBuild triggers to build again a cleaned up seed + image. + type: boolean + size: + anyOf: + - type: integer + - type: string + default: 6442450944 + description: |- + Size specifies the size of the volume used to store the image. + Defaults to 6Gi + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + targetPlatform: + description: 'Platform specifies the target platform for the built + image. Example: linux/amd64' + example: linux/amd64 + pattern: ^$|^\S+\/\S+$ + type: string + type: + default: iso + description: |- + Type specifies the type of seed image to built. + Valid values are iso|raw + Defaults to "iso" + enum: + - iso + - raw + type: string + required: + - registrationRef + - type + type: object + status: + properties: + checksumURL: + description: ChecksumURL the URL from which the SeedImage checksum + can be downloaded once the image is built. + type: string + conditions: + description: Conditions describe the state of the machine registration + object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + downloadToken: + description: DownloadToken a token to identify the seed image to download. + type: string + downloadURL: + description: DownloadURL the URL from which the SeedImage can be downloaded + once built. + type: string + state: + description: State reflect the state of the seed image build process. + enum: + - Initialized + - Started + - Completed + - Failed + - NotStarted + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/elemental-crd/104.2.1+up1.6.5/templates/validate-no-pending-deletions.yaml b/charts/elemental-crd/104.2.1+up1.6.5/templates/validate-no-pending-deletions.yaml new file mode 100644 index 0000000000..6e16863118 --- /dev/null +++ b/charts/elemental-crd/104.2.1+up1.6.5/templates/validate-no-pending-deletions.yaml @@ -0,0 +1,17 @@ +{{- $crds := list + "machineinventories.elemental.cattle.io" + "machineinventoryselectors.elemental.cattle.io" + "machineinventoryselectortemplates.elemental.cattle.io" + "machineregistrations.elemental.cattle.io" + "managedosimages.elemental.cattle.io" + "managedosversionchannels.elemental.cattle.io" + "managedosversions.elemental.cattle.io" + "seedimages.elemental.cattle.io" + "metadata.elemental.cattle.io" +-}} +{{- range $index, $crd := $crds -}} + {{- $obj := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" $.Release.Namespace $crd -}} + {{- if and $obj $obj.metadata.deletionTimestamp -}} + {{- required "CRDs from previous installations are pending to be removed (deletionTimestamp is set). Fully deleting them before (re-)installing is required" "" -}} + {{- end -}} +{{- end -}} diff --git a/charts/elemental/104.2.1+up1.6.5/Chart.yaml b/charts/elemental/104.2.1+up1.6.5/Chart.yaml new file mode 100644 index 0000000000..1ae9a56b4d --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/Chart.yaml @@ -0,0 +1,20 @@ +annotations: + catalog.cattle.io/auto-install: elemental-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Elemental + catalog.cattle.io/kube-version: '>= 1.23.0-0' + catalog.cattle.io/namespace: cattle-elemental-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: elemental.cattle.io/v1beta1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: elemental-operator + catalog.cattle.io/scope: management + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 1.6.5 +apiVersion: v2 +appVersion: 1.6.5 +description: Elemental provides Cloud Native OS Management for Cluster Nodes. +icon: https://raw.githubusercontent.com/rancher/elemental/main/logo/icon-elemental.svg +name: elemental +version: 104.2.1+up1.6.5 diff --git a/charts/elemental/104.2.1+up1.6.5/README.md b/charts/elemental/104.2.1+up1.6.5/README.md new file mode 100644 index 0000000000..bf7b83ea6c --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/README.md @@ -0,0 +1,5 @@ +# Elemental Operator Helm Chart + +This chart bootstraps an elemental-operator deployment on a [Rancher Manager](https://rancher.com/docs/rancher/) cluster using the [Helm](https://helm.sh) package manager. + +Check out the [Elemental Operator Helm Chart documentation](https://elemental.docs.rancher.com/elementaloperatorchart-reference/) in the official [Elemental guide](https://elemental.docs.rancher.com/). diff --git a/charts/elemental/104.2.1+up1.6.5/app-readme.md b/charts/elemental/104.2.1+up1.6.5/app-readme.md new file mode 100644 index 0000000000..3d694ac5f6 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/app-readme.md @@ -0,0 +1,5 @@ +# Elemental + +Elemental brings to Rancher the ability to install and manage the OS of bare metal and virtualized machines. + +For more information on how to deploy an Elemental Cluster, follow the [official documentation](https://elemental.docs.rancher.com/). \ No newline at end of file diff --git a/charts/elemental/104.2.1+up1.6.5/questions.yaml b/charts/elemental/104.2.1+up1.6.5/questions.yaml new file mode 100644 index 0000000000..53a85c6e32 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/questions.yaml @@ -0,0 +1,27 @@ +questions: +- variable: channel.defaultChannel + default: "true" + description: "Provide an Elemental OS Channel container image" + label: Elemental OS Channel + type: boolean + show_subquestion_if: true + group: "Elemental OS Channel" + subquestions: + - variable: channel.image + default: "registry.suse.com/rancher/elemental-channel/sl-micro" + description: "Specify the Elemental OS channel: for air-gapped scenarios you need to provide your own OS channel image (see https://elemental.docs.rancher.com/airgap for detailed instructions)" + type: string + label: Elemental OS Channel Image + group: "Elemental OS Channel" + - variable: channel.tag + default: "6.0-baremetal" + description: "Specify Elemental OS channel image tag" + type: string + label: "Elemental OS Channel Tag" + group: "Elemental OS Channel" +- variable: debug + default: "false" + description: "Enable debug logging in the Elemental operator" + type: boolean + label: "Enable Debug Logging" + group: "Logging" diff --git a/charts/elemental/104.2.1+up1.6.5/templates/_helpers.tpl b/charts/elemental/104.2.1+up1.6.5/templates/_helpers.tpl new file mode 100644 index 0000000000..ee1e6fe7d8 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/_helpers.tpl @@ -0,0 +1,17 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{- define "registry_url" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{ include "system_default_registry" . }} +{{- else if .Values.registryUrl -}} +{{- printf "%s/" .Values.registryUrl -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} diff --git a/charts/elemental/104.2.1+up1.6.5/templates/apiservice.yaml b/charts/elemental/104.2.1+up1.6.5/templates/apiservice.yaml new file mode 100644 index 0000000000..73ae2e505f --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/apiservice.yaml @@ -0,0 +1,9 @@ +kind: APIService +apiVersion: management.cattle.io/v3 +metadata: + name: {{ .Release.Name }} +spec: + secretName: elemental-operator + secretNamespace: {{ .Release.Namespace }} + pathPrefixes: + - /elemental/ diff --git a/charts/elemental/104.2.1+up1.6.5/templates/capi_rbac.yaml b/charts/elemental/104.2.1+up1.6.5/templates/capi_rbac.yaml new file mode 100644 index 0000000000..8692f75269 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/capi_rbac.yaml @@ -0,0 +1,10 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elemental-capi-role + labels: + cluster.x-k8s.io/aggregate-to-manager: "true" +rules: + - apiGroups: ["elemental.cattle.io"] + resources: ["*"] + verbs: ["*"] diff --git a/charts/elemental/104.2.1+up1.6.5/templates/channel-dev.yaml b/charts/elemental/104.2.1+up1.6.5/templates/channel-dev.yaml new file mode 100644 index 0000000000..da66784034 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/channel-dev.yaml @@ -0,0 +1,13 @@ +# Unstable channel for testing isv:Rancher:Elemental OBS projects +# it is only rendered if the registryUrl value includes a known OBS project reference +{{ if and (hasPrefix "registry.opensuse.org" .Values.registryUrl) (contains "isv/rancher/elemental" .Values.registryUrl) }} +apiVersion: elemental.cattle.io/v1beta1 +kind: ManagedOSVersionChannel +metadata: + name: unstable-testing-channel + namespace: fleet-default +spec: + options: + image: {{ .Values.registryUrl }}/rancher/elemental-unstable-channel:latest + type: custom +{{ end }} diff --git a/charts/elemental/104.2.1+up1.6.5/templates/channels.yaml b/charts/elemental/104.2.1+up1.6.5/templates/channels.yaml new file mode 100644 index 0000000000..c180d36d05 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/channels.yaml @@ -0,0 +1,30 @@ +{{ $defChannelName := "" }} +{{ if and .Values.channel .Values.channel.image .Values.channel.tag .Values.channel.name }} +{{ $defChannelName := .Values.channel.name }} +apiVersion: elemental.cattle.io/v1beta1 +kind: ManagedOSVersionChannel +metadata: + name: {{ .Values.channel.name }} + namespace: fleet-default +spec: + options: + image: {{ .Values.channel.image }}:{{ .Values.channel.tag }} + type: custom +{{ end }} + +# Keep pre-existing channels managed by Helm if they do not match with the current default +# this way if an upgrade introduces a new channel any pre-existing channel managed by Helm is not deleted +{{ range $index, $channel := (lookup "elemental.cattle.io/v1beta1" "ManagedOSVersionChannel" "fleet-default" "").items }} + {{ if and (eq (index $channel.metadata.labels "app.kubernetes.io/managed-by") "Helm") (ne $channel.metadata.name $defChannelName) }} +--- +apiVersion: elemental.cattle.io/v1beta1 +kind: ManagedOSVersionChannel +metadata: + name: {{ $channel.metadata.name }} + namespace: fleet-default +spec: + options: + image: {{ $channel.spec.options.image }} + type: custom + {{ end }} +{{ end }} diff --git a/charts/elemental/104.2.1+up1.6.5/templates/cluster_role.yaml b/charts/elemental/104.2.1+up1.6.5/templates/cluster_role.yaml new file mode 100644 index 0000000000..aaa3a0f2ec --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/cluster_role.yaml @@ -0,0 +1,268 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: '{{ .Release.Name }}' +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get +- apiGroups: + - "" + resources: + - pods/status + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - get +- apiGroups: + - cluster.x-k8s.io + resources: + - machines + verbs: + - get + - list + - watch +- apiGroups: + - elemental.cattle.io + resources: + - machineinventories + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elemental.cattle.io + resources: + - machineinventories/status + verbs: + - get + - patch + - update +- apiGroups: + - elemental.cattle.io + resources: + - machineinventoryselectors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elemental.cattle.io + resources: + - machineinventoryselectors/status + verbs: + - get + - list + - patch + - update +- apiGroups: + - elemental.cattle.io + resources: + - machineregistrations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elemental.cattle.io + resources: + - machineregistrations/status + verbs: + - get + - patch + - update +- apiGroups: + - elemental.cattle.io + resources: + - managedosimages + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elemental.cattle.io + resources: + - managedosimages/status + verbs: + - get + - list + - patch + - update +- apiGroups: + - elemental.cattle.io + resources: + - managedosversionchannels + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elemental.cattle.io + resources: + - managedosversionchannels/status + verbs: + - get + - list + - patch + - update +- apiGroups: + - elemental.cattle.io + resources: + - managedosversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elemental.cattle.io + resources: + - managedosversions/status + verbs: + - get + - list + - patch + - update +- apiGroups: + - elemental.cattle.io + resources: + - seedimages + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elemental.cattle.io + resources: + - seedimages/status + verbs: + - get + - patch + - update +- apiGroups: + - fleet.cattle.io + resources: + - bundles + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - management.cattle.io + resources: + - settings + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - list + - watch diff --git a/charts/elemental/104.2.1+up1.6.5/templates/cluster_role_binding.yaml b/charts/elemental/104.2.1+up1.6.5/templates/cluster_role_binding.yaml new file mode 100644 index 0000000000..e68c7bc96b --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/cluster_role_binding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Release.Name }} +subjects: +- kind: ServiceAccount + name: {{ .Release.Name }} + namespace: {{.Release.Namespace}} + diff --git a/charts/elemental/104.2.1+up1.6.5/templates/deployment.yaml b/charts/elemental/104.2.1+up1.6.5/templates/deployment.yaml new file mode 100644 index 0000000000..576d58d596 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/deployment.yaml @@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: elemental-operator + template: + metadata: + labels: + app: elemental-operator + spec: + containers: + - env: + - name: NO_PROXY + value: {{ .Values.noProxy }} + {{- if .Values.proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy }} + - name: HTTPS_PROXY + value: {{ .Values.proxy }} + {{- end }} + name: {{ .Release.Name }} + imagePullPolicy: "{{ .Values.image.imagePullPolicy }}" + image: {{ template "registry_url" . }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} + args: + - operator + {{- if .Values.debug }} + - --v=5 + - --debug + {{- end }} + - --namespace + - {{ .Release.Namespace }} + - --operator-image + - {{ template "registry_url" . }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} + - --seedimage-image + - {{ template "registry_url" . }}{{ .Values.seedImage.repository }}:{{ .Values.seedImage.tag | default .Chart.AppVersion }} + - --seedimage-image-pullpolicy + - {{ .Values.seedImage.imagePullPolicy}} + serviceAccountName: {{ .Release.Name }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/elemental/104.2.1+up1.6.5/templates/globalrole.yaml b/charts/elemental/104.2.1+up1.6.5/templates/globalrole.yaml new file mode 100644 index 0000000000..323cf2ead8 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/globalrole.yaml @@ -0,0 +1,16 @@ +apiVersion: management.cattle.io/v3 +builtin: false +description: "Elemental Administrator Role" +displayName: Elemental Administrator +kind: GlobalRole +metadata: + labels: + cattle.io/creator: norman + name: {{ .Release.Name }} +rules: +- apiGroups: + - elemental.cattle.io + resources: + - '*' + verbs: + - '*' diff --git a/charts/elemental/104.2.1+up1.6.5/templates/metadata.yaml b/charts/elemental/104.2.1+up1.6.5/templates/metadata.yaml new file mode 100644 index 0000000000..d102d9f2ea --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/metadata.yaml @@ -0,0 +1,10 @@ +apiVersion: elemental.cattle.io/v1beta1 +kind: Metadata +metadata: + name: {{ .Release.Name }} +spec: + appVersion: {{ .Chart.AppVersion }} + annotations: + {{- range $key, $value := .Chart.Annotations }} + {{ $key }}: {{ toYaml $value }} + {{- end }} diff --git a/charts/elemental/104.2.1+up1.6.5/templates/serviceaccount.yaml b/charts/elemental/104.2.1+up1.6.5/templates/serviceaccount.yaml new file mode 100644 index 0000000000..cb203d6f6c --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }} diff --git a/charts/elemental/104.2.1+up1.6.5/templates/validate-install-crd.yaml b/charts/elemental/104.2.1+up1.6.5/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..45008251ae --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/templates/validate-install-crd.yaml @@ -0,0 +1,26 @@ +{{ if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 }} + {{ $apis := dict + "elemental.cattle.io/v1beta1/MachineInventory" "machineinventories" + "elemental.cattle.io/v1beta1/MachineInventorySelector" "machineinventoryselectors" + "elemental.cattle.io/v1beta1/MachineInventorySelectorTemplate" "machineinventoryselectortemplates" + "elemental.cattle.io/v1beta1/MachineRegistration" "machineregistrations" + "elemental.cattle.io/v1beta1/ManagedOSImage" "managedosimages" + "elemental.cattle.io/v1beta1/ManagedOSVersionChannel" "managedosversionchannels" + "elemental.cattle.io/v1beta1/ManagedOSVersion" "managedosversions" + "elemental.cattle.io/v1beta1/SeedImage" "seedimages" + "elemental.cattle.io/v1beta1/Metadata" "metadata" + }} + {{- range $api, $crd := $apis -}} + {{- if not ($.Capabilities.APIVersions.Has $api) -}} + {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} + {{- end -}} + {{- $crdobj := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" (print $crd ".elemental.cattle.io") -}} + {{- if not $crdobj -}} + {{- print "Cannot lookup " $crd ".elemental.cattle.io crd object" | fail -}} + {{- end -}} + {{- $crdrelease := index $crdobj.metadata.annotations "meta.helm.sh/release-name" -}} + {{- if eq $crdrelease $.Release.Name -}} + {{- required "Elemental CRDs should be moved to the new elemental-operator-crds chart before upgrading this operator." "" -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/elemental/104.2.1+up1.6.5/values.yaml b/charts/elemental/104.2.1+up1.6.5/values.yaml new file mode 100644 index 0000000000..812abf75a2 --- /dev/null +++ b/charts/elemental/104.2.1+up1.6.5/values.yaml @@ -0,0 +1,43 @@ +image: + empty: rancher/pause:3.1 + repository: "rancher/mirrored-elemental-operator" + tag: "1.6.5" + imagePullPolicy: IfNotPresent + +seedImage: + repository: "rancher/mirrored-elemental-seedimage-builder" + tag: "1.6.5" + imagePullPolicy: IfNotPresent + +channel: + name: "sl-micro-6.0-baremetal-channel" + image: "registry.suse.com/rancher/elemental-channel/sl-micro" + tag: "6.0-baremetal" + +# number of operator replicas to deploy +replicas: 1 + +# http[s] proxy server +# proxy: http://@:: + +# comma separated list of domains or ip addresses that will not use the proxy +noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local + +global: + cattle: + systemDefaultRegistry: "" + +# used only if systemDefaultRegistry is empty +registryUrl: "" + +# enable debug output for operator +debug: false + +nodeSelector: + kubernetes.io/os: linux + +tolerations: + - key: cattle.io/os + operator: "Equal" + value: "linux" + effect: NoSchedule diff --git a/charts/fleet-agent/104.1.1+up0.10.5/Chart.yaml b/charts/fleet-agent/104.1.1+up0.10.5/Chart.yaml new file mode 100644 index 0000000000..084f53dea6 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.18.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: fleet-agent +apiVersion: v2 +appVersion: 0.10.5 +description: Fleet Manager Agent - GitOps at Scale +icon: https://charts.rancher.io/assets/logos/fleet.svg +name: fleet-agent +version: 104.1.1+up0.10.5 diff --git a/charts/fleet-agent/104.1.1+up0.10.5/README.md b/charts/fleet-agent/104.1.1+up0.10.5/README.md new file mode 100644 index 0000000000..2c5724dcef --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/README.md @@ -0,0 +1,8 @@ +## Fleet Agent Helm Chart + +Every Fleet-managed downstream cluster will run an agent that communicates back to the Fleet controller. This agent is just another set of Kubernetes controllers running in the downstream cluster. + +Standalone Fleet users use this chart for agent-initiated registration. For more details see [agent-initiated registration](https://fleet.rancher.io/cluster-registration#agent-initiated). +Fleet in Rancher does not use this chart, but creates the agent deployments programmatically. + +The Fleet documentation is centralized in the [doc website](https://fleet.rancher.io/). \ No newline at end of file diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/_helpers.tpl b/charts/fleet-agent/104.1.1+up0.10.5/templates/_helpers.tpl new file mode 100644 index 0000000000..6cd96c3ace --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/_helpers.tpl @@ -0,0 +1,22 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/configmap.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/configmap.yaml new file mode 100644 index 0000000000..5b052e8745 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/configmap.yaml @@ -0,0 +1,16 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: fleet-agent +data: + config: |- + { + {{ if .Values.labels }} + "labels":{{toJson .Values.labels}}, + {{ end }} + "clientID":"{{.Values.clientID}}", + "agentTLSMode": "{{.Values.agentTLSMode}}" + {{ if .Values.garbageCollectionInterval }} + "garbageCollectionInterval": "{{.Values.garbageCollectionInterval}}" + {{ end }} + } diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/deployment.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/deployment.yaml new file mode 100644 index 0000000000..a13d85abee --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/deployment.yaml @@ -0,0 +1,108 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: fleet-agent +spec: + serviceName: fleet-agent + selector: + matchLabels: + app: fleet-agent + template: + metadata: + labels: + app: fleet-agent + spec: + initContainers: + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}' + name: fleet-agent-register + command: + - fleetagent + - register + {{- if .Values.debug }} + - --debug + - --debug-level + - {{ quote .Values.debugLevel }} + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + containers: + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}' + name: fleet-agent + command: + - fleetagent + {{- if .Values.debug }} + - --debug + - --debug-level + - {{ quote .Values.debugLevel }} + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + volumeMounts: + - mountPath: /.kube + name: kube + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}' + name: fleet-agent-clusterstatus + command: + - fleetagent + - clusterstatus + {{- if .Values.debug }} + - --debug + - --debug-level + - {{ quote .Values.debugLevel }} + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + volumes: + - name: kube + emptyDir: {} + serviceAccountName: fleet-agent + {{- if .Values.fleetAgent.hostNetwork }} + hostNetwork: true + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.fleetAgent.nodeSelector }} +{{ toYaml .Values.fleetAgent.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.fleetAgent.tolerations }} +{{ toYaml .Values.fleetAgent.tolerations | indent 8 }} +{{- end }} +{{- if not .Values.debug }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/network_policy_allow_all.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/network_policy_allow_all.yaml new file mode 100644 index 0000000000..a72109a062 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/network_policy_allow_all.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-allow-all + namespace: {{ .Values.internal.systemNamespace }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/patch_default_serviceaccount.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/patch_default_serviceaccount.yaml new file mode 100644 index 0000000000..aad4eea415 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/patch_default_serviceaccount.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: patch-fleet-sa + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + spec: + serviceAccountName: fleet-agent + restartPolicy: Never + containers: + - name: sa + image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] + args: ["-n", {{ .Values.internal.systemNamespace }}] + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.kubectl.nodeSelector }} +{{ toYaml .Values.kubectl.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.kubectl.tolerations }} +{{ toYaml .Values.kubectl.tolerations | indent 8 }} +{{- end }} + backoffLimit: 1 diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/rbac.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/rbac.yaml new file mode 100644 index 0000000000..1a7e8d8841 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/rbac.yaml @@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: fleet-agent-system-fleet-agent-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +- nonResourceURLs: + - "*" + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: fleet-agent-system-fleet-agent-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: fleet-agent-system-fleet-agent-role +subjects: +- kind: ServiceAccount + name: fleet-agent + namespace: {{.Release.Namespace}} diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/secret.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/secret.yaml new file mode 100644 index 0000000000..4715882047 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + systemRegistrationNamespace: "{{b64enc .Values.systemRegistrationNamespace}}" + clusterNamespace: "{{b64enc .Values.clusterNamespace}}" + token: "{{b64enc .Values.token}}" + apiServerURL: "{{b64enc .Values.apiServerURL}}" + apiServerCA: "{{b64enc .Values.apiServerCA}}" +kind: Secret +metadata: + name: fleet-agent-bootstrap diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/service.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/service.yaml new file mode 100644 index 0000000000..36d35588f3 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/service.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Service +metadata: + name: fleet-agent +spec: + type: ClusterIP + clusterIP: None + selector: + app: fleet-agent diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/serviceaccount.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/serviceaccount.yaml new file mode 100644 index 0000000000..73e27f0be9 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: fleet-agent diff --git a/charts/fleet-agent/104.1.1+up0.10.5/templates/validate.yaml b/charts/fleet-agent/104.1.1+up0.10.5/templates/validate.yaml new file mode 100644 index 0000000000..d53ff1c508 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/templates/validate.yaml @@ -0,0 +1,11 @@ +{{if ne .Release.Namespace .Values.internal.systemNamespace }} +{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.systemNamespace) }} +{{end}} + +{{if ne .Release.Name .Values.internal.managedReleaseName }} +{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.managedReleaseName) }} +{{end}} + +{{if not .Values.apiServerURL }} +{{ fail "apiServerURL is required to be set, and most likely also apiServerCA" }} +{{end}} diff --git a/charts/fleet-agent/104.1.1+up0.10.5/values.yaml b/charts/fleet-agent/104.1.1+up0.10.5/values.yaml new file mode 100644 index 0000000000..3557719771 --- /dev/null +++ b/charts/fleet-agent/104.1.1+up0.10.5/values.yaml @@ -0,0 +1,70 @@ +image: + os: "windows,linux" + repository: rancher/fleet-agent + tag: v0.10.5 + +# The public URL of the Kubernetes API server running the Fleet Manager must be set here +# Example: https://example.com:6443 +apiServerURL: "" + +# The the pem encoded value of the CA of the Kubernetes API server running the Fleet Manager. +# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA. +apiServerCA: "" + +# Determines whether the agent should trust CA bundles from the operating system's trust store when connecting to a +# management cluster. True in `system-store` mode, false in `strict` mode. +agentTLSMode: "system-store" + +# The cluster registration value +token: "" + +# Labels to add to the cluster upon registration only. They are not added after the fact. +# labels: +# foo: bar + +# The client ID of the cluster to associate with +clientID: "" + +# The namespace of the cluster we are register with +clusterNamespace: "" + +# The namespace containing the clusters registration secrets +systemRegistrationNamespace: cattle-fleet-clusters-system + +# Please do not change the below setting unless you really know what you are doing +internal: + systemNamespace: cattle-fleet-system + managedReleaseName: fleet-agent + +# The nodeSelector and tolerations for the agent deployment +fleetAgent: + ## Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## List of node taints to tolerate (requires Kubernetes >= 1.6) + tolerations: [] + ## HostNetwork setting for the agent deployment. + ## When set allows for provisioning of network related bundles (CNI configuration) in a cluster without CNI. + hostNetwork: false +kubectl: + ## Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## List of node taints to tolerate (requires Kubernetes >= 1.6) + tolerations: + - key: node.cloudprovider.kubernetes.io/uninitialized + operator: "Equal" + value: "true" + effect: NoSchedule + +global: + cattle: + systemDefaultRegistry: "" + kubectl: + repository: rancher/kubectl + tag: v1.29.0 + +debug: false +debugLevel: 0 diff --git a/charts/fleet-crd/104.1.1+up0.10.5/Chart.yaml b/charts/fleet-crd/104.1.1+up0.10.5/Chart.yaml new file mode 100644 index 0000000000..4d6be69cf2 --- /dev/null +++ b/charts/fleet-crd/104.1.1+up0.10.5/Chart.yaml @@ -0,0 +1,13 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/release-name: fleet-crd +apiVersion: v2 +appVersion: 0.10.5 +description: Fleet Manager CustomResourceDefinitions +icon: https://charts.rancher.io/assets/logos/fleet.svg +name: fleet-crd +version: 104.1.1+up0.10.5 diff --git a/charts/fleet-crd/104.1.1+up0.10.5/README.md b/charts/fleet-crd/104.1.1+up0.10.5/README.md new file mode 100644 index 0000000000..2452ab2f1f --- /dev/null +++ b/charts/fleet-crd/104.1.1+up0.10.5/README.md @@ -0,0 +1,5 @@ +# Fleet CRD Helm Chart + +Fleet Manager CustomResourceDefinitions Helm chart is a requirement for the Fleet Helm Chart. + +The Fleet documentation is centralized in the [doc website](https://fleet.rancher.io/). \ No newline at end of file diff --git a/charts/fleet-crd/104.1.1+up0.10.5/templates/crds.yaml b/charts/fleet-crd/104.1.1+up0.10.5/templates/crds.yaml new file mode 100644 index 0000000000..4ee4cd986b --- /dev/null +++ b/charts/fleet-crd/104.1.1+up0.10.5/templates/crds.yaml @@ -0,0 +1,7076 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: bundledeployments.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: BundleDeployment + listKind: BundleDeploymentList + plural: bundledeployments + singular: bundledeployment + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.deployed + name: Deployed + type: string + - jsonPath: .status.display.monitored + name: Monitored + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'BundleDeployment is used internally by Fleet and should not + be used directly. + + When a Bundle is deployed to a cluster an instance of a Bundle is called + a + + BundleDeployment. A BundleDeployment represents the state of that Bundle + on + + a specific cluster with its cluster-specific customizations. The Fleet + agent + + is only aware of BundleDeployment resources that are created for the cluster + + the agent is managing.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + correctDrift: + description: CorrectDrift specifies how drift correction should + work. + properties: + enabled: + description: Enabled correct drift if true. + type: boolean + force: + description: Force helm rollback with --force option will be + used if true. This will try to recreate all resources in the + release. + type: boolean + keepFailHistory: + description: KeepFailHistory keeps track of failed rollbacks + in the helm history. + type: boolean + type: object + dependsOn: + description: DependsOn refers to the bundles which must be ready + before this bundle can be deployed. + items: + properties: + name: + description: Name of the bundle. + nullable: true + type: string + selector: + description: Selector matching bundle's labels. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + type: object + nullable: true + type: array + deploymentID: + description: DeploymentID is the ID of the currently applied deployment. + nullable: true + type: string + ociContents: + description: OCIContents is true when this deployment's contents + is stored in an oci registry + type: boolean + options: + description: Options are the deployment options, that are currently + applied. + properties: + correctDrift: + description: CorrectDrift specifies how drift correction should + work. + properties: + enabled: + description: Enabled correct drift if true. + type: boolean + force: + description: Force helm rollback with --force option will + be used if true. This will try to recreate all resources + in the release. + type: boolean + keepFailHistory: + description: KeepFailHistory keeps track of failed rollbacks + in the helm history. + type: boolean + type: object + defaultNamespace: + description: 'DefaultNamespace is the namespace to use for resources + that do not + + specify a namespace. This field is not used to enforce or + lock down + + the deployment to a specific namespace.' + nullable: true + type: string + deleteCRDResources: + description: DeleteCRDResources deletes CRDs. Warning! this + will also delete all your Custom Resources. + type: boolean + deleteNamespace: + description: DeleteNamespace can be used to delete the deployed + namespace when removing the bundle + type: boolean + diff: + description: Diff can be used to ignore the modified state of + objects which are amended at runtime. + nullable: true + properties: + comparePatches: + description: ComparePatches match a resource and remove + fields from the check for modifications. + items: + description: ComparePatch matches a resource and removes + fields from the check for modifications. + properties: + apiVersion: + description: APIVersion is the apiVersion of the resource + to match. + nullable: true + type: string + jsonPointers: + description: JSONPointers ignore diffs at a certain + JSON path. + items: + type: string + nullable: true + type: array + kind: + description: Kind is the kind of the resource to match. + nullable: true + type: string + name: + description: Name is the name of the resource to match. + nullable: true + type: string + namespace: + description: Namespace is the namespace of the resource + to match. + nullable: true + type: string + operations: + description: Operations remove a JSON path from the + resource. + items: + description: Operation of a ComparePatch, usually + "remove". + properties: + op: + description: Op is usually "remove" + nullable: true + type: string + path: + description: Path is the JSON path to remove. + nullable: true + type: string + value: + description: Value is usually empty. + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + forceSyncGeneration: + description: ForceSyncGeneration is used to force a redeployment + format: int64 + type: integer + helm: + description: Helm options for the deployment, like the chart + name, repo and values. + nullable: true + properties: + atomic: + description: Atomic sets the --atomic flag when Helm is + performing an upgrade + type: boolean + chart: + description: 'Chart can refer to any go-getter URL or OCI + registry based helm + + chart URL. The chart will be downloaded.' + nullable: true + type: string + disableDNS: + description: DisableDNS can be used to customize Helm's + EnableDNS option, which Fleet sets to `true` by default. + type: boolean + disableDependencyUpdate: + description: DisableDependencyUpdate allows skipping chart + dependencies update + type: boolean + disablePreProcess: + description: DisablePreProcess disables template processing + in values + type: boolean + force: + description: Force allows to override immutable resources. + This could be dangerous. + type: boolean + maxHistory: + description: MaxHistory limits the maximum number of revisions + saved per release by Helm. + type: integer + releaseName: + description: 'ReleaseName sets a custom release name to + deploy the chart as. If + + not specified a release name will be generated by combining + the + + invoking GitRepo.name + GitRepo.path.' + maxLength: 53 + nullable: true + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + repo: + description: Repo is the name of the HTTPS helm repo to + download the chart from. + nullable: true + type: string + skipSchemaValidation: + description: SkipSchemaValidation allows skipping schema + validation against the chart values + type: boolean + takeOwnership: + description: TakeOwnership makes helm skip the check for + its own annotations + type: boolean + timeoutSeconds: + description: TimeoutSeconds is the time to wait for Helm + operations. + type: integer + values: + description: 'Values passed to Helm. It is possible to specify + the keys and values + + as go template strings.' + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + description: ValuesFiles is a list of files to load values + from. + items: + type: string + nullable: true + type: array + valuesFrom: + description: ValuesFrom loads the values from configmaps + and secrets. + items: + description: 'Define helm values that can come from configmap, + secret or external. Credit: https://github.com/fluxcd/helm-operator/blob/0cfea875b5d44bea995abe7324819432070dfbdc/pkg/apis/helm.fluxcd.io/v1/types_helmrelease.go#L439' + properties: + configMapKeyRef: + description: The reference to a config map with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + description: The reference to a secret with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + description: Version of the chart to download + nullable: true + type: string + waitForJobs: + description: 'WaitForJobs if set and timeoutSeconds provided, + will wait until all + + Jobs have been completed before marking the GitRepo as + ready. It + + will wait for as long as timeoutSeconds' + type: boolean + type: object + ignore: + description: IgnoreOptions can be used to ignore fields when + monitoring the bundle. + properties: + conditions: + description: Conditions is a list of conditions to be ignored + when monitoring the Bundle. + items: + additionalProperties: + type: string + type: object + nullable: true + type: array + type: object + keepResources: + description: KeepResources can be used to keep the deployed + resources when removing the bundle + type: boolean + kustomize: + description: 'Kustomize options for the deployment, like the + dir containing the + + kustomization.yaml file.' + nullable: true + properties: + dir: + description: 'Dir points to a custom folder for kustomize + resources. This folder must contain + + a kustomization.yaml file.' + nullable: true + type: string + type: object + namespace: + description: 'TargetNamespace if present will assign all resource + to this + + namespace and if any cluster scoped resource exists the deployment + + will fail.' + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + type: string + description: NamespaceAnnotations are annotations that will + be appended to the namespace created by Fleet. + nullable: true + type: object + namespaceLabels: + additionalProperties: + type: string + description: NamespaceLabels are labels that will be appended + to the namespace created by Fleet. + nullable: true + type: object + serviceAccount: + description: ServiceAccount which will be used to perform this + deployment. + nullable: true + type: string + yaml: + description: 'YAML options, if using raw YAML these are names + that map to + + overlays/{name} files that will be used to replace or patch + a resource.' + nullable: true + properties: + overlays: + description: 'Overlays is a list of names that maps to folders + in "overlays/". + + If you wish to customize the file ./subdir/resource.yaml + then a file + + ./overlays/myoverlay/subdir/resource.yaml will replace + the base + + file. + + A file named ./overlays/myoverlay/subdir/resource_patch.yaml + will patch the base file.' + items: + type: string + nullable: true + type: array + type: object + type: object + paused: + description: 'Paused if set to true, will stop any BundleDeployments + from being + + updated. If true, BundleDeployments will be marked as out of sync + + when changes are detected.' + type: boolean + stagedDeploymentID: + description: StagedDeploymentID is the ID of the staged deployment. + nullable: true + type: string + stagedOptions: + description: 'StagedOptions are the deployment options, that are + staged for + + the next deployment.' + properties: + correctDrift: + description: CorrectDrift specifies how drift correction should + work. + properties: + enabled: + description: Enabled correct drift if true. + type: boolean + force: + description: Force helm rollback with --force option will + be used if true. This will try to recreate all resources + in the release. + type: boolean + keepFailHistory: + description: KeepFailHistory keeps track of failed rollbacks + in the helm history. + type: boolean + type: object + defaultNamespace: + description: 'DefaultNamespace is the namespace to use for resources + that do not + + specify a namespace. This field is not used to enforce or + lock down + + the deployment to a specific namespace.' + nullable: true + type: string + deleteCRDResources: + description: DeleteCRDResources deletes CRDs. Warning! this + will also delete all your Custom Resources. + type: boolean + deleteNamespace: + description: DeleteNamespace can be used to delete the deployed + namespace when removing the bundle + type: boolean + diff: + description: Diff can be used to ignore the modified state of + objects which are amended at runtime. + nullable: true + properties: + comparePatches: + description: ComparePatches match a resource and remove + fields from the check for modifications. + items: + description: ComparePatch matches a resource and removes + fields from the check for modifications. + properties: + apiVersion: + description: APIVersion is the apiVersion of the resource + to match. + nullable: true + type: string + jsonPointers: + description: JSONPointers ignore diffs at a certain + JSON path. + items: + type: string + nullable: true + type: array + kind: + description: Kind is the kind of the resource to match. + nullable: true + type: string + name: + description: Name is the name of the resource to match. + nullable: true + type: string + namespace: + description: Namespace is the namespace of the resource + to match. + nullable: true + type: string + operations: + description: Operations remove a JSON path from the + resource. + items: + description: Operation of a ComparePatch, usually + "remove". + properties: + op: + description: Op is usually "remove" + nullable: true + type: string + path: + description: Path is the JSON path to remove. + nullable: true + type: string + value: + description: Value is usually empty. + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + forceSyncGeneration: + description: ForceSyncGeneration is used to force a redeployment + format: int64 + type: integer + helm: + description: Helm options for the deployment, like the chart + name, repo and values. + nullable: true + properties: + atomic: + description: Atomic sets the --atomic flag when Helm is + performing an upgrade + type: boolean + chart: + description: 'Chart can refer to any go-getter URL or OCI + registry based helm + + chart URL. The chart will be downloaded.' + nullable: true + type: string + disableDNS: + description: DisableDNS can be used to customize Helm's + EnableDNS option, which Fleet sets to `true` by default. + type: boolean + disableDependencyUpdate: + description: DisableDependencyUpdate allows skipping chart + dependencies update + type: boolean + disablePreProcess: + description: DisablePreProcess disables template processing + in values + type: boolean + force: + description: Force allows to override immutable resources. + This could be dangerous. + type: boolean + maxHistory: + description: MaxHistory limits the maximum number of revisions + saved per release by Helm. + type: integer + releaseName: + description: 'ReleaseName sets a custom release name to + deploy the chart as. If + + not specified a release name will be generated by combining + the + + invoking GitRepo.name + GitRepo.path.' + maxLength: 53 + nullable: true + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + repo: + description: Repo is the name of the HTTPS helm repo to + download the chart from. + nullable: true + type: string + skipSchemaValidation: + description: SkipSchemaValidation allows skipping schema + validation against the chart values + type: boolean + takeOwnership: + description: TakeOwnership makes helm skip the check for + its own annotations + type: boolean + timeoutSeconds: + description: TimeoutSeconds is the time to wait for Helm + operations. + type: integer + values: + description: 'Values passed to Helm. It is possible to specify + the keys and values + + as go template strings.' + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + description: ValuesFiles is a list of files to load values + from. + items: + type: string + nullable: true + type: array + valuesFrom: + description: ValuesFrom loads the values from configmaps + and secrets. + items: + description: 'Define helm values that can come from configmap, + secret or external. Credit: https://github.com/fluxcd/helm-operator/blob/0cfea875b5d44bea995abe7324819432070dfbdc/pkg/apis/helm.fluxcd.io/v1/types_helmrelease.go#L439' + properties: + configMapKeyRef: + description: The reference to a config map with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + description: The reference to a secret with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + description: Version of the chart to download + nullable: true + type: string + waitForJobs: + description: 'WaitForJobs if set and timeoutSeconds provided, + will wait until all + + Jobs have been completed before marking the GitRepo as + ready. It + + will wait for as long as timeoutSeconds' + type: boolean + type: object + ignore: + description: IgnoreOptions can be used to ignore fields when + monitoring the bundle. + properties: + conditions: + description: Conditions is a list of conditions to be ignored + when monitoring the Bundle. + items: + additionalProperties: + type: string + type: object + nullable: true + type: array + type: object + keepResources: + description: KeepResources can be used to keep the deployed + resources when removing the bundle + type: boolean + kustomize: + description: 'Kustomize options for the deployment, like the + dir containing the + + kustomization.yaml file.' + nullable: true + properties: + dir: + description: 'Dir points to a custom folder for kustomize + resources. This folder must contain + + a kustomization.yaml file.' + nullable: true + type: string + type: object + namespace: + description: 'TargetNamespace if present will assign all resource + to this + + namespace and if any cluster scoped resource exists the deployment + + will fail.' + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + type: string + description: NamespaceAnnotations are annotations that will + be appended to the namespace created by Fleet. + nullable: true + type: object + namespaceLabels: + additionalProperties: + type: string + description: NamespaceLabels are labels that will be appended + to the namespace created by Fleet. + nullable: true + type: object + serviceAccount: + description: ServiceAccount which will be used to perform this + deployment. + nullable: true + type: string + yaml: + description: 'YAML options, if using raw YAML these are names + that map to + + overlays/{name} files that will be used to replace or patch + a resource.' + nullable: true + properties: + overlays: + description: 'Overlays is a list of names that maps to folders + in "overlays/". + + If you wish to customize the file ./subdir/resource.yaml + then a file + + ./overlays/myoverlay/subdir/resource.yaml will replace + the base + + file. + + A file named ./overlays/myoverlay/subdir/resource_patch.yaml + will patch the base file.' + items: + type: string + nullable: true + type: array + type: object + type: object + type: object + status: + properties: + appliedDeploymentID: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one + status to another. + type: string + lastUpdateTime: + description: The last time this condition was updated. + type: string + message: + description: Human-readable message indicating details about + last transition + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + type: string + type: + description: Type of cluster condition. + type: string + required: + - status + - type + type: object + nullable: true + type: array + display: + nullable: true + properties: + deployed: + nullable: true + type: string + monitored: + nullable: true + type: string + state: + nullable: true + type: string + type: object + modifiedStatus: + items: + description: 'ModifiedStatus is used to report the status of a + resource that is modified. + + It indicates if the modification was a create, a delete or a + patch.' + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + nonModified: + type: boolean + nonReadyStatus: + items: + description: NonReadyStatus is used to report the status of a + resource that is not ready. It includes a summary. + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + type: string + type: array + state: + type: string + transitioning: + type: boolean + type: object + uid: + description: 'UID is a type that holds unique ID values, including + UUIDs. Because we + + don''t ONLY use UUIDs, this is an alias to string. Being + a type captures + + intent and helps make sure that UIDs and names do not get + conflated.' + nullable: true + type: string + type: object + nullable: true + type: array + ready: + type: boolean + release: + nullable: true + type: string + resources: + description: 'Resources lists the metadata of resources that were + deployed + + according to the helm release history.' + items: + description: BundleDeploymentResource contains the metadata of + a deployed resource. + properties: + apiVersion: + nullable: true + type: string + createdAt: + format: date-time + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + nullable: true + type: array + syncGeneration: + format: int64 + nullable: true + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: bundlenamespacemappings.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: BundleNamespaceMapping + listKind: BundleNamespaceMappingList + plural: bundlenamespacemappings + singular: bundlenamespacemapping + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: BundleNamespaceMapping maps bundles to clusters in other namespaces. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + bundleSelector: + description: 'A label selector is a label query over a set of resources. + The result of matchLabels and + + matchExpressions are ANDed. An empty label selector matches all objects. + A null + + label selector matches no objects.' + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: 'A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: 'operator represents a key''s relationship to + a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the operator is Exists + or DoesNotExist, + + the values array must be empty. This array is replaced during + a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, whose key + field is "key", the + + operator is "In", and the values array contains only "value". + The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + namespaceSelector: + description: 'A label selector is a label query over a set of resources. + The result of matchLabels and + + matchExpressions are ANDed. An empty label selector matches all objects. + A null + + label selector matches no objects.' + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: 'A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: 'operator represents a key''s relationship to + a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the operator is Exists + or DoesNotExist, + + the values array must be empty. This array is replaced during + a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, whose key + field is "key", the + + operator is "In", and the values array contains only "value". + The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: bundles.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: Bundle + listKind: BundleList + plural: bundles + singular: bundle + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.readyClusters + name: BundleDeployments-Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'Bundle contains the resources of an application and its deployment + options. + + It will be deployed as a Helm chart to target clusters. + + + + When a GitRepo is scanned it will produce one or more bundles. Bundles + are + + a collection of resources that get deployed to one or more cluster(s). + Bundle is the + + fundamental deployment unit used in Fleet. The contents of a Bundle may + be + + Kubernetes manifests, Kustomize configuration, or Helm charts. Regardless + + of the source the contents are dynamically rendered into a Helm chart + by + + the agent and installed into the downstream cluster as a Helm release.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + contentsId: + description: ContentsID stores the contents id when deploying contents + using an OCI registry. + nullable: true + type: string + correctDrift: + description: CorrectDrift specifies how drift correction should + work. + properties: + enabled: + description: Enabled correct drift if true. + type: boolean + force: + description: Force helm rollback with --force option will be + used if true. This will try to recreate all resources in the + release. + type: boolean + keepFailHistory: + description: KeepFailHistory keeps track of failed rollbacks + in the helm history. + type: boolean + type: object + defaultNamespace: + description: 'DefaultNamespace is the namespace to use for resources + that do not + + specify a namespace. This field is not used to enforce or lock + down + + the deployment to a specific namespace.' + nullable: true + type: string + deleteCRDResources: + description: DeleteCRDResources deletes CRDs. Warning! this will + also delete all your Custom Resources. + type: boolean + deleteNamespace: + description: DeleteNamespace can be used to delete the deployed + namespace when removing the bundle + type: boolean + dependsOn: + description: DependsOn refers to the bundles which must be ready + before this bundle can be deployed. + items: + properties: + name: + description: Name of the bundle. + nullable: true + type: string + selector: + description: Selector matching bundle's labels. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + type: object + nullable: true + type: array + diff: + description: Diff can be used to ignore the modified state of objects + which are amended at runtime. + nullable: true + properties: + comparePatches: + description: ComparePatches match a resource and remove fields + from the check for modifications. + items: + description: ComparePatch matches a resource and removes fields + from the check for modifications. + properties: + apiVersion: + description: APIVersion is the apiVersion of the resource + to match. + nullable: true + type: string + jsonPointers: + description: JSONPointers ignore diffs at a certain JSON + path. + items: + type: string + nullable: true + type: array + kind: + description: Kind is the kind of the resource to match. + nullable: true + type: string + name: + description: Name is the name of the resource to match. + nullable: true + type: string + namespace: + description: Namespace is the namespace of the resource + to match. + nullable: true + type: string + operations: + description: Operations remove a JSON path from the resource. + items: + description: Operation of a ComparePatch, usually "remove". + properties: + op: + description: Op is usually "remove" + nullable: true + type: string + path: + description: Path is the JSON path to remove. + nullable: true + type: string + value: + description: Value is usually empty. + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + forceSyncGeneration: + description: ForceSyncGeneration is used to force a redeployment + format: int64 + type: integer + helm: + description: Helm options for the deployment, like the chart name, + repo and values. + nullable: true + properties: + atomic: + description: Atomic sets the --atomic flag when Helm is performing + an upgrade + type: boolean + chart: + description: 'Chart can refer to any go-getter URL or OCI registry + based helm + + chart URL. The chart will be downloaded.' + nullable: true + type: string + disableDNS: + description: DisableDNS can be used to customize Helm's EnableDNS + option, which Fleet sets to `true` by default. + type: boolean + disableDependencyUpdate: + description: DisableDependencyUpdate allows skipping chart dependencies + update + type: boolean + disablePreProcess: + description: DisablePreProcess disables template processing + in values + type: boolean + force: + description: Force allows to override immutable resources. This + could be dangerous. + type: boolean + maxHistory: + description: MaxHistory limits the maximum number of revisions + saved per release by Helm. + type: integer + releaseName: + description: 'ReleaseName sets a custom release name to deploy + the chart as. If + + not specified a release name will be generated by combining + the + + invoking GitRepo.name + GitRepo.path.' + maxLength: 53 + nullable: true + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + repo: + description: Repo is the name of the HTTPS helm repo to download + the chart from. + nullable: true + type: string + skipSchemaValidation: + description: SkipSchemaValidation allows skipping schema validation + against the chart values + type: boolean + takeOwnership: + description: TakeOwnership makes helm skip the check for its + own annotations + type: boolean + timeoutSeconds: + description: TimeoutSeconds is the time to wait for Helm operations. + type: integer + values: + description: 'Values passed to Helm. It is possible to specify + the keys and values + + as go template strings.' + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + description: ValuesFiles is a list of files to load values from. + items: + type: string + nullable: true + type: array + valuesFrom: + description: ValuesFrom loads the values from configmaps and + secrets. + items: + description: 'Define helm values that can come from configmap, + secret or external. Credit: https://github.com/fluxcd/helm-operator/blob/0cfea875b5d44bea995abe7324819432070dfbdc/pkg/apis/helm.fluxcd.io/v1/types_helmrelease.go#L439' + properties: + configMapKeyRef: + description: The reference to a config map with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + description: The reference to a secret with release values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same namespace + as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + description: Version of the chart to download + nullable: true + type: string + waitForJobs: + description: 'WaitForJobs if set and timeoutSeconds provided, + will wait until all + + Jobs have been completed before marking the GitRepo as ready. + It + + will wait for as long as timeoutSeconds' + type: boolean + type: object + ignore: + description: IgnoreOptions can be used to ignore fields when monitoring + the bundle. + properties: + conditions: + description: Conditions is a list of conditions to be ignored + when monitoring the Bundle. + items: + additionalProperties: + type: string + type: object + nullable: true + type: array + type: object + keepResources: + description: KeepResources can be used to keep the deployed resources + when removing the bundle + type: boolean + kustomize: + description: 'Kustomize options for the deployment, like the dir + containing the + + kustomization.yaml file.' + nullable: true + properties: + dir: + description: 'Dir points to a custom folder for kustomize resources. + This folder must contain + + a kustomization.yaml file.' + nullable: true + type: string + type: object + namespace: + description: 'TargetNamespace if present will assign all resource + to this + + namespace and if any cluster scoped resource exists the deployment + + will fail.' + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + type: string + description: NamespaceAnnotations are annotations that will be appended + to the namespace created by Fleet. + nullable: true + type: object + namespaceLabels: + additionalProperties: + type: string + description: NamespaceLabels are labels that will be appended to + the namespace created by Fleet. + nullable: true + type: object + paused: + description: Paused if set to true, will stop any BundleDeployments + from being updated. It will be marked as out of sync. + type: boolean + resources: + description: 'Resources contains the resources that were read from + the bundle''s + + path. This includes the content of downloaded helm charts.' + items: + description: BundleResource represents the content of a single + resource from the bundle, like a YAML manifest. + properties: + content: + description: The content of the resource, can be compressed. + nullable: true + type: string + encoding: + description: Encoding is either empty or "base64+gz". + nullable: true + type: string + name: + description: Name of the resource, can include the bundle's + internal path. + nullable: true + type: string + type: object + nullable: true + type: array + rolloutStrategy: + description: 'RolloutStrategy controls the rollout of bundles, by + defining + + partitions, canaries and percentages for cluster availability.' + nullable: true + properties: + autoPartitionSize: + anyOf: + - type: integer + - type: string + description: 'A number or percentage of how to automatically + partition clusters if no + + specific partitioning strategy is configured. + + default: 25%' + nullable: true + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'A number or percentage of clusters that can be + unavailable during an update + + of a bundle. This follows the same basic approach as a deployment + rollout + + strategy. Once the number of clusters meets unavailable state + update will be + + paused. Default value is 100% which doesn''t take effect on + update. + + default: 100%' + nullable: true + x-kubernetes-int-or-string: true + maxUnavailablePartitions: + anyOf: + - type: integer + - type: string + description: 'A number or percentage of cluster partitions that + can be unavailable during + + an update of a bundle. + + default: 0' + nullable: true + x-kubernetes-int-or-string: true + partitions: + description: 'A list of definitions of partitions. If any target + clusters do not match + + the configuration they are added to partitions at the end + following the + + autoPartitionSize.' + items: + description: Partition defines a separate rollout strategy + for a set of clusters. + properties: + clusterGroup: + description: A cluster group name to include in this partition + type: string + clusterGroupSelector: + description: Selector matching cluster group labels to + include in this partition + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a + selector that contains values, a key, and an operator + that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + clusterName: + description: ClusterName is the name of a cluster to include + in this partition + type: string + clusterSelector: + description: Selector matching cluster labels to include + in this partition + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a + selector that contains values, a key, and an operator + that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'A number or percentage of clusters that + can be unavailable in this + + partition before this partition is treated as done. + + default: 10%' + x-kubernetes-int-or-string: true + name: + description: A user-friendly name given to the partition + used for Display (optional). + nullable: true + type: string + type: object + nullable: true + type: array + type: object + serviceAccount: + description: ServiceAccount which will be used to perform this deployment. + nullable: true + type: string + targetRestrictions: + description: TargetRestrictions is an allow list, which controls + if a bundledeployment is created for a target. + items: + description: 'BundleTargetRestriction is used internally by Fleet + and should not be modified. + + It acts as an allow list, to prevent the creation of BundleDeployments + from + + Targets created by TargetCustomizations in fleet.yaml.' + properties: + clusterGroup: + nullable: true + type: string + clusterGroupSelector: + description: 'A label selector is a label query over a set + of resources. The result of matchLabels and + + matchExpressions are ANDed. An empty label selector matches + all objects. A null + + label selector matches no objects.' + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + clusterName: + nullable: true + type: string + clusterSelector: + description: 'A label selector is a label query over a set + of resources. The result of matchLabels and + + matchExpressions are ANDed. An empty label selector matches + all objects. A null + + label selector matches no objects.' + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + name: + nullable: true + type: string + type: object + type: array + targets: + description: 'Targets refer to the clusters which will be deployed + to. + + Targets are evaluated in order and the first one to match is used.' + items: + description: 'BundleTarget declares clusters to deploy to. Fleet + will merge the + + BundleDeploymentOptions from customizations into this struct.' + properties: + clusterGroup: + description: ClusterGroup to match a specific cluster group + by name. + nullable: true + type: string + clusterGroupSelector: + description: ClusterGroupSelector is a selector to match cluster + groups. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + clusterName: + description: 'ClusterName to match a specific cluster by name + that will be + + selected' + nullable: true + type: string + clusterSelector: + description: 'ClusterSelector is a selector to match clusters. + The structure is + + the standard metav1.LabelSelector format. If clusterGroupSelector + or + + clusterGroup is specified, clusterSelector will be used + only to + + further refine the selection after clusterGroupSelector + and + + clusterGroup is evaluated.' + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + correctDrift: + description: CorrectDrift specifies how drift correction should + work. + properties: + enabled: + description: Enabled correct drift if true. + type: boolean + force: + description: Force helm rollback with --force option will + be used if true. This will try to recreate all resources + in the release. + type: boolean + keepFailHistory: + description: KeepFailHistory keeps track of failed rollbacks + in the helm history. + type: boolean + type: object + defaultNamespace: + description: 'DefaultNamespace is the namespace to use for + resources that do not + + specify a namespace. This field is not used to enforce or + lock down + + the deployment to a specific namespace.' + nullable: true + type: string + deleteCRDResources: + description: DeleteCRDResources deletes CRDs. Warning! this + will also delete all your Custom Resources. + type: boolean + deleteNamespace: + description: DeleteNamespace can be used to delete the deployed + namespace when removing the bundle + type: boolean + diff: + description: Diff can be used to ignore the modified state + of objects which are amended at runtime. + nullable: true + properties: + comparePatches: + description: ComparePatches match a resource and remove + fields from the check for modifications. + items: + description: ComparePatch matches a resource and removes + fields from the check for modifications. + properties: + apiVersion: + description: APIVersion is the apiVersion of the + resource to match. + nullable: true + type: string + jsonPointers: + description: JSONPointers ignore diffs at a certain + JSON path. + items: + type: string + nullable: true + type: array + kind: + description: Kind is the kind of the resource to + match. + nullable: true + type: string + name: + description: Name is the name of the resource to + match. + nullable: true + type: string + namespace: + description: Namespace is the namespace of the resource + to match. + nullable: true + type: string + operations: + description: Operations remove a JSON path from + the resource. + items: + description: Operation of a ComparePatch, usually + "remove". + properties: + op: + description: Op is usually "remove" + nullable: true + type: string + path: + description: Path is the JSON path to remove. + nullable: true + type: string + value: + description: Value is usually empty. + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + type: object + doNotDeploy: + description: DoNotDeploy if set to true, will not deploy to + this target. + type: boolean + forceSyncGeneration: + description: ForceSyncGeneration is used to force a redeployment + format: int64 + type: integer + helm: + description: Helm options for the deployment, like the chart + name, repo and values. + nullable: true + properties: + atomic: + description: Atomic sets the --atomic flag when Helm is + performing an upgrade + type: boolean + chart: + description: 'Chart can refer to any go-getter URL or + OCI registry based helm + + chart URL. The chart will be downloaded.' + nullable: true + type: string + disableDNS: + description: DisableDNS can be used to customize Helm's + EnableDNS option, which Fleet sets to `true` by default. + type: boolean + disableDependencyUpdate: + description: DisableDependencyUpdate allows skipping chart + dependencies update + type: boolean + disablePreProcess: + description: DisablePreProcess disables template processing + in values + type: boolean + force: + description: Force allows to override immutable resources. + This could be dangerous. + type: boolean + maxHistory: + description: MaxHistory limits the maximum number of revisions + saved per release by Helm. + type: integer + releaseName: + description: 'ReleaseName sets a custom release name to + deploy the chart as. If + + not specified a release name will be generated by combining + the + + invoking GitRepo.name + GitRepo.path.' + maxLength: 53 + nullable: true + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + repo: + description: Repo is the name of the HTTPS helm repo to + download the chart from. + nullable: true + type: string + skipSchemaValidation: + description: SkipSchemaValidation allows skipping schema + validation against the chart values + type: boolean + takeOwnership: + description: TakeOwnership makes helm skip the check for + its own annotations + type: boolean + timeoutSeconds: + description: TimeoutSeconds is the time to wait for Helm + operations. + type: integer + values: + description: 'Values passed to Helm. It is possible to + specify the keys and values + + as go template strings.' + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + valuesFiles: + description: ValuesFiles is a list of files to load values + from. + items: + type: string + nullable: true + type: array + valuesFrom: + description: ValuesFrom loads the values from configmaps + and secrets. + items: + description: 'Define helm values that can come from + configmap, secret or external. Credit: https://github.com/fluxcd/helm-operator/blob/0cfea875b5d44bea995abe7324819432070dfbdc/pkg/apis/helm.fluxcd.io/v1/types_helmrelease.go#L439' + properties: + configMapKeyRef: + description: The reference to a config map with + release values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same + namespace as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + secretKeyRef: + description: The reference to a secret with release + values. + nullable: true + properties: + key: + nullable: true + type: string + name: + description: Name of a resource in the same + namespace as the referent. + nullable: true + type: string + namespace: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + version: + description: Version of the chart to download + nullable: true + type: string + waitForJobs: + description: 'WaitForJobs if set and timeoutSeconds provided, + will wait until all + + Jobs have been completed before marking the GitRepo + as ready. It + + will wait for as long as timeoutSeconds' + type: boolean + type: object + ignore: + description: IgnoreOptions can be used to ignore fields when + monitoring the bundle. + properties: + conditions: + description: Conditions is a list of conditions to be + ignored when monitoring the Bundle. + items: + additionalProperties: + type: string + type: object + nullable: true + type: array + type: object + keepResources: + description: KeepResources can be used to keep the deployed + resources when removing the bundle + type: boolean + kustomize: + description: 'Kustomize options for the deployment, like the + dir containing the + + kustomization.yaml file.' + nullable: true + properties: + dir: + description: 'Dir points to a custom folder for kustomize + resources. This folder must contain + + a kustomization.yaml file.' + nullable: true + type: string + type: object + name: + description: 'Name of target. This value is largely for display + and logging. If + + not specified a default name of the format "target000" will + be used' + type: string + namespace: + description: 'TargetNamespace if present will assign all resource + to this + + namespace and if any cluster scoped resource exists the + deployment + + will fail.' + nullable: true + type: string + namespaceAnnotations: + additionalProperties: + type: string + description: NamespaceAnnotations are annotations that will + be appended to the namespace created by Fleet. + nullable: true + type: object + namespaceLabels: + additionalProperties: + type: string + description: NamespaceLabels are labels that will be appended + to the namespace created by Fleet. + nullable: true + type: object + serviceAccount: + description: ServiceAccount which will be used to perform + this deployment. + nullable: true + type: string + yaml: + description: 'YAML options, if using raw YAML these are names + that map to + + overlays/{name} files that will be used to replace or patch + a resource.' + nullable: true + properties: + overlays: + description: 'Overlays is a list of names that maps to + folders in "overlays/". + + If you wish to customize the file ./subdir/resource.yaml + then a file + + ./overlays/myoverlay/subdir/resource.yaml will replace + the base + + file. + + A file named ./overlays/myoverlay/subdir/resource_patch.yaml + will patch the base file.' + items: + type: string + nullable: true + type: array + type: object + type: object + type: array + yaml: + description: 'YAML options, if using raw YAML these are names that + map to + + overlays/{name} files that will be used to replace or patch a + resource.' + nullable: true + properties: + overlays: + description: 'Overlays is a list of names that maps to folders + in "overlays/". + + If you wish to customize the file ./subdir/resource.yaml then + a file + + ./overlays/myoverlay/subdir/resource.yaml will replace the + base + + file. + + A file named ./overlays/myoverlay/subdir/resource_patch.yaml + will patch the base file.' + items: + type: string + nullable: true + type: array + type: object + type: object + status: + properties: + conditions: + description: 'Conditions is a list of Wrangler conditions that describe + the state + + of the bundle.' + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one + status to another. + type: string + lastUpdateTime: + description: The last time this condition was updated. + type: string + message: + description: Human-readable message indicating details about + last transition + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + type: string + type: + description: Type of cluster condition. + type: string + required: + - status + - type + type: object + type: array + display: + description: 'Display contains the number of ready, desiredready + clusters and a + + summary state for the bundle''s resources.' + properties: + readyClusters: + description: 'ReadyClusters is a string in the form "%d/%d", + that describes the + + number of clusters that are ready vs. the number of clusters + desired + + to be ready.' + nullable: true + type: string + state: + description: State is a summary state for the bundle, calculated + over the non-ready resources. + nullable: true + type: string + type: object + maxNew: + description: 'MaxNew is always 50. A bundle change can only stage + 50 + + bundledeployments at a time.' + type: integer + maxUnavailable: + description: 'MaxUnavailable is the maximum number of unavailable + deployments. See + + rollout configuration.' + type: integer + maxUnavailablePartitions: + description: 'MaxUnavailablePartitions is the maximum number of + unavailable + + partitions. The rollout configuration defines a maximum number + or + + percentage of unavailable partitions.' + type: integer + newlyCreated: + description: 'NewlyCreated is the number of bundle deployments that + have been created, + + not updated.' + type: integer + observedGeneration: + description: ObservedGeneration is the current generation of the + bundle. + format: int64 + type: integer + ociReference: + description: 'OCIReference is the OCI reference used to store contents, + this is + + only for informational purposes.' + type: string + partitions: + description: PartitionStatus lists the status of each partition. + items: + description: PartitionStatus is the status of a single rollout + partition. + properties: + count: + description: Count is the number of clusters in the partition. + type: integer + maxUnavailable: + description: MaxUnavailable is the maximum number of unavailable + clusters in the partition. + type: integer + name: + description: Name is the name of the partition. + nullable: true + type: string + summary: + description: Summary is a summary state for the partition, + calculated over its non-ready resources. + properties: + desiredReady: + description: 'DesiredReady is the number of bundle deployments + that should be + + ready.' + type: integer + errApplied: + description: 'ErrApplied is the number of bundle deployments + that have been synced + + from the Fleet controller and the downstream cluster, + but with some + + errors when deploying the bundle.' + type: integer + modified: + description: 'Modified is the number of bundle deployments + that have been deployed + + and for which all resources are ready, but where some + changes from the + + Git repository have not yet been synced.' + type: integer + nonReadyResources: + description: 'NonReadyClusters is a list of states, which + is filled for a bundle + + that is not ready.' + items: + description: 'NonReadyResource contains information + about a bundle that is not ready for a + + given state like "ErrApplied". It contains a list + of non-ready or modified + + resources and their states.' + properties: + bundleState: + description: State is the state of the resource, + like e.g. "NotReady" or "ErrApplied". + nullable: true + type: string + message: + description: Message contains information why the + bundle is not ready. + nullable: true + type: string + modifiedStatus: + description: ModifiedStatus lists the state for + each modified resource. + items: + description: 'ModifiedStatus is used to report + the status of a resource that is modified. + + It indicates if the modification was a create, + a delete or a patch.' + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + description: Name is the name of the resource. + nullable: true + type: string + nonReadyStatus: + description: NonReadyStatus lists the state for + each non-ready resource. + items: + description: NonReadyStatus is used to report + the status of a resource that is not ready. + It includes a summary. + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + type: string + type: array + state: + type: string + transitioning: + type: boolean + type: object + uid: + description: 'UID is a type that holds unique + ID values, including UUIDs. Because we + + don''t ONLY use UUIDs, this is an alias + to string. Being a type captures + + intent and helps make sure that UIDs and + names do not get conflated.' + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + description: 'NotReady is the number of bundle deployments + that have been deployed + + where some resources are not ready.' + type: integer + outOfSync: + description: 'OutOfSync is the number of bundle deployments + that have been synced + + from Fleet controller, but not yet by the downstream + agent.' + type: integer + pending: + description: 'Pending is the number of bundle deployments + that are being processed + + by Fleet controller.' + type: integer + ready: + description: 'Ready is the number of bundle deployments + that have been deployed + + where all resources are ready.' + type: integer + waitApplied: + description: 'WaitApplied is the number of bundle deployments + that have been + + synced from Fleet controller and downstream cluster, + but are waiting + + to be deployed.' + type: integer + type: object + unavailable: + description: Unavailable is the number of unavailable clusters + in the partition. + type: integer + type: object + type: array + resourceKey: + description: 'ResourceKey lists resources, which will likely be + deployed. The + + actual list of resources on a cluster might differ, depending + on the + + helm chart, value templating, etc..' + items: + description: ResourceKey lists resources, which will likely be + deployed. + properties: + apiVersion: + description: APIVersion is the k8s api version of the resource. + nullable: true + type: string + kind: + description: Kind is the k8s api kind of the resource. + nullable: true + type: string + name: + description: Name is the name of the resource. + nullable: true + type: string + namespace: + description: Namespace is the namespace of the resource. + nullable: true + type: string + type: object + nullable: true + type: array + resourcesSha256Sum: + description: ResourcesSHA256Sum corresponds to the JSON serialization + of the .Spec.Resources field + type: string + summary: + description: 'Summary contains the number of bundle deployments + in each state and + + a list of non-ready resources.' + properties: + desiredReady: + description: 'DesiredReady is the number of bundle deployments + that should be + + ready.' + type: integer + errApplied: + description: 'ErrApplied is the number of bundle deployments + that have been synced + + from the Fleet controller and the downstream cluster, but + with some + + errors when deploying the bundle.' + type: integer + modified: + description: 'Modified is the number of bundle deployments that + have been deployed + + and for which all resources are ready, but where some changes + from the + + Git repository have not yet been synced.' + type: integer + nonReadyResources: + description: 'NonReadyClusters is a list of states, which is + filled for a bundle + + that is not ready.' + items: + description: 'NonReadyResource contains information about + a bundle that is not ready for a + + given state like "ErrApplied". It contains a list of non-ready + or modified + + resources and their states.' + properties: + bundleState: + description: State is the state of the resource, like + e.g. "NotReady" or "ErrApplied". + nullable: true + type: string + message: + description: Message contains information why the bundle + is not ready. + nullable: true + type: string + modifiedStatus: + description: ModifiedStatus lists the state for each modified + resource. + items: + description: 'ModifiedStatus is used to report the status + of a resource that is modified. + + It indicates if the modification was a create, a delete + or a patch.' + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + description: Name is the name of the resource. + nullable: true + type: string + nonReadyStatus: + description: NonReadyStatus lists the state for each non-ready + resource. + items: + description: NonReadyStatus is used to report the status + of a resource that is not ready. It includes a summary. + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + type: string + type: array + state: + type: string + transitioning: + type: boolean + type: object + uid: + description: 'UID is a type that holds unique ID + values, including UUIDs. Because we + + don''t ONLY use UUIDs, this is an alias to string. Being + a type captures + + intent and helps make sure that UIDs and names + do not get conflated.' + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + description: 'NotReady is the number of bundle deployments that + have been deployed + + where some resources are not ready.' + type: integer + outOfSync: + description: 'OutOfSync is the number of bundle deployments + that have been synced + + from Fleet controller, but not yet by the downstream agent.' + type: integer + pending: + description: 'Pending is the number of bundle deployments that + are being processed + + by Fleet controller.' + type: integer + ready: + description: 'Ready is the number of bundle deployments that + have been deployed + + where all resources are ready.' + type: integer + waitApplied: + description: 'WaitApplied is the number of bundle deployments + that have been + + synced from Fleet controller and downstream cluster, but are + waiting + + to be deployed.' + type: integer + type: object + unavailable: + description: 'Unavailable is the number of bundle deployments that + are not ready or + + where the AppliedDeploymentID in the status does not match the + + DeploymentID from the spec.' + type: integer + unavailablePartitions: + description: UnavailablePartitions is the number of unavailable + partitions. + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clustergroups.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + categories: + - fleet + kind: ClusterGroup + listKind: ClusterGroupList + plural: clustergroups + singular: clustergroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.readyClusters + name: Clusters-Ready + type: string + - jsonPath: .status.display.readyBundles + name: Bundles-Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterGroup is a re-usable selector to target a group of clusters. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + selector: + description: Selector is a label selector, used to select clusters + for this group. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: 'A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is replaced + during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, whose + key field is "key", the + + operator is "In", and the values array contains only "value". + The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + type: object + status: + properties: + clusterCount: + description: ClusterCount is the number of clusters in the cluster + group. + type: integer + conditions: + description: Conditions is a list of conditions and their statuses + for the cluster group. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one + status to another. + type: string + lastUpdateTime: + description: The last time this condition was updated. + type: string + message: + description: Human-readable message indicating details about + last transition + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + type: string + type: + description: Type of cluster condition. + type: string + required: + - status + - type + type: object + type: array + display: + description: 'Display contains the number of ready, desiredready + clusters and a + + summary state for the bundle''s resources.' + properties: + readyBundles: + description: 'ReadyBundles is a string in the form "%d/%d", + that describes the + + number of bundles that are ready vs. the number of bundles + desired + + to be ready.' + nullable: true + type: string + readyClusters: + description: 'ReadyClusters is a string in the form "%d/%d", + that describes the + + number of clusters that are ready vs. the number of clusters + desired + + to be ready.' + nullable: true + type: string + state: + description: 'State is a summary state for the cluster group, + showing "NotReady" if + + there are non-ready resources.' + nullable: true + type: string + type: object + nonReadyClusterCount: + description: NonReadyClusterCount is the number of clusters that + are not ready. + type: integer + nonReadyClusters: + description: NonReadyClusters is a list of cluster names that are + not ready. + items: + type: string + nullable: true + type: array + resourceCounts: + description: 'ResourceCounts contains the number of resources in + each state over + + all bundles in the cluster group.' + properties: + desiredReady: + description: DesiredReady is the number of resources that should + be ready. + type: integer + missing: + description: Missing is the number of missing resources. + type: integer + modified: + description: Modified is the number of resources that have been + modified. + type: integer + notReady: + description: 'NotReady is the number of not ready resources. + Resources are not + + ready if they do not match any other state.' + type: integer + orphaned: + description: Orphaned is the number of orphaned resources. + type: integer + ready: + description: Ready is the number of ready resources. + type: integer + unknown: + description: Unknown is the number of resources in an unknown + state. + type: integer + waitApplied: + description: WaitApplied is the number of resources that are + waiting to be applied. + type: integer + type: object + summary: + description: 'Summary is a summary of the bundle deployments and + their resources + + in the cluster group.' + properties: + desiredReady: + description: 'DesiredReady is the number of bundle deployments + that should be + + ready.' + type: integer + errApplied: + description: 'ErrApplied is the number of bundle deployments + that have been synced + + from the Fleet controller and the downstream cluster, but + with some + + errors when deploying the bundle.' + type: integer + modified: + description: 'Modified is the number of bundle deployments that + have been deployed + + and for which all resources are ready, but where some changes + from the + + Git repository have not yet been synced.' + type: integer + nonReadyResources: + description: 'NonReadyClusters is a list of states, which is + filled for a bundle + + that is not ready.' + items: + description: 'NonReadyResource contains information about + a bundle that is not ready for a + + given state like "ErrApplied". It contains a list of non-ready + or modified + + resources and their states.' + properties: + bundleState: + description: State is the state of the resource, like + e.g. "NotReady" or "ErrApplied". + nullable: true + type: string + message: + description: Message contains information why the bundle + is not ready. + nullable: true + type: string + modifiedStatus: + description: ModifiedStatus lists the state for each modified + resource. + items: + description: 'ModifiedStatus is used to report the status + of a resource that is modified. + + It indicates if the modification was a create, a delete + or a patch.' + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + description: Name is the name of the resource. + nullable: true + type: string + nonReadyStatus: + description: NonReadyStatus lists the state for each non-ready + resource. + items: + description: NonReadyStatus is used to report the status + of a resource that is not ready. It includes a summary. + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + type: string + type: array + state: + type: string + transitioning: + type: boolean + type: object + uid: + description: 'UID is a type that holds unique ID + values, including UUIDs. Because we + + don''t ONLY use UUIDs, this is an alias to string. Being + a type captures + + intent and helps make sure that UIDs and names + do not get conflated.' + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + description: 'NotReady is the number of bundle deployments that + have been deployed + + where some resources are not ready.' + type: integer + outOfSync: + description: 'OutOfSync is the number of bundle deployments + that have been synced + + from Fleet controller, but not yet by the downstream agent.' + type: integer + pending: + description: 'Pending is the number of bundle deployments that + are being processed + + by Fleet controller.' + type: integer + ready: + description: 'Ready is the number of bundle deployments that + have been deployed + + where all resources are ready.' + type: integer + waitApplied: + description: 'WaitApplied is the number of bundle deployments + that have been + + synced from Fleet controller and downstream cluster, but are + waiting + + to be deployed.' + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterregistrations.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: ClusterRegistration + listKind: ClusterRegistrationList + plural: clusterregistrations + singular: clusterregistration + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.clusterName + name: Cluster-Name + type: string + - jsonPath: .spec.clusterLabels + name: Labels + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterRegistration is used internally by Fleet and should + not be used directly. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + clientID: + description: 'ClientID is a unique string that will identify the + cluster. The + + agent either uses the configured ID or the kubeSystem.UID.' + nullable: true + type: string + clientRandom: + description: 'ClientRandom is a random string that the agent generates. + When + + fleet-controller grants a registration, it creates a registration + + secret with this string in the name.' + nullable: true + type: string + clusterLabels: + additionalProperties: + type: string + description: ClusterLabels are copied to the cluster resource during + the registration. + nullable: true + type: object + type: object + status: + properties: + clusterName: + description: 'ClusterName is only set after the registration is + being processed by + + fleet-controller.' + nullable: true + type: string + granted: + description: 'Granted is set to true, if the request service account + is present + + and its token secret exists. This happens directly before creating + + the registration secret, roles and rolebindings.' + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterregistrationtokens.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: ClusterRegistrationToken + listKind: ClusterRegistrationTokenList + plural: clusterregistrationtokens + singular: clusterregistrationtoken + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.secretName + name: Secret-Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterRegistrationToken is used by agents to register a new + cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + ttl: + description: 'TTL is the time to live for the token. It is used + to calculate the + + expiration time. If the token expires, it will be deleted.' + nullable: true + type: string + type: object + status: + properties: + expires: + description: Expires is the time when the token expires. + format: date-time + type: string + secretName: + description: SecretName is the name of the secret containing the + token. + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusters.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: Cluster + listKind: ClusterList + plural: clusters + singular: cluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.display.readyBundles + name: Bundles-Ready + type: string + - jsonPath: .status.agent.lastSeen + name: Last-Seen + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'Cluster corresponds to a Kubernetes cluster. Fleet deploys + bundles to targeted clusters. + + Clusters to which Fleet deploys manifests are referred to as downstream + + clusters. In the single cluster use case, the Fleet manager Kubernetes + + cluster is both the manager and downstream cluster at the same time.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + agentAffinity: + description: 'AgentAffinity overrides the default affinity for the + cluster''s agent + + deployment. If this value is nil the default affinity is used.' + nullable: true + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: 'The scheduler will prefer to schedule pods + to nodes that satisfy + + the affinity expressions specified by this field, but + it may choose + + a node that violates one or more of the expressions. The + node that is + + most preferred is the one with the greatest sum of weights, + i.e. + + for each node that meets all of the scheduling requirements + (resource + + request, requiredDuringScheduling affinity expressions, + etc.), + + compute a sum by iterating through the elements of this + field and adding + + "weight" to the sum if the node matches the corresponding + matchExpressions; the + + node(s) with the highest sum are the most preferred.' + items: + description: 'An empty preferred scheduling term matches + all objects with implicit weight 0 + + (i.e. it''s a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op).' + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: 'A node selector requirement is + a selector that contains values, a key, and + an operator + + that relates the key and values.' + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: 'Represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt.' + type: string + values: + description: 'An array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a strategic + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: 'A node selector requirement is + a selector that contains values, a key, and + an operator + + that relates the key and values.' + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: 'Represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt.' + type: string + values: + description: 'An array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a strategic + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: 'If the affinity requirements specified by + this field are not met at + + scheduling time, the pod will not be scheduled onto the + node. + + If the affinity requirements specified by this field cease + to be met + + at some point during pod execution (e.g. due to an update), + the system + + may or may not try to eventually evict the pod from its + node.' + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: 'A null or empty node selector term matches + no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements a subset + of the NodeSelectorTerm.' + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: 'A node selector requirement is + a selector that contains values, a key, and + an operator + + that relates the key and values.' + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: 'Represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt.' + type: string + values: + description: 'An array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a strategic + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: 'A node selector requirement is + a selector that contains values, a key, and + an operator + + that relates the key and values.' + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: 'Represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt.' + type: string + values: + description: 'An array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a strategic + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: 'The scheduler will prefer to schedule pods + to nodes that satisfy + + the affinity expressions specified by this field, but + it may choose + + a node that violates one or more of the expressions. The + node that is + + most preferred is the one with the greatest sum of weights, + i.e. + + for each node that meets all of the scheduling requirements + (resource + + request, requiredDuringScheduling affinity expressions, + etc.), + + compute a sum by iterating through the elements of this + field and adding + + "weight" to the sum if the node has pods which matches + the corresponding podAffinityTerm; the + + node(s) with the highest sum are the most preferred.' + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: 'A label query over a set of resources, + in this case pods. + + If it''s null, this PodAffinityTerm matches + with no Pods.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: 'A label selector requirement + is a selector that contains values, a + key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: 'operator represents a + key''s relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of + string values. If the operator is + In or NotIn, + + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: 'MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys are used + to lookup values from the + + incoming pod labels, those key-value labels + are merged with `labelSelector` as `key in (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. + Keys that don''t exist in the incoming + + pod labels will be ignored. The default value + is empty. + + The same key is forbidden to exist in both matchLabelKeys + and labelSelector. + + Also, matchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: 'MismatchLabelKeys is a set of pod + label keys to select which pods will + + be taken into consideration. The keys are used + to lookup values from the + + incoming pod labels, those key-value labels + are merged with `labelSelector` as `key notin + (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. + Keys that don''t exist in the incoming + + pod labels will be ignored. The default value + is empty. + + The same key is forbidden to exist in both mismatchLabelKeys + and labelSelector. + + Also, mismatchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: 'A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the namespaces + selected by this field + + and the ones listed in the namespaces field. + + null selector and null or empty namespaces list + means "this pod''s namespace". + + An empty selector ({}) matches all namespaces.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: 'A label selector requirement + is a selector that contains values, a + key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: 'operator represents a + key''s relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of + string values. If the operator is + In or NotIn, + + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: 'namespaces specifies a static list + of namespace names that the term applies to. + + The term is applied to the union of the namespaces + listed in this field + + and the ones selected by namespaceSelector. + + null or empty namespaces list and null namespaceSelector + means "this pod''s namespace".' + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: 'This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching + + the labelSelector in the specified namespaces, + where co-located is defined as running on a + node + + whose value of the label with key topologyKey + matches that of any node on which any of the + + selected pods is running. + + Empty topologyKey is not allowed.' + type: string + required: + - topologyKey + type: object + weight: + description: 'weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100.' + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: 'If the affinity requirements specified by + this field are not met at + + scheduling time, the pod will not be scheduled onto the + node. + + If the affinity requirements specified by this field cease + to be met + + at some point during pod execution (e.g. due to a pod + label update), the + + system may or may not try to eventually evict the pod + from its node. + + When there are multiple elements, the lists of nodes corresponding + to each + + podAffinityTerm are intersected, i.e. all terms must be + satisfied.' + items: + description: 'Defines a set of pods (namely those matching + the labelSelector + + relative to the given namespace(s)) that this pod should + be + + co-located (affinity) or not co-located (anti-affinity) + with, + + where co-located is defined as running on a node whose + value of + + the label with key matches that of any + node on which + + a pod of the set of pods is running' + properties: + labelSelector: + description: 'A label query over a set of resources, + in this case pods. + + If it''s null, this PodAffinityTerm matches with + no Pods.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: 'A label selector requirement is + a selector that contains values, a key, and + an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: 'operator represents a key''s + relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of string + values. If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: 'MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys are used to + lookup values from the + + incoming pod labels, those key-value labels are + merged with `labelSelector` as `key in (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. Keys + that don''t exist in the incoming + + pod labels will be ignored. The default value is + empty. + + The same key is forbidden to exist in both matchLabelKeys + and labelSelector. + + Also, matchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity + feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: 'MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys are used to + lookup values from the + + incoming pod labels, those key-value labels are + merged with `labelSelector` as `key notin (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. Keys + that don''t exist in the incoming + + pod labels will be ignored. The default value is + empty. + + The same key is forbidden to exist in both mismatchLabelKeys + and labelSelector. + + Also, mismatchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity + feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: 'A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the namespaces + selected by this field + + and the ones listed in the namespaces field. + + null selector and null or empty namespaces list + means "this pod''s namespace". + + An empty selector ({}) matches all namespaces.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: 'A label selector requirement is + a selector that contains values, a key, and + an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: 'operator represents a key''s + relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of string + values. If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: 'namespaces specifies a static list of + namespace names that the term applies to. + + The term is applied to the union of the namespaces + listed in this field + + and the ones selected by namespaceSelector. + + null or empty namespaces list and null namespaceSelector + means "this pod''s namespace".' + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: 'This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching + + the labelSelector in the specified namespaces, where + co-located is defined as running on a node + + whose value of the label with key topologyKey matches + that of any node on which any of the + + selected pods is running. + + Empty topologyKey is not allowed.' + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: 'The scheduler will prefer to schedule pods + to nodes that satisfy + + the anti-affinity expressions specified by this field, + but it may choose + + a node that violates one or more of the expressions. The + node that is + + most preferred is the one with the greatest sum of weights, + i.e. + + for each node that meets all of the scheduling requirements + (resource + + request, requiredDuringScheduling anti-affinity expressions, + etc.), + + compute a sum by iterating through the elements of this + field and adding + + "weight" to the sum if the node has pods which matches + the corresponding podAffinityTerm; the + + node(s) with the highest sum are the most preferred.' + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: 'A label query over a set of resources, + in this case pods. + + If it''s null, this PodAffinityTerm matches + with no Pods.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: 'A label selector requirement + is a selector that contains values, a + key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: 'operator represents a + key''s relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of + string values. If the operator is + In or NotIn, + + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: 'MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys are used + to lookup values from the + + incoming pod labels, those key-value labels + are merged with `labelSelector` as `key in (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. + Keys that don''t exist in the incoming + + pod labels will be ignored. The default value + is empty. + + The same key is forbidden to exist in both matchLabelKeys + and labelSelector. + + Also, matchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: 'MismatchLabelKeys is a set of pod + label keys to select which pods will + + be taken into consideration. The keys are used + to lookup values from the + + incoming pod labels, those key-value labels + are merged with `labelSelector` as `key notin + (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. + Keys that don''t exist in the incoming + + pod labels will be ignored. The default value + is empty. + + The same key is forbidden to exist in both mismatchLabelKeys + and labelSelector. + + Also, mismatchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: 'A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the namespaces + selected by this field + + and the ones listed in the namespaces field. + + null selector and null or empty namespaces list + means "this pod''s namespace". + + An empty selector ({}) matches all namespaces.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: 'A label selector requirement + is a selector that contains values, a + key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: 'operator represents a + key''s relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of + string values. If the operator is + In or NotIn, + + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: 'namespaces specifies a static list + of namespace names that the term applies to. + + The term is applied to the union of the namespaces + listed in this field + + and the ones selected by namespaceSelector. + + null or empty namespaces list and null namespaceSelector + means "this pod''s namespace".' + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: 'This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching + + the labelSelector in the specified namespaces, + where co-located is defined as running on a + node + + whose value of the label with key topologyKey + matches that of any node on which any of the + + selected pods is running. + + Empty topologyKey is not allowed.' + type: string + required: + - topologyKey + type: object + weight: + description: 'weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100.' + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: 'If the anti-affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be scheduled onto the + node. + + If the anti-affinity requirements specified by this field + cease to be met + + at some point during pod execution (e.g. due to a pod + label update), the + + system may or may not try to eventually evict the pod + from its node. + + When there are multiple elements, the lists of nodes corresponding + to each + + podAffinityTerm are intersected, i.e. all terms must be + satisfied.' + items: + description: 'Defines a set of pods (namely those matching + the labelSelector + + relative to the given namespace(s)) that this pod should + be + + co-located (affinity) or not co-located (anti-affinity) + with, + + where co-located is defined as running on a node whose + value of + + the label with key matches that of any + node on which + + a pod of the set of pods is running' + properties: + labelSelector: + description: 'A label query over a set of resources, + in this case pods. + + If it''s null, this PodAffinityTerm matches with + no Pods.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: 'A label selector requirement is + a selector that contains values, a key, and + an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: 'operator represents a key''s + relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of string + values. If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: 'MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys are used to + lookup values from the + + incoming pod labels, those key-value labels are + merged with `labelSelector` as `key in (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. Keys + that don''t exist in the incoming + + pod labels will be ignored. The default value is + empty. + + The same key is forbidden to exist in both matchLabelKeys + and labelSelector. + + Also, matchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity + feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: 'MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys are used to + lookup values from the + + incoming pod labels, those key-value labels are + merged with `labelSelector` as `key notin (value)` + + to select the group of existing pods which pods + will be taken into consideration + + for the incoming pod''s pod (anti) affinity. Keys + that don''t exist in the incoming + + pod labels will be ignored. The default value is + empty. + + The same key is forbidden to exist in both mismatchLabelKeys + and labelSelector. + + Also, mismatchLabelKeys cannot be set when labelSelector + isn''t set. + + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity + feature gate.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: 'A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the namespaces + selected by this field + + and the ones listed in the namespaces field. + + null selector and null or empty namespaces list + means "this pod''s namespace". + + An empty selector ({}) matches all namespaces.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: 'A label selector requirement is + a selector that contains values, a key, and + an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: 'operator represents a key''s + relationship to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist.' + type: string + values: + description: 'values is an array of string + values. If the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: 'namespaces specifies a static list of + namespace names that the term applies to. + + The term is applied to the union of the namespaces + listed in this field + + and the ones selected by namespaceSelector. + + null or empty namespaces list and null namespaceSelector + means "this pod''s namespace".' + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: 'This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching + + the labelSelector in the specified namespaces, where + co-located is defined as running on a node + + whose value of the label with key topologyKey matches + that of any node on which any of the + + selected pods is running. + + Empty topologyKey is not allowed.' + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + agentEnvVars: + description: AgentEnvVars are extra environment variables to be + added to the agent deployment. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + + using the previously defined environment variables in the + container and + + any service environment variables. If a variable cannot + be resolved, + + the reference in the input string will be unchanged. Double + $$ are reduced + + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. + + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + + Escaped references will never be expanded, regardless of + whether the variable + + exists or not. + + Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: '' + description: 'Name of the referent. + + This field is effectively required, but due to backwards + compatibility is + + allowed to be empty. Instances of this type with + an empty value here are + + almost certainly wrong. + + TODO: Add other useful fields. apiVersion, kind, + uid? + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + + TODO: Drop `kubebuilder:default` when controller-gen + doesn''t need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, + + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests + + (limits.cpu, limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: '' + description: 'Name of the referent. + + This field is effectively required, but due to backwards + compatibility is + + allowed to be empty. Instances of this type with + an empty value here are + + almost certainly wrong. + + TODO: Add other useful fields. apiVersion, kind, + uid? + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + + TODO: Drop `kubebuilder:default` when controller-gen + doesn''t need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + nullable: true + type: array + agentNamespace: + description: AgentNamespace defaults to the system namespace, e.g. + cattle-fleet-system. + nullable: true + type: string + agentResources: + description: AgentResources sets the resources for the cluster's + agent deployment. + nullable: true + properties: + claims: + description: 'Claims lists the names of resources, defined in + spec.resourceClaims, + + that are used by this container. + + + + This is an alpha field and requires enabling the + + DynamicResourceAllocation feature gate. + + + + This field is immutable. It can only be set for containers.' + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: 'Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. It makes that resource + available + + inside a container.' + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. + + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. + + If Requests is omitted for a container, it defaults to Limits + if that is explicitly specified, + + otherwise to an implementation-defined value. Requests cannot + exceed Limits. + + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + agentTolerations: + description: AgentTolerations defines an extra set of Tolerations + to be added to the Agent deployment. + items: + description: 'The pod this Toleration is attached to tolerates + any taint that matches + + the triple using the matching operator .' + properties: + effect: + description: 'Effect indicates the taint effect to match. + Empty means match all taint effects. + + When specified, allowed values are NoSchedule, PreferNoSchedule + and NoExecute.' + type: string + key: + description: 'Key is the taint key that the toleration applies + to. Empty means match all taint keys. + + If the key is empty, operator must be Exists; this combination + means to match all values and all keys.' + type: string + operator: + description: 'Operator represents a key''s relationship to + the value. + + Valid operators are Exists and Equal. Defaults to Equal. + + Exists is equivalent to wildcard for value, so that a pod + can + + tolerate all taints of a particular category.' + type: string + tolerationSeconds: + description: 'TolerationSeconds represents the period of time + the toleration (which must be + + of effect NoExecute, otherwise this field is ignored) tolerates + the taint. By default, + + it is not set, which means tolerate the taint forever (do + not evict). Zero and + + negative values will be treated as 0 (evict immediately) + by the system.' + format: int64 + type: integer + value: + description: 'Value is the taint value the toleration matches + to. + + If the operator is Exists, the value should be empty, otherwise + just a regular string.' + type: string + type: object + nullable: true + type: array + clientID: + description: 'ClientID is a unique string that will identify the + cluster. It can + + either be predefined, or generated when importing the cluster.' + nullable: true + type: string + hostNetwork: + description: 'HostNetwork sets the agent StatefulSet to use hostNetwork: + true setting. + + Allows for provisioning of network related bundles (CNI configuration).' + nullable: true + type: boolean + kubeConfigSecret: + description: 'KubeConfigSecret is the name of the secret containing + the kubeconfig for the downstream cluster. + + It can optionally contain a APIServerURL and CA to override the + + values in the fleet-controller''s configmap.' + nullable: true + type: string + kubeConfigSecretNamespace: + description: 'KubeConfigSecretNamespace is the namespace of the + secret containing the kubeconfig for the downstream cluster. + + If unset, it will be assumed the secret can be found in the namespace + that the Cluster object resides within.' + nullable: true + type: string + paused: + description: Paused if set to true, will stop any BundleDeployments + from being updated. + type: boolean + privateRepoURL: + description: PrivateRepoURL prefixes the image name and overrides + a global repo URL from the agents config. + nullable: true + type: string + redeployAgentGeneration: + description: RedeployAgentGeneration can be used to force redeploying + the agent. + format: int64 + type: integer + templateValues: + description: TemplateValues defines a cluster specific mapping of + values to be sent to fleet.yaml values templating. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + agent: + description: AgentStatus contains information about the agent. + properties: + lastSeen: + description: 'LastSeen is the last time the agent checked in + to update the status + + of the cluster resource.' + format: date-time + nullable: true + type: string + namespace: + description: Namespace is the namespace of the agent deployment, + e.g. "cattle-fleet-system". + nullable: true + type: string + type: object + agentAffinityHash: + description: 'AgentAffinityHash is a hash of the agent''s affinity + configuration, + + used to detect changes.' + type: string + agentConfigChanged: + description: 'AgentConfigChanged is set to true if any of the agent + configuration + + changed, like the API server URL or CA. Setting it to true will + + trigger a re-import of the cluster.' + type: boolean + agentDeployedGeneration: + description: AgentDeployedGeneration is the generation of the agent + that is currently deployed. + format: int64 + nullable: true + type: integer + agentEnvVarsHash: + description: AgentEnvVarsHash is a hash of the agent's env vars, + used to detect changes. + nullable: true + type: string + agentHostNetwork: + description: AgentHostNetwork defines observed state of spec.hostNetwork + setting that is currently used. + nullable: true + type: boolean + agentMigrated: + description: 'AgentMigrated is always set to true after importing + a cluster. If + + false, it will trigger a migration. Old agents don''t have + + this in their status.' + type: boolean + agentNamespaceMigrated: + description: 'AgentNamespaceMigrated is always set to true after + importing a + + cluster. If false, it will trigger a migration. Old Fleet agents + + don''t have this in their status.' + type: boolean + agentPrivateRepoURL: + description: AgentPrivateRepoURL is the private repo URL for the + agent that is currently used. + nullable: true + type: string + agentResourcesHash: + description: 'AgentResourcesHash is a hash of the agent''s resources + configuration, + + used to detect changes.' + nullable: true + type: string + agentTLSMode: + description: 'AgentTLSMode supports two values: `system-store` and + `strict`. If set to + + `system-store`, instructs the agent to trust CA bundles from the + operating + + system''s store. If set to `strict`, then the agent shall only + connect to a + + server which uses the exact CA configured when creating/updating + the agent.' + nullable: true + type: string + agentTolerationsHash: + description: 'AgentTolerationsHash is a hash of the agent''s tolerations + + configuration, used to detect changes.' + nullable: true + type: string + apiServerCAHash: + description: APIServerCAHash is a hash of the upstream API server + CA, used to detect changes. + nullable: true + type: string + apiServerURL: + description: 'APIServerURL is the currently used URL of the API + server that the + + cluster uses to connect to upstream.' + nullable: true + type: string + cattleNamespaceMigrated: + description: 'CattleNamespaceMigrated is always set to true after + importing a + + cluster. If false, it will trigger a migration. Old Fleet agents, + + don''t have this in their status.' + type: boolean + conditions: + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one + status to another. + type: string + lastUpdateTime: + description: The last time this condition was updated. + type: string + message: + description: Human-readable message indicating details about + last transition + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + type: string + type: + description: Type of cluster condition. + type: string + required: + - status + - type + type: object + type: array + desiredReadyGitRepos: + description: 'DesiredReadyGitRepos is the number of gitrepos for + this cluster that + + are desired to be ready.' + type: integer + display: + description: Display contains the number of ready bundles, nodes + and a summary state. + properties: + readyBundles: + description: 'ReadyBundles is a string in the form "%d/%d", + that describes the + + number of bundles that are ready vs. the number of bundles + desired + + to be ready.' + type: string + state: + description: State of the cluster, either one of the bundle + states, or "WaitCheckIn". + nullable: true + type: string + type: object + garbageCollectionInterval: + description: GarbageCollectionInterval determines how often agents + clean up obsolete Helm releases. + type: string + namespace: + description: 'Namespace is the cluster namespace, it contains the + clusters service + + account as well as any bundledeployments. Example: + + "cluster-fleet-local-cluster-294db1acfa77-d9ccf852678f"' + type: string + readyGitRepos: + description: ReadyGitRepos is the number of gitrepos for this cluster + that are ready. + type: integer + resourceCounts: + description: ResourceCounts is an aggregate over the GitRepoResourceCounts. + properties: + desiredReady: + description: DesiredReady is the number of resources that should + be ready. + type: integer + missing: + description: Missing is the number of missing resources. + type: integer + modified: + description: Modified is the number of resources that have been + modified. + type: integer + notReady: + description: 'NotReady is the number of not ready resources. + Resources are not + + ready if they do not match any other state.' + type: integer + orphaned: + description: Orphaned is the number of orphaned resources. + type: integer + ready: + description: Ready is the number of ready resources. + type: integer + unknown: + description: Unknown is the number of resources in an unknown + state. + type: integer + waitApplied: + description: WaitApplied is the number of resources that are + waiting to be applied. + type: integer + type: object + summary: + description: 'Summary is a summary of the bundledeployments. The + resource counts + + are copied from the gitrepo resource.' + properties: + desiredReady: + description: 'DesiredReady is the number of bundle deployments + that should be + + ready.' + type: integer + errApplied: + description: 'ErrApplied is the number of bundle deployments + that have been synced + + from the Fleet controller and the downstream cluster, but + with some + + errors when deploying the bundle.' + type: integer + modified: + description: 'Modified is the number of bundle deployments that + have been deployed + + and for which all resources are ready, but where some changes + from the + + Git repository have not yet been synced.' + type: integer + nonReadyResources: + description: 'NonReadyClusters is a list of states, which is + filled for a bundle + + that is not ready.' + items: + description: 'NonReadyResource contains information about + a bundle that is not ready for a + + given state like "ErrApplied". It contains a list of non-ready + or modified + + resources and their states.' + properties: + bundleState: + description: State is the state of the resource, like + e.g. "NotReady" or "ErrApplied". + nullable: true + type: string + message: + description: Message contains information why the bundle + is not ready. + nullable: true + type: string + modifiedStatus: + description: ModifiedStatus lists the state for each modified + resource. + items: + description: 'ModifiedStatus is used to report the status + of a resource that is modified. + + It indicates if the modification was a create, a delete + or a patch.' + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + description: Name is the name of the resource. + nullable: true + type: string + nonReadyStatus: + description: NonReadyStatus lists the state for each non-ready + resource. + items: + description: NonReadyStatus is used to report the status + of a resource that is not ready. It includes a summary. + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + type: string + type: array + state: + type: string + transitioning: + type: boolean + type: object + uid: + description: 'UID is a type that holds unique ID + values, including UUIDs. Because we + + don''t ONLY use UUIDs, this is an alias to string. Being + a type captures + + intent and helps make sure that UIDs and names + do not get conflated.' + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + description: 'NotReady is the number of bundle deployments that + have been deployed + + where some resources are not ready.' + type: integer + outOfSync: + description: 'OutOfSync is the number of bundle deployments + that have been synced + + from Fleet controller, but not yet by the downstream agent.' + type: integer + pending: + description: 'Pending is the number of bundle deployments that + are being processed + + by Fleet controller.' + type: integer + ready: + description: 'Ready is the number of bundle deployments that + have been deployed + + where all resources are ready.' + type: integer + waitApplied: + description: 'WaitApplied is the number of bundle deployments + that have been + + synced from Fleet controller and downstream cluster, but are + waiting + + to be deployed.' + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: contents.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: Content + listKind: ContentList + plural: contents + singular: content + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'Content is used internally by Fleet and should not be used + directly. It + + contains the resources from a bundle for a specific target cluster.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + content: + description: 'Content is a byte array, which contains the manifests + of a bundle. + + The bundle resources are copied into the bundledeployment''s content + + resource, so the downstream agent can deploy them.' + format: byte + nullable: true + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + sha256sum: + description: SHA256Sum of the Content field + type: string + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: gitreporestrictions.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: GitRepoRestriction + listKind: GitRepoRestrictionList + plural: gitreporestrictions + singular: gitreporestriction + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .defaultServiceAccount + name: Default-ServiceAccount + type: string + - jsonPath: .allowedServiceAccounts + name: Allowed-ServiceAccounts + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'GitRepoRestriction is a resource that can optionally be used + to restrict + + the options of GitRepos in the same namespace.' + properties: + allowedClientSecretNames: + description: AllowedClientSecretNames is a list of client secret names + that GitRepos are allowed to use. + items: + type: string + nullable: true + type: array + allowedRepoPatterns: + description: 'AllowedRepoPatterns is a list of regex patterns that restrict + the + + valid values of the Repo field of a GitRepo.' + items: + type: string + nullable: true + type: array + allowedServiceAccounts: + description: AllowedServiceAccounts is a list of service accounts that + GitRepos are allowed to use. + items: + type: string + nullable: true + type: array + allowedTargetNamespaces: + description: 'AllowedTargetNamespaces restricts TargetNamespace to the + given + + namespaces. If AllowedTargetNamespaces is set, TargetNamespace must + + be set.' + items: + type: string + nullable: true + type: array + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + defaultClientSecretName: + description: DefaultClientSecretName overrides the GitRepo's default + client secret. + nullable: true + type: string + defaultServiceAccount: + description: DefaultServiceAccount overrides the GitRepo's default service + account. + nullable: true + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: gitrepos.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + categories: + - fleet + kind: GitRepo + listKind: GitRepoList + plural: gitrepos + singular: gitrepo + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.repo + name: Repo + type: string + - jsonPath: .status.commit + name: Commit + type: string + - jsonPath: .status.display.readyBundleDeployments + name: BundleDeployments-Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'GitRepo describes a git repository that is watched by Fleet. + + The resource contains the necessary information to deploy the repo, or + parts + + of it, to target clusters.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + branch: + description: Branch The git branch to follow. + nullable: true + type: string + caBundle: + description: CABundle is a PEM encoded CA bundle which will be used + to validate the repo's certificate. + format: byte + nullable: true + type: string + clientSecretName: + description: 'ClientSecretName is the name of the client secret + to be used to connect to the repo + + It is expected the secret be of type "kubernetes.io/basic-auth" + or "kubernetes.io/ssh-auth".' + nullable: true + type: string + correctDrift: + description: CorrectDrift specifies how drift correction should + work. + properties: + enabled: + description: Enabled correct drift if true. + type: boolean + force: + description: Force helm rollback with --force option will be + used if true. This will try to recreate all resources in the + release. + type: boolean + keepFailHistory: + description: KeepFailHistory keeps track of failed rollbacks + in the helm history. + type: boolean + type: object + deleteNamespace: + description: DeleteNamespace specifies if the namespace created + must be deleted after deleting the GitRepo. + type: boolean + disablePolling: + description: Disables git polling. When enabled only webhooks will + be used. + type: boolean + forceSyncGeneration: + description: Increment this number to force a redeployment of contents + from Git. + format: int64 + type: integer + helmRepoURLRegex: + description: 'HelmRepoURLRegex Helm credentials will be used if + the helm repo matches this regex + + Credentials will always be used if this is empty or not provided.' + nullable: true + type: string + helmSecretName: + description: HelmSecretName contains the auth secret for a private + Helm repository. + nullable: true + type: string + helmSecretNameForPaths: + description: HelmSecretNameForPaths contains the auth secret for + private Helm repository for each path. + nullable: true + type: string + imageScanCommit: + description: Commit specifies how to commit to the git repo when + a new image is scanned and written back to git repo. + properties: + authorEmail: + description: AuthorEmail gives the email to provide when making + a commit + nullable: true + type: string + authorName: + description: AuthorName gives the name to provide when making + a commit + nullable: true + type: string + messageTemplate: + description: 'MessageTemplate provides a template for the commit + message, + + into which will be interpolated the details of the change + made.' + nullable: true + type: string + type: object + imageScanInterval: + description: ImageScanInterval is the interval of syncing scanned + images and writing back to git repo. + type: string + insecureSkipTLSVerify: + description: InsecureSkipTLSverify will use insecure HTTPS to clone + the repo. + type: boolean + keepResources: + description: KeepResources specifies if the resources created must + be kept after deleting the GitRepo. + type: boolean + ociRegistry: + description: OCIRegistry specifies the OCI registry related parameters + properties: + authSecretName: + description: AuthSecretName contains the auth secret where the + OCI regristry credentials are stored. + nullable: true + type: string + basicHTTP: + description: BasicHTTP uses HTTP connections to the OCI registry + when enabled. + nullable: true + type: boolean + insecureSkipTLS: + description: InsecureSkipTLS allows connections to OCI registry + without certs when enabled. + nullable: true + type: boolean + reference: + description: Reference of the OCI Registry + type: string + type: object + paths: + description: 'Paths is the directories relative to the git repo + root that contain resources to be applied. + + Path globbing is supported, for example ["charts/*"] will match + all folders as a subdirectory of charts/ + + If empty, "/" is the default.' + items: + type: string + nullable: true + type: array + paused: + description: 'Paused, when true, causes changes in Git not to be + propagated down to the clusters but instead to mark + + resources as OutOfSync.' + type: boolean + pollingInterval: + description: PollingInterval is how often to check git for new updates. + nullable: true + type: string + repo: + description: Repo is a URL to a git repo to clone and index. + nullable: true + type: string + revision: + description: Revision A specific commit or tag to operate on. + nullable: true + type: string + serviceAccount: + description: ServiceAccount used in the downstream cluster for deployment. + nullable: true + type: string + targetNamespace: + description: 'Ensure that all resources are created in this namespace + + Any cluster scoped resource will be rejected if this is set + + Additionally this namespace will be created on demand.' + nullable: true + type: string + targets: + description: Targets is a list of targets this repo will deploy + to. + items: + description: GitTarget is a cluster or cluster group to deploy + to. + properties: + clusterGroup: + description: ClusterGroup is the name of a cluster group in + the same namespace as the clusters. + nullable: true + type: string + clusterGroupSelector: + description: ClusterGroupSelector is a label selector to select + cluster groups. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + clusterName: + description: ClusterName is the name of a cluster. + nullable: true + type: string + clusterSelector: + description: ClusterSelector is a label selector to select + clusters. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: 'A label selector requirement is a selector + that contains values, a key, and an operator that + + relates the key and values.' + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: 'operator represents a key''s relationship + to a set of values. + + Valid operators are In, NotIn, Exists and DoesNotExist.' + type: string + values: + description: 'values is an array of string values. + If the operator is In or NotIn, + + the values array must be non-empty. If the operator + is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch.' + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: 'matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of matchExpressions, + whose key field is "key", the + + operator is "In", and the values array contains only + "value". The requirements are ANDed.' + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Name is the name of this target. + nullable: true + type: string + type: object + type: array + type: object + status: + properties: + commit: + description: Commit is the Git commit hash from the last git job + run. + type: string + conditions: + description: 'Conditions is a list of Wrangler conditions that describe + the state + + of the GitRepo.' + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one + status to another. + type: string + lastUpdateTime: + description: The last time this condition was updated. + type: string + message: + description: Human-readable message indicating details about + last transition + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + type: string + type: + description: Type of cluster condition. + type: string + required: + - status + - type + type: object + type: array + desiredReadyClusters: + description: "DesiredReadyClusters\tis the number of clusters that\ + \ should be ready for bundles of this GitRepo." + type: integer + display: + description: Display contains a human readable summary of the status. + properties: + error: + description: Error is true if a message is present. + type: boolean + message: + description: Message contains the relevant message from the + deployment conditions. + type: string + readyBundleDeployments: + description: 'ReadyBundleDeployments is a string in the form + "%d/%d", that describes the + + number of ready bundledeployments over the total number of + bundledeployments.' + type: string + state: + description: 'State is the state of the GitRepo, e.g. "GitUpdating" + or the maximal + + BundleState according to StateRank.' + type: string + type: object + gitJobStatus: + description: GitJobStatus is the status of the last Git job run, + e.g. "Current" if there was no error. + type: string + lastPollingTriggered: + description: LastPollingTime is the last time the polling check + was triggered + format: date-time + type: string + lastSyncedImageScanTime: + description: LastSyncedImageScanTime is the time of the last image + scan. + format: date-time + type: string + observedGeneration: + description: 'ObservedGeneration is the current generation of the + resource in the cluster. It is copied from k8s + + metadata.Generation. The value is incremented for all changes, + except for changes to .metadata or .status.' + format: int64 + type: integer + readyClusters: + description: 'ReadyClusters is the lowest number of clusters that + are ready over + + all the bundles of this GitRepo.' + type: integer + resourceCounts: + description: ResourceCounts contains the number of resources in + each state over all bundles. + properties: + desiredReady: + description: DesiredReady is the number of resources that should + be ready. + type: integer + missing: + description: Missing is the number of missing resources. + type: integer + modified: + description: Modified is the number of resources that have been + modified. + type: integer + notReady: + description: 'NotReady is the number of not ready resources. + Resources are not + + ready if they do not match any other state.' + type: integer + orphaned: + description: Orphaned is the number of orphaned resources. + type: integer + ready: + description: Ready is the number of ready resources. + type: integer + unknown: + description: Unknown is the number of resources in an unknown + state. + type: integer + waitApplied: + description: WaitApplied is the number of resources that are + waiting to be applied. + type: integer + type: object + resourceErrors: + description: ResourceErrors is a sorted list of errors from the + resources. + items: + type: string + type: array + resources: + description: Resources contains metadata about the resources of + each bundle. + items: + description: GitRepoResource contains metadata about the resources + of a bundle. + properties: + apiVersion: + description: APIVersion is the API version of the resource. + nullable: true + type: string + error: + description: Error is true if any Error in the PerClusterState + is true. + type: boolean + id: + description: ID is the name of the resource, e.g. "namespace1/my-config" + or "backingimagemanagers.storage.io". + nullable: true + type: string + incompleteState: + description: 'IncompleteState is true if a bundle summary + has 10 or more non-ready + + resources or a non-ready resource has more 10 or more non-ready + or + + modified states.' + type: boolean + kind: + description: Kind is the k8s kind of the resource. + nullable: true + type: string + message: + description: Message is the first message from the PerClusterStates. + nullable: true + type: string + name: + description: Name of the resource. + nullable: true + type: string + namespace: + description: Namespace of the resource. + nullable: true + type: string + perClusterState: + description: PerClusterState is a list of states for each + cluster. Derived from the summaries non-ready resources. + items: + description: ResourcePerClusterState is generated for each + non-ready resource of the bundles. + properties: + clusterId: + description: ClusterID is the id of the cluster. + nullable: true + type: string + error: + description: Error is true if the resource is in an + error state, copied from the bundle's summary for + non-ready resources. + type: boolean + message: + description: Message combines the messages from the + bundle's summary. Messages are joined with the delimiter + ';'. + nullable: true + type: string + patch: + description: Patch for modified resources. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + state: + description: State is the state of the resource. + nullable: true + type: string + transitioning: + description: 'Transitioning is true if the resource + is in a transitioning state, + + copied from the bundle''s summary for non-ready resources.' + type: boolean + type: object + nullable: true + type: array + state: + description: State is the state of the resource, e.g. "Unknown", + "WaitApplied", "ErrApplied" or "Ready". + type: string + transitioning: + description: Transitioning is true if any Transitioning in + the PerClusterState is true. + type: boolean + type: + description: Type is the type of the resource, e.g. "apiextensions.k8s.io.customresourcedefinition" + or "configmap". + type: string + type: object + type: array + summary: + description: Summary contains the number of bundle deployments in + each state and a list of non-ready resources. + properties: + desiredReady: + description: 'DesiredReady is the number of bundle deployments + that should be + + ready.' + type: integer + errApplied: + description: 'ErrApplied is the number of bundle deployments + that have been synced + + from the Fleet controller and the downstream cluster, but + with some + + errors when deploying the bundle.' + type: integer + modified: + description: 'Modified is the number of bundle deployments that + have been deployed + + and for which all resources are ready, but where some changes + from the + + Git repository have not yet been synced.' + type: integer + nonReadyResources: + description: 'NonReadyClusters is a list of states, which is + filled for a bundle + + that is not ready.' + items: + description: 'NonReadyResource contains information about + a bundle that is not ready for a + + given state like "ErrApplied". It contains a list of non-ready + or modified + + resources and their states.' + properties: + bundleState: + description: State is the state of the resource, like + e.g. "NotReady" or "ErrApplied". + nullable: true + type: string + message: + description: Message contains information why the bundle + is not ready. + nullable: true + type: string + modifiedStatus: + description: ModifiedStatus lists the state for each modified + resource. + items: + description: 'ModifiedStatus is used to report the status + of a resource that is modified. + + It indicates if the modification was a create, a delete + or a patch.' + properties: + apiVersion: + nullable: true + type: string + delete: + type: boolean + kind: + nullable: true + type: string + missing: + type: boolean + name: + nullable: true + type: string + namespace: + nullable: true + type: string + patch: + nullable: true + type: string + type: object + nullable: true + type: array + name: + description: Name is the name of the resource. + nullable: true + type: string + nonReadyStatus: + description: NonReadyStatus lists the state for each non-ready + resource. + items: + description: NonReadyStatus is used to report the status + of a resource that is not ready. It includes a summary. + properties: + apiVersion: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + summary: + properties: + error: + type: boolean + message: + items: + type: string + type: array + state: + type: string + transitioning: + type: boolean + type: object + uid: + description: 'UID is a type that holds unique ID + values, including UUIDs. Because we + + don''t ONLY use UUIDs, this is an alias to string. Being + a type captures + + intent and helps make sure that UIDs and names + do not get conflated.' + nullable: true + type: string + type: object + nullable: true + type: array + type: object + nullable: true + type: array + notReady: + description: 'NotReady is the number of bundle deployments that + have been deployed + + where some resources are not ready.' + type: integer + outOfSync: + description: 'OutOfSync is the number of bundle deployments + that have been synced + + from Fleet controller, but not yet by the downstream agent.' + type: integer + pending: + description: 'Pending is the number of bundle deployments that + are being processed + + by Fleet controller.' + type: integer + ready: + description: 'Ready is the number of bundle deployments that + have been deployed + + where all resources are ready.' + type: integer + waitApplied: + description: 'WaitApplied is the number of bundle deployments + that have been + + synced from Fleet controller and downstream cluster, but are + waiting + + to be deployed.' + type: integer + type: object + updateGeneration: + description: Update generation is the force update generation if + spec.forceSyncGeneration is set + format: int64 + type: integer + webhookCommit: + description: WebhookCommit is the latest Git commit hash received + from a webhook + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: imagescans.fleet.cattle.io +spec: + group: fleet.cattle.io + names: + kind: ImageScan + listKind: ImageScanList + plural: imagescans + singular: imagescan + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.image + name: Repository + type: string + - jsonPath: .status.latestTag + name: Latest + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: API is taken from https://github.com/fluxcd/image-reflector-controller + properties: + gitrepoName: + description: GitRepo reference name + nullable: true + type: string + image: + description: Image is the name of the image repository + nullable: true + type: string + interval: + description: 'Interval is the length of time to wait between + + scans of the image repository.' + nullable: true + type: string + policy: + description: 'Policy gives the particulars of the policy to be followed + in + + selecting the most recent image' + properties: + alphabetical: + description: Alphabetical set of rules to use for alphabetical + ordering of the tags. + nullable: true + properties: + order: + description: 'Order specifies the sorting order of the tags. + Given the letters of the + + alphabet as tags, ascending order would select Z, and + descending order + + would select A.' + nullable: true + type: string + type: object + semver: + description: 'SemVer gives a semantic version range to check + against the tags + + available.' + nullable: true + properties: + range: + description: 'Range gives a semver range for the image tag; + the highest + + version within the range that''s a tag yields the latest + image.' + nullable: true + type: string + type: object + type: object + secretRef: + description: 'SecretRef can be given the name of a secret containing + + credentials to use for the image registry. The secret should be + + created with `kubectl create secret docker-registry`, or the + + equivalent.' + nullable: true + properties: + name: + default: '' + description: 'Name of the referent. + + This field is effectively required, but due to backwards compatibility + is + + allowed to be empty. Instances of this type with an empty + value here are + + almost certainly wrong. + + TODO: Add other useful fields. apiVersion, kind, uid? + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + + TODO: Drop `kubebuilder:default` when controller-gen doesn''t + need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' + type: string + type: object + x-kubernetes-map-type: atomic + suspend: + description: 'This flag tells the controller to suspend subsequent + image scans. + + It does not apply to already started scans. Defaults to false.' + type: boolean + tagName: + description: TagName is the tag ref that needs to be put in manifest + to replace fields + nullable: true + type: string + type: object + status: + properties: + canonicalImageName: + description: 'CanonicalName is the name of the image repository + with all the + + implied bits made explicit; e.g., `docker.io/library/alpine` + + rather than `alpine`.' + type: string + conditions: + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one + status to another. + type: string + lastUpdateTime: + description: The last time this condition was updated. + type: string + message: + description: Human-readable message indicating details about + last transition + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + type: string + type: + description: Type of cluster condition. + type: string + required: + - status + - type + type: object + type: array + lastScanTime: + description: LastScanTime is the last time image was scanned + format: date-time + type: string + latestDigest: + description: LatestDigest is the digest of latest tag + type: string + latestImage: + description: 'LatestImage gives the first in the list of images + scanned by + + the image repository, when filtered and ordered according to + + the policy.' + type: string + latestTag: + description: Latest tag is the latest tag filtered by the policy + type: string + observedGeneration: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/fleet-crd/104.1.1+up0.10.5/values.yaml b/charts/fleet-crd/104.1.1+up0.10.5/values.yaml new file mode 100644 index 0000000000..d41d3a2444 --- /dev/null +++ b/charts/fleet-crd/104.1.1+up0.10.5/values.yaml @@ -0,0 +1 @@ +# This file is intentionally empty diff --git a/charts/fleet/104.1.1+up0.10.5/Chart.yaml b/charts/fleet/104.1.1+up0.10.5/Chart.yaml new file mode 100644 index 0000000000..f7d7b3c952 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/Chart.yaml @@ -0,0 +1,18 @@ +annotations: + catalog.cattle.io/auto-install: fleet-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.18.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: clusters.fleet.cattle.io/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: fleet +apiVersion: v2 +appVersion: 0.10.5 +description: Fleet Manager - GitOps at Scale +icon: https://charts.rancher.io/assets/logos/fleet.svg +name: fleet +version: 104.1.1+up0.10.5 diff --git a/charts/fleet/104.1.1+up0.10.5/README.md b/charts/fleet/104.1.1+up0.10.5/README.md new file mode 100644 index 0000000000..2f2a4c302a --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/README.md @@ -0,0 +1,30 @@ +# Fleet Helm Chart + +Fleet is GitOps at scale. Fleet is designed to manage multiple clusters. + +## What is Fleet? + +* Cluster engine: Fleet is a container management and deployment engine designed to offer users more control on the local cluster and constant monitoring through GitOps. Fleet focuses not only on the ability to scale, but it also gives users a high degree of control and visibility to monitor exactly what is installed on the cluster. + +* Deployment management: Fleet can manage deployments from git of raw Kubernetes YAML, Helm charts, Kustomize, or any combination of the three. Regardless of the source, all resources are dynamically turned into Helm charts, and Helm is used as the engine to deploy all resources in the cluster. As a result, users can enjoy a high degree of control, consistency, and auditability of their clusters. + +## Introduction + +This chart deploys Fleet on a Kubernetes cluster. It also deploys some of its dependencies as subcharts. + +The documentation is centralized in the [doc website](https://fleet.rancher.io/). + +## Prerequisites + +Get helm if you don't have it. Helm 3 is just a CLI. + + +## Install Fleet + +Install the Fleet Helm charts (there are two because we separate out CRDs for ultimate flexibility.): + +``` +$ helm repo add fleet https://rancher.github.io/fleet-helm-charts/ +$ helm -n cattle-fleet-system install --create-namespace --wait fleet-crd fleet/fleet-crd +$ helm -n cattle-fleet-system install --create-namespace --wait fleet fleet/fleet +``` \ No newline at end of file diff --git a/charts/fleet/104.1.1+up0.10.5/templates/_helpers.tpl b/charts/fleet/104.1.1+up0.10.5/templates/_helpers.tpl new file mode 100644 index 0000000000..6cd96c3ace --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/_helpers.tpl @@ -0,0 +1,22 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/fleet/104.1.1+up0.10.5/templates/configmap.yaml b/charts/fleet/104.1.1+up0.10.5/templates/configmap.yaml new file mode 100644 index 0000000000..719898d6d8 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/configmap.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: fleet-controller +data: + config: | + { + "systemDefaultRegistry": "{{ template "system_default_registry" . }}", + "agentImage": "{{ template "system_default_registry" . }}{{.Values.agentImage.repository}}:{{.Values.agentImage.tag}}", + "agentImagePullPolicy": "{{ .Values.agentImage.imagePullPolicy }}", + "apiServerURL": "{{.Values.apiServerURL}}", + "apiServerCA": "{{b64enc .Values.apiServerCA}}", + "agentCheckinInterval": "{{.Values.agentCheckinInterval}}", + "agentTLSMode": "{{.Values.agentTLSMode}}", + {{ if .Values.garbageCollectionInterval }} + "garbageCollectionInterval": "{{.Values.garbageCollectionInterval}}", + {{ end }} + "ignoreClusterRegistrationLabels": {{.Values.ignoreClusterRegistrationLabels}}, + "bootstrap": { + "paths": "{{.Values.bootstrap.paths}}", + "repo": "{{.Values.bootstrap.repo}}", + "secret": "{{.Values.bootstrap.secret}}", + "branch": "{{.Values.bootstrap.branch}}", + "namespace": "{{.Values.bootstrap.namespace}}", + "agentNamespace": "{{.Values.bootstrap.agentNamespace}}" + }, + "webhookReceiverURL": "{{.Values.webhookReceiverURL}}", + "githubURLPrefix": "{{.Values.githubURLPrefix}}" + } diff --git a/charts/fleet/104.1.1+up0.10.5/templates/deployment.yaml b/charts/fleet/104.1.1+up0.10.5/templates/deployment.yaml new file mode 100644 index 0000000000..025eb0710a --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/deployment.yaml @@ -0,0 +1,251 @@ +{{- $shards := list (dict "id" "" "nodeSelector" dict) -}} +{{- $uniqueShards := list -}} +{{- if .Values.shards -}} + {{- range .Values.shards -}} + {{- if not (has .id $uniqueShards) -}} + {{- $shards = append $shards . -}} + {{- $uniqueShards = append $uniqueShards .id -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{ range $shard := $shards }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "fleet-controller{{if $shard.id }}-shard-{{ $shard.id }}{{end}}" +spec: + selector: + matchLabels: + app: fleet-controller + template: + metadata: + labels: + app: fleet-controller + fleet.cattle.io/shard-id: "{{ $shard.id }}" + {{- if empty $shard.id }} + fleet.cattle.io/shard-default: "true" + {{- end }} + spec: + containers: + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $.Values.clusterEnqueueDelay }} + - name: FLEET_CLUSTER_ENQUEUE_DELAY + value: {{ $.Values.clusterEnqueueDelay }} + {{- end }} + {{- if $.Values.proxy }} + - name: HTTP_PROXY + value: {{ $.Values.proxy }} + - name: HTTPS_PROXY + value: {{ $.Values.proxy }} + - name: NO_PROXY + value: {{ $.Values.noProxy }} + {{- end }} + {{- if $.Values.cpuPprof }} + - name: FLEET_CPU_PPROF_DIR + value: /tmp/pprof/ + {{- end }} + {{- if $.Values.cpuPprof }} + - name: FLEET_CPU_PPROF_PERIOD + value: {{ quote $.Values.cpuPprof.period }} + {{- end }} + {{- if $.Values.leaderElection.leaseDuration }} + - name: CATTLE_ELECTION_LEASE_DURATION + value: {{$.Values.leaderElection.leaseDuration}} + {{- end }} + {{- if $.Values.leaderElection.retryPeriod }} + - name: CATTLE_ELECTION_RETRY_PERIOD + value: {{$.Values.leaderElection.retryPeriod}} + {{- end }} + {{- if $.Values.leaderElection.renewDeadline }} + - name: CATTLE_ELECTION_RENEW_DEADLINE + value: {{$.Values.leaderElection.renewDeadline}} + {{- end }} + {{- if $.Values.debug }} + - name: CATTLE_DEV_MODE + value: "true" + {{- end }} + {{- if $.Values.controller.reconciler.workers.bundle }} + - name: BUNDLE_RECONCILER_WORKERS + value: {{ quote $.Values.controller.reconciler.workers.bundle }} + {{- end }} + {{- if $.Values.controller.reconciler.workers.bundledeployment }} + - name: BUNDLEDEPLOYMENT_RECONCILER_WORKERS + value: {{ quote $.Values.controller.reconciler.workers.bundledeployment }} + {{- end }} +{{- if $.Values.extraEnv }} +{{ toYaml $.Values.extraEnv | indent 8}} +{{- end }} + image: '{{ template "system_default_registry" $ }}{{ $.Values.image.repository }}:{{ $.Values.image.tag }}' + name: fleet-controller + imagePullPolicy: "{{ $.Values.image.imagePullPolicy }}" + {{- if $.Values.metrics.enabled }} + ports: + - containerPort: 8080 + name: metrics + {{- end }} + command: + - fleetcontroller + {{- if $shard.id }} + - --shard-id + - {{ quote $shard.id }} + {{- end }} + {{- if not $.Values.metrics.enabled }} + - --disable-metrics + {{- end }} + {{- if $.Values.debug }} + - --debug + - --debug-level + - {{ quote $.Values.debugLevel }} + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + volumeMounts: + - mountPath: /tmp + name: tmp + {{- if $.Values.cpuPprof }} + - mountPath: /tmp/pprof + name: pprof + {{- end }} + {{- if not $shard.id }} # Only deploy cleanup and agent management through sharding-less deployment + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $.Values.debug }} + - name: CATTLE_DEV_MODE + value: "true" + {{- end }} + {{- if $.Values.leaderElection.leaseDuration }} + - name: CATTLE_ELECTION_LEASE_DURATION + value: {{$.Values.leaderElection.leaseDuration}} + {{- end }} + {{- if $.Values.leaderElection.retryPeriod }} + - name: CATTLE_ELECTION_RETRY_PERIOD + value: {{$.Values.leaderElection.retryPeriod}} + {{- end }} + {{- if $.Values.leaderElection.renewDeadline }} + - name: CATTLE_ELECTION_RENEW_DEADLINE + value: {{$.Values.leaderElection.renewDeadline}} + {{- end }} + {{- if $.Values.controller.reconciler.workers.gitrepo }} + - name: GITREPO_RECONCILER_WORKERS + value: {{ quote $.Values.controller.reconciler.workers.gitrepo }} + {{- end }} + {{- if $.Values.controller.reconciler.workers.bundle }} + - name: BUNDLE_RECONCILER_WORKERS + value: {{ quote $.Values.controller.reconciler.workers.bundle }} + {{- end }} + {{- if $.Values.controller.reconciler.workers.bundledeployment }} + - name: BUNDLEDEPLOYMENT_RECONCILER_WORKERS + value: {{ quote $.Values.controller.reconciler.workers.bundledeployment }} + {{- end }} + image: '{{ template "system_default_registry" $ }}{{ $.Values.image.repository }}:{{ $.Values.image.tag }}' + name: fleet-cleanup + imagePullPolicy: "{{ $.Values.image.imagePullPolicy }}" + command: + - fleetcontroller + - cleanup + {{- if $.Values.debug }} + - --debug + - --debug-level + - {{ quote $.Values.debugLevel }} + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: FLEET_PROPAGATE_DEBUG_SETTINGS_TO_AGENTS + value: {{ quote $.Values.propagateDebugSettingsToAgents }} + {{- if $.Values.debug }} + - name: CATTLE_DEV_MODE + value: "true" + {{- end }} + {{- if $.Values.leaderElection.leaseDuration }} + - name: CATTLE_ELECTION_LEASE_DURATION + value: {{$.Values.leaderElection.leaseDuration}} + {{- end }} + {{- if $.Values.leaderElection.retryPeriod }} + - name: CATTLE_ELECTION_RETRY_PERIOD + value: {{$.Values.leaderElection.retryPeriod}} + {{- end }} + {{- if $.Values.leaderElection.renewDeadline }} + - name: CATTLE_ELECTION_RENEW_DEADLINE + value: {{$.Values.leaderElection.renewDeadline}} + {{- end }} + image: '{{ template "system_default_registry" $ }}{{ $.Values.image.repository }}:{{ $.Values.image.tag }}' + name: fleet-agentmanagement + imagePullPolicy: "{{ $.Values.image.imagePullPolicy }}" + command: + - fleetcontroller + - agentmanagement + {{- if not $.Values.bootstrap.enabled }} + - --disable-bootstrap + {{- end }} + {{- if $.Values.debug }} + - --debug + - --debug-level + - {{ quote $.Values.debugLevel }} + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + {{- end }} + volumes: + - name: tmp + emptyDir: {} + {{- if $.Values.cpuPprof }} + - name: pprof {{ toYaml $.Values.cpuPprof.volumeConfiguration | nindent 10 }} + {{- end }} + + serviceAccountName: fleet-controller + nodeSelector: {{ include "linux-node-selector" $shard.id | nindent 8 }} +{{- if $.Values.nodeSelector }} +{{ toYaml $.Values.nodeSelector | indent 8 }} +{{- end }} +{{- if $shard.nodeSelector -}} +{{- range $key, $value := $shard.nodeSelector }} +{{ $key | indent 8}}: {{ $value }} +{{- end }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" $shard.id | nindent 8 }} +{{- if $.Values.tolerations }} +{{ toYaml $.Values.tolerations | indent 8 }} +{{- end }} + {{- if $.Values.priorityClassName }} + priorityClassName: "{{$.Values.priorityClassName}}" + {{- end }} + +{{- if not $.Values.debug }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} +--- +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/deployment_gitjob.yaml b/charts/fleet/104.1.1+up0.10.5/templates/deployment_gitjob.yaml new file mode 100644 index 0000000000..5c3df9608a --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/deployment_gitjob.yaml @@ -0,0 +1,136 @@ +{{- $shards := list (dict "id" "" "nodeSelector" dict) -}} +{{- $uniqueShards := list -}} +{{- if .Values.shards -}} + {{- range .Values.shards -}} + {{- if not (has .id $uniqueShards) -}} + {{- $shards = append $shards . -}} + {{- $uniqueShards = append $uniqueShards .id -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{ range $shard := $shards }} +{{- if $.Values.gitops.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "gitjob{{if $shard.id }}-shard-{{ $shard.id }}{{end}}" +spec: + selector: + matchLabels: + app: "gitjob" + template: + metadata: + labels: + app: "gitjob" + fleet.cattle.io/shard-id: "{{ $shard.id }}" + {{- if empty $shard.id }} + fleet.cattle.io/shard-default: "true" + {{- end }} + spec: + serviceAccountName: gitjob + containers: + - image: "{{ template "system_default_registry" $ }}{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + name: gitjob + {{- if $.Values.metrics.enabled }} + ports: + - containerPort: 8081 + name: metrics + {{- end }} + args: + - fleetcontroller + - gitjob + - --gitjob-image + - "{{ template "system_default_registry" $ }}{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + {{- if $.Values.debug }} + - --debug + - --debug-level + - {{ quote $.Values.debugLevel }} + {{- end }} + {{- if $shard.id }} + - --shard-id + - {{ quote $shard.id }} + {{- end }} + {{- if $shard.nodeSelector }} + - --shard-node-selector + - {{ toJson $shard.nodeSelector | squote }} + {{- end }} + {{- if not $.Values.metrics.enabled }} + - --disable-metrics + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $.Values.leaderElection.leaseDuration }} + - name: CATTLE_ELECTION_LEASE_DURATION + value: {{$.Values.leaderElection.leaseDuration}} + {{- end }} + {{- if $.Values.leaderElection.retryPeriod }} + - name: CATTLE_ELECTION_RETRY_PERIOD + value: {{$.Values.leaderElection.retryPeriod}} + {{- end }} + {{- if $.Values.leaderElection.renewDeadline }} + - name: CATTLE_ELECTION_RENEW_DEADLINE + value: {{$.Values.leaderElection.renewDeadline}} + {{- end }} + {{- if $.Values.proxy }} + - name: HTTP_PROXY + value: {{ $.Values.proxy }} + - name: HTTPS_PROXY + value: {{ $.Values.proxy }} + - name: NO_PROXY + value: {{ $.Values.noProxy }} + {{- end }} + {{- if $.Values.controller.reconciler.workers.gitrepo }} + - name: GITREPO_RECONCILER_WORKERS + value: {{ quote $.Values.controller.reconciler.workers.gitrepo }} + {{- end }} +{{- if $.Values.extraEnv }} +{{ toYaml $.Values.extraEnv | indent 12}} +{{- end }} + {{- if $.Values.debug }} + - name: CATTLE_DEV_MODE + value: "true" + {{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + {{- end }} + volumeMounts: + - mountPath: /tmp + name: tmp + nodeSelector: {{ include "linux-node-selector" $shard.id | nindent 8 }} +{{- if $.Values.nodeSelector }} +{{ toYaml $.Values.nodeSelector | indent 8 }} +{{- end }} +{{- if $shard.nodeSelector -}} +{{- range $key, $value := $shard.nodeSelector }} +{{ $key | indent 8}}: {{ $value }} +{{- end }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" $shard.id | nindent 8 }} +{{- if $.Values.tolerations }} +{{ toYaml $.Values.tolerations | indent 8 }} +{{- end }} + {{- if $.Values.priorityClassName }} + priorityClassName: "{{$.Values.priorityClassName}}" + {{- end }} + +{{- if not $.Values.debug }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + volumes: + - name: tmp + emptyDir: {} +{{- end }} +--- +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/job_cleanup_clusterregistrations.yaml b/charts/fleet/104.1.1+up0.10.5/templates/job_cleanup_clusterregistrations.yaml new file mode 100644 index 0000000000..d039fd40b3 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/job_cleanup_clusterregistrations.yaml @@ -0,0 +1,41 @@ +{{- if .Values.migrations.clusterRegistrationCleanup }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: fleet-cleanup-clusterregistrations + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + metadata: + labels: + app: fleet-job + spec: + serviceAccountName: fleet-controller + restartPolicy: Never + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: cleanup + image: "{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + privileged: false + command: + - fleet + args: + - cleanup + - clusterregistration + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + backoffLimit: 1 +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/job_cleanup_gitrepojobs.yaml b/charts/fleet/104.1.1+up0.10.5/templates/job_cleanup_gitrepojobs.yaml new file mode 100644 index 0000000000..0c58024476 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/job_cleanup_gitrepojobs.yaml @@ -0,0 +1,44 @@ +{{- if .Values.migrations.gitrepoJobsCleanup }} +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: fleet-cleanup-gitrepo-jobs +spec: + schedule: "@daily" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 0 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + labels: + app: fleet-job + spec: + serviceAccountName: gitjob + restartPolicy: Never + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: cleanup + image: "{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + privileged: false + command: + - fleet + args: + - cleanup + - gitjob + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} + backoffLimit: 1 +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/rbac.yaml b/charts/fleet/104.1.1+up0.10.5/templates/rbac.yaml new file mode 100644 index 0000000000..026c1c26d2 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/rbac.yaml @@ -0,0 +1,113 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: fleet-controller +rules: +- apiGroups: + - fleet.cattle.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - "" + resources: + - namespaces + - serviceaccounts + verbs: + - '*' +- apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - "" + resources: + - 'events' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: fleet-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: fleet-controller +subjects: +- kind: ServiceAccount + name: fleet-controller + namespace: {{.Release.Namespace}} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: fleet-controller +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: fleet-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: fleet-controller +subjects: +- kind: ServiceAccount + name: fleet-controller + +{{- if .Values.bootstrap.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: fleet-controller-bootstrap +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: fleet-controller-bootstrap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: fleet-controller-bootstrap +subjects: +- kind: ServiceAccount + name: fleet-controller-bootstrap + namespace: {{.Release.Namespace}} +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/rbac_gitjob.yaml b/charts/fleet/104.1.1+up0.10.5/templates/rbac_gitjob.yaml new file mode 100644 index 0000000000..e2c93169de --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/rbac_gitjob.yaml @@ -0,0 +1,133 @@ +{{- if .Values.gitops.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gitjob +rules: + - apiGroups: + - "batch" + resources: + - 'jobs' + verbs: + - '*' + - apiGroups: + - "" + resources: + - 'pods' + verbs: + - 'list' + - 'get' + - 'watch' + - apiGroups: + - "" + resources: + - 'secrets' + verbs: + - '*' + - apiGroups: + - "" + resources: + - 'configmaps' + verbs: + - '*' + - apiGroups: + - "fleet.cattle.io" + resources: + - "gitrepos" + - "gitrepos/status" + verbs: + - "*" + - apiGroups: + - "fleet.cattle.io" + resources: + - "gitreporestrictions" + verbs: + - list + - get + - watch + - apiGroups: + - "fleet.cattle.io" + resources: + - "bundles" + - "bundledeployments" + - "imagescans" + - "contents" + verbs: + - list + - delete + - get + - watch + - update + - apiGroups: + - "" + resources: + - 'events' + verbs: + - '*' + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - "create" + - apiGroups: + - "" + resources: + - namespaces + verbs: + - "create" + - "delete" + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - escalate + - create + - bind + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gitjob-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gitjob +subjects: + - kind: ServiceAccount + name: gitjob + namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gitjob +rules: + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gitjob +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gitjob +subjects: + - kind: ServiceAccount + name: gitjob +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/service.yaml b/charts/fleet/104.1.1+up0.10.5/templates/service.yaml new file mode 100644 index 0000000000..49aefb490a --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/service.yaml @@ -0,0 +1,36 @@ +{{- if .Values.metrics.enabled }} +{{- $shards := list (dict "id" "" "nodeSelector" dict) -}} +{{- $uniqueShards := list -}} +{{- if .Values.shards -}} + {{- range .Values.shards -}} + {{- if not (has .id $uniqueShards) -}} + {{- $shards = append $shards . -}} + {{- $uniqueShards = append $uniqueShards .id -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{ range $shard := $shards }} +apiVersion: v1 +kind: Service +metadata: + name: "monitoring-fleet-controller{{if $shard.id }}-shard-{{ $shard.id }}{{end}}" + labels: + app: fleet-controller +spec: + type: ClusterIP + ports: + - port: 8080 + targetPort: 8080 + protocol: TCP + name: metrics + selector: + app: fleet-controller + {{- if empty $shard.id }} + fleet.cattle.io/shard-default: "true" + {{- else }} + fleet.cattle.io/shard-id: "{{ $shard.id }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/service_gitjob.yaml b/charts/fleet/104.1.1+up0.10.5/templates/service_gitjob.yaml new file mode 100644 index 0000000000..f33c9a5457 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/service_gitjob.yaml @@ -0,0 +1,51 @@ +{{- if .Values.gitops.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: gitjob +spec: + ports: + - name: http-80 + port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: "gitjob" +--- +{{- if .Values.metrics.enabled }} +{{- $shards := list (dict "id" "" "nodeSelector" dict) -}} +{{- $uniqueShards := list -}} +{{- if .Values.shards -}} + {{- range .Values.shards -}} + {{- if not (has .id $uniqueShards) -}} + {{- $shards = append $shards . -}} + {{- $uniqueShards = append $uniqueShards .id -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{ range $shard := $shards }} +apiVersion: v1 +kind: Service +metadata: + name: "monitoring-gitjob{{if $shard.id }}-shard-{{ $shard.id }}{{end}}" + labels: + app: gitjob +spec: + type: ClusterIP + ports: + - port: 8081 + targetPort: 8081 + protocol: TCP + name: metrics + selector: + app: gitjob + {{- if empty $shard.id }} + fleet.cattle.io/shard-default: "true" + {{- else }} + fleet.cattle.io/shard-id: "{{ $shard.id }}" + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/serviceaccount.yaml b/charts/fleet/104.1.1+up0.10.5/templates/serviceaccount.yaml new file mode 100644 index 0000000000..ba27c748d7 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: fleet-controller + +{{- if .Values.bootstrap.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: fleet-controller-bootstrap +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/templates/serviceaccount_gitjob.yaml b/charts/fleet/104.1.1+up0.10.5/templates/serviceaccount_gitjob.yaml new file mode 100644 index 0000000000..c769b47cfd --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/templates/serviceaccount_gitjob.yaml @@ -0,0 +1,6 @@ +{{- if .Values.gitops.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gitjob +{{- end }} diff --git a/charts/fleet/104.1.1+up0.10.5/values.yaml b/charts/fleet/104.1.1+up0.10.5/values.yaml new file mode 100644 index 0000000000..eaac3887f3 --- /dev/null +++ b/charts/fleet/104.1.1+up0.10.5/values.yaml @@ -0,0 +1,121 @@ +image: + repository: rancher/fleet + tag: v0.10.5 + imagePullPolicy: IfNotPresent + +agentImage: + repository: rancher/fleet-agent + tag: v0.10.5 + imagePullPolicy: IfNotPresent + +# For cluster registration the public URL of the Kubernetes API server must be set here +# Example: https://example.com:6443 +apiServerURL: "" + +# For cluster registration the pem encoded value of the CA of the Kubernetes API server must be set here +# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA. +apiServerCA: "" + +# Determines whether the agent should trust CA bundles from the operating system's trust store when connecting to a +# management cluster. True in `system-store` mode, false in `strict` mode. +agentTLSMode: "system-store" + +# A duration string for how often agents should report a heartbeat +agentCheckinInterval: "15m" + +# Whether you want to allow cluster upon registration to specify their labels. +ignoreClusterRegistrationLabels: false + +# Counts from gitrepo are out of sync with bundleDeployment state. +# Just retry in a number of seconds as there is no great way to trigger an event that doesn't cause a loop. +# If not set default is 15 seconds. +# clusterEnqueueDelay: 120s + +# http[s] proxy server +# proxy: http://@:: + +# comma separated list of domains or ip addresses that will not use the proxy +noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local + +bootstrap: + enabled: true + # The namespace that will be autocreated and the local cluster will be registered in + namespace: fleet-local + # The namespace where the fleet agent for the local cluster will be ran, if empty + # this will default to cattle-fleet-system + agentNamespace: "" + # A repo to add at install time that will deploy to the local cluster. This allows + # one to fully bootstrap fleet, its configuration and all its downstream clusters + # in one shot. + repo: "" + secret: "" + branch: master + paths: "" + +global: + cattle: + systemDefaultRegistry: "" + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] + +## PriorityClassName assigned to deployment. +priorityClassName: "" + +gitops: + enabled: true + +metrics: + enabled: true + +debug: false +debugLevel: 0 +propagateDebugSettingsToAgents: true + +## Optional CPU pprof configuration. Profiles are collected continuously and saved every period +## Any valid volume configuration can be provided, the example below uses hostPath +# cpuPprof: +# period: "60s" +# volumeConfiguration: +# hostPath: +# path: /tmp/pprof +# type: DirectoryOrCreate + +migrations: + clusterRegistrationCleanup: true + gitrepoJobsCleanup: true + +## Leader election configuration +leaderElection: + leaseDuration: 30s + retryPeriod: 10s + renewDeadline: 25s + +## Fleet controller configuration +controller: + reconciler: + # The number of workers that are allowed to each type of reconciler + workers: + gitrepo: "50" + bundle: "50" + bundledeployment: "50" + +# Extra environment variables passed to the fleet pods. +# extraEnv: +# - name: EXPERIMENTAL_OCI_STORAGE +# value: "true" + +# shards: +# - id: shard0 +# nodeSelector: +# kubernetes.io/hostname: k3d-upstream-server-0 +# - id: shard1 +# nodeSelector: +# kubernetes.io/hostname: k3d-upstream-server-1 +# - id: shard2 +# nodeSelector: +# kubernetes.io/hostname: k3d-upstream-server-2 diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/Chart.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/Chart.yaml new file mode 100644 index 0000000000..b8210e5429 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd +apiVersion: v1 +description: Installs the CRDs for rancher-gatekeeper. +name: rancher-gatekeeper-crd +type: application +version: 104.0.1+up3.13.0 diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/README.md b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/README.md new file mode 100644 index 0000000000..26079c833e --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/README.md @@ -0,0 +1,2 @@ +# rancher-gatekeeper-crd +A Rancher chart that installs the CRDs used by rancher-gatekeeper. diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml new file mode 100644 index 0000000000..0221a19481 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml @@ -0,0 +1,757 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assign.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: Assign + listKind: AssignList + plural: assign + singular: assign + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml new file mode 100644 index 0000000000..197f2f1793 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml @@ -0,0 +1,237 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml new file mode 100644 index 0000000000..65c17ed3ae --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml @@ -0,0 +1,655 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignmetadata.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignMetadata + listKind: AssignMetadataList + plural: assignmetadata + singular: assignmetadata + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/config-customresourcedefinition.yaml new file mode 100644 index 0000000000..269ca95f9a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/config-customresourcedefinition.yaml @@ -0,0 +1,105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: configs.config.gatekeeper.sh +spec: + group: config.gatekeeper.sh + names: + kind: Config + listKind: ConfigList + plural: configs + singular: config + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Config is the Schema for the configs API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigSpec defines the desired state of Config. + properties: + match: + description: Configuration for namespace exclusion + items: + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + processes: + items: + type: string + type: array + type: object + type: array + readiness: + description: Configuration for readiness tracker + properties: + statsEnabled: + type: boolean + type: object + sync: + description: Configuration for syncing k8s objects + properties: + syncOnly: + description: If non-empty, only entries on this list will be replicated into OPA + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + validation: + description: Configuration for validation + properties: + traces: + description: List of requests to trace. Both "user" and "kinds" must be specified + items: + properties: + dump: + description: Also dump the state of OPA with the trace. Set to `All` to dump everything. + type: string + kind: + description: Only trace requests of the following GroupVersionKind + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + user: + description: Only trace requests from the specified user + type: string + type: object + type: array + type: object + type: object + status: + description: ConfigStatus defines the observed state of Config. + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..230a541bb7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml @@ -0,0 +1,67 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constraintpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintPodStatus + listKind: ConstraintPodStatusList + plural: constraintpodstatuses + singular: constraintpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. + properties: + constraintUID: + description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + enforced: + type: boolean + errors: + items: + description: Error represents a single error caught while adding a constraint to OPA. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml new file mode 100644 index 0000000000..737e3aff15 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml @@ -0,0 +1,357 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplates.templates.gatekeeper.sh +spec: + group: templates.gatekeeper.sh + names: + kind: ConstraintTemplate + listKind: ConstraintTemplateList + plural: constrainttemplates + singular: constrainttemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: false + properties: + legacySchema: + default: false + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..271572bd7e --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml @@ -0,0 +1,66 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintTemplatePodStatus + listKind: ConstraintTemplatePodStatusList + plural: constrainttemplatepodstatuses + singular: constrainttemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml new file mode 100644 index 0000000000..9d248f2ccd --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml @@ -0,0 +1,200 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplate.expansion.gatekeeper.sh +spec: + group: expansion.gatekeeper.sh + names: + kind: ExpansionTemplate + listKind: ExpansionTemplateList + plural: expansiontemplate + singular: expansiontemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..8f49b4c5f7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml @@ -0,0 +1,62 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ExpansionTemplatePodStatus + listKind: ExpansionTemplatePodStatusList + plural: expansiontemplatepodstatuses + singular: expansiontemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml new file mode 100644 index 0000000000..46574fd369 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml @@ -0,0 +1,676 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: modifyset.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: ModifySet + listKind: ModifySetList + plural: modifyset + singular: modifyset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..fd6a0f6dea --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml @@ -0,0 +1,65 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: mutatorpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: MutatorPodStatus + listKind: MutatorPodStatusList + plural: mutatorpodstatuses + singular: mutatorpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: MutatorPodStatus is the Schema for the mutationpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml new file mode 100644 index 0000000000..95e66a8b8a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml @@ -0,0 +1,78 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: providers.externaldata.gatekeeper.sh +spec: + group: externaldata.gatekeeper.sh + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + preserveUnknownFields: false + scope: Cluster + versions: + - deprecated: true + deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead. + name: v1alpha1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the Provider API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: false + - name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/_helpers.tpl new file mode 100644 index 0000000000..6a89079bcb --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/_helpers.tpl @@ -0,0 +1,22 @@ +# Rancher + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/jobs.yaml new file mode 100644 index 0000000000..e5589e68c0 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/jobs.yaml @@ -0,0 +1,126 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-create + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": post-install, post-upgrade, post-rollback + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-create + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: create-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-delete + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-delete + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - name: remove-finalizers + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + containers: + - name: delete-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - delete + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/manifest.yaml new file mode 100644 index 0000000000..31016b6efa --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/manifest.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-manifest + namespace: {{ .Release.Namespace }} +data: + crd-manifest.yaml: | + {{- $currentScope := . -}} + {{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}} + {{- range $path, $_ := $crds -}} + {{- with $currentScope -}} + {{ .Files.Get $path | nindent 4 }} + --- + {{- end -}}{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/rbac.yaml new file mode 100644 index 0000000000..d1df389610 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/rbac.yaml @@ -0,0 +1,76 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: ['create', 'get', 'patch', 'delete'] +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ .Chart.Name }}-manager +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }}-manager +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/values.yaml b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/values.yaml new file mode 100644 index 0000000000..3304f097b3 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/104.0.1+up3.13.0/values.yaml @@ -0,0 +1,21 @@ +# Default values for rancher-gatekeeper-crd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + +image: + repository: rancher/kubectl + tag: v1.20.2 + +enableRuntimeDefaultSeccompProfile: true + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/.helmignore b/charts/rancher-gatekeeper/104.0.1+up3.13.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/CHANGELOG.md b/charts/rancher-gatekeeper/104.0.1+up3.13.0/CHANGELOG.md new file mode 100644 index 0000000000..c68d23c240 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/CHANGELOG.md @@ -0,0 +1,15 @@ +# Changelog +All notable changes from the upstream OPA Gatekeeper chart will be added to this file + +## [Package Version 00] - 2020-09-10 +### Added +- Enabled the CRD chart generator in `package.yaml` + +### Modified +- Updated namespace to `cattle-gatekeeper-system` +- Updated for Helm 3 compatibility + - Moved crds to `crds` directory + - Removed `crd-install` hooks and templates from crds + +### Removed +- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/Chart.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/Chart.yaml new file mode 100644 index 0000000000..c2bd5dd341 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper +apiVersion: v2 +appVersion: v3.13.0 +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments +home: https://github.com/open-policy-agent/gatekeeper +icon: https://charts.rancher.io/assets/logos/gatekeeper.svg +keywords: +- open policy agent +- security +name: rancher-gatekeeper +sources: +- https://github.com/open-policy-agent/gatekeeper.git +version: 104.0.1+up3.13.0 diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/README.md b/charts/rancher-gatekeeper/104.0.1+up3.13.0/README.md new file mode 100644 index 0000000000..3ec0a2b756 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/README.md @@ -0,0 +1,226 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within +the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the +original release, while keeping all of the resources. It then updates the annotations of the resources so that the new +chart can import and manage them. + +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** + +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt +the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during +a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more +information._ + +## Parameters + +| Parameter | Description | Default | +|:-----------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | +| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | +| postInstall.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label Job | `` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.probeWebhook.priorityClassName | Priority class name for gatekeeper-probe-webhook-post-install Job | `` | +| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | +| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | +| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | +| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | +| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | +| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | +| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | +| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.13.0` | +| preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.13.0` | +| preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.deleteWebhookConfigurations.priorityClassName | Priority class name for gatekeeper-delete-webhook-configs Job | `` | +| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | +| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | +| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | +| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` | +| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | +| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | +| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | +| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data | `true` | +| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | +| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.13.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | +| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | +| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | +| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | +| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | +| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | +| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | +| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | + +## Contributing Changes + +Please refer +to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) +for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/app-readme.md b/charts/rancher-gatekeeper/104.0.1+up3.13.0/app-readme.md new file mode 100644 index 0000000000..dff688f517 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/app-readme.md @@ -0,0 +1,32 @@ +# Rancher OPA Gatekeeper + +This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/). + +The chart installs the following components: + +- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster. +- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations. +- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources. +- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to). + +For more information on how to configure the Helm chart, refer to the Helm README. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/_helpers.tpl new file mode 100644 index 0000000000..79581551cb --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/_helpers.tpl @@ -0,0 +1,114 @@ + +{{/* +Expand the name of the chart. +*/}} +{{- define "gatekeeper.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gatekeeper.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gatekeeper.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Adds additional pod labels to the common ones +*/}} +{{- define "gatekeeper.podLabels" -}} +{{- if .Values.podLabels }} +{{- toYaml .Values.podLabels | nindent 8 }} +{{- end }} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Output post install webhook probe container entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeContainer" -}} +- name: webhook-probe-post + image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} + command: + - "curl" + args: + - "--retry" + - "99999" + - "--retry-connrefused" + - "--retry-max-time" + - "{{ .Values.postInstall.probeWebhook.waitTimeout }}" + - "--retry-delay" + - "1" + - "--max-time" + - "{{ .Values.postInstall.probeWebhook.httpTimeout }}" + {{- if .Values.postInstall.probeWebhook.insecureHTTPS }} + - "--insecure" + {{- else }} + - "--cacert" + - /certs/ca.crt + {{- end }} + - "-v" + - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s" + resources: + {{- toYaml .Values.postInstall.resources | nindent 4 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 4 }} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true +{{- end -}} + +{{/* +Output post install webhook probe volume entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeVolume" -}} +- name: cert + secret: + secretName: {{ .Values.externalCertInjection.secretName }} +{{- end -}} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/allowedrepos.yaml new file mode 100644 index 0000000000..9abb84ecb3 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/allowedrepos.yaml @@ -0,0 +1,35 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sallowedrepos +spec: + crd: + spec: + names: + kind: K8sAllowedRepos + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + repos: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sallowedrepos + + violation[{"msg": msg}] { + container := input.review.object.spec.containers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.initContainers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2c179e570d --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - projected + - secret + - downwardAPI + - emptyDir +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml new file mode 100644 index 0000000000..4b68998cb4 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-audit-deployment.yaml new file mode 100644 index 0000000000..d03c6d3b55 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-audit-deployment.yaml @@ -0,0 +1,164 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-audit + namespace: '{{ .Release.Namespace }}' +spec: + replicas: 1 + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + {{- if .Values.auditPodAnnotations }} + {{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.audit.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + args: + - --audit-interval={{ .Values.auditInterval }} + - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} + - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} + - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} + - --audit-from-cache={{ .Values.auditFromCache }} + - --audit-chunk-size={{ .Values.auditChunkSize }} + - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} + - --emit-audit-events={{ .Values.emitAuditEvents }} + - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} + - --operation=audit + - --operation=status + {{ if .Values.audit.enablePubsub}} + - --enable-pub-sub={{ .Values.audit.enablePubsub }} + - --audit-connection={{ .Values.audit.connection }} + - --audit-channel={{ .Values.audit.channel }} + {{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} + - --logtostderr + - --health-addr=:{{ .Values.audit.healthPort }} + - --prometheus-port={{ .Values.audit.metricsPort }} + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + + {{- if .Values.audit.logFile}} + - --log-file={{ .Values.audit.logFile }} + {{- end }} + - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.audit.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.audit.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.readinessTimeout }} + resources: + {{- toYaml .Values.audit.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.audit.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + - mountPath: /tmp/audit + name: tmp-volume + dnsPolicy: {{ .Values.audit.dnsPolicy }} + hostNetwork: {{ .Values.audit.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.audit.nodeSelector }} +{{ toYaml .Values.audit.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.audit.priorityClassName }} + priorityClassName: {{ .Values.audit.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.audit.tolerations }} +{{ toYaml .Values.audit.tolerations | indent 8 }} +{{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert + {{- if .Values.audit.writeToRAMDisk }} + - emptyDir: + medium: Memory + {{ else }} + - emptyDir: {} + {{- end }} + name: tmp-volume diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml new file mode 100644 index 0000000000..b2abb99e97 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml @@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + strategy: + type: {{ .Values.controllerManager.strategyType }} + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.controllerManager.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - --port={{ .Values.controllerManager.port }} + - --health-addr=:{{ .Values.controllerManager.healthPort }} + - --prometheus-port={{ .Values.controllerManager.metricsPort }} + - --logtostderr + - --log-denies={{ .Values.logDenies }} + - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} + - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} + - --exempt-namespace={{ .Release.Namespace }} + - --operation=webhook + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + - --log-mutations={{ .Values.logMutations }} + - --mutation-annotations={{ .Values.mutationAnnotations }} + - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }} + - --max-serving-threads={{ .Values.maxServingThreads }} + - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }} + {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} + + {{- range .Values.disabledBuiltins}} + - --disable-opa-builtin={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaces}} + - --exempt-namespace={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespacePrefixes}} + - --exempt-namespace-prefix={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaceSuffixes}} + - --exempt-namespace-suffix={{ . }} + {{- end }} + + {{- if .Values.controllerManager.logFile}} + - --log-file={{ .Values.controllerManager.logFile }} + {{- end }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.controllerManager.port }} + name: webhook-server + protocol: TCP + - containerPort: {{ .Values.controllerManager.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.controllerManager.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }} + resources: + {{- toYaml .Values.controllerManager.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.controllerManager.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} + hostNetwork: {{ .Values.controllerManager.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.controllerManager.nodeSelector }} +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.controllerManager.priorityClassName }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.controllerManager.tolerations }} +{{ toYaml .Values.controllerManager.tolerations | indent 8 }} +{{- end }} + topologySpreadConstraints: + {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml new file mode 100644 index 0000000000..e05213feb4 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml @@ -0,0 +1,30 @@ +{{- if .Values.controllerManager.networkPolicy.enabled -}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + {{- with .Values.controllerManager.networkPolicy.ingress }} + {{- toYaml . | nindent 4 }} + {{- end }} + podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' +{{- end -}} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml new file mode 100644 index 0000000000..424f6a67c4 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml @@ -0,0 +1,24 @@ +{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} +apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }} +kind: PodDisruptionBudget +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + minAvailable: {{ .Values.pdb.controllerManager.minAvailable }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml new file mode 100644 index 0000000000..1546463669 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml @@ -0,0 +1,23 @@ +{{- if .Values.resourceQuota }} +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-critical-pods + namespace: '{{ .Release.Namespace }}' +spec: + hard: + pods: {{ .Values.podCountLimit }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - {{ .Values.controllerManager.priorityClassName }} + - {{ .Values.audit.priorityClassName }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml new file mode 100644 index 0000000000..657460a5d6 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml @@ -0,0 +1,186 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.mutatingWebhookName }} + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs/status + verbs: + - get + - patch + - update +- apiGroups: + - constraints.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - expansion.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - externaldata.gatekeeper.sh + resources: + - providers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mutations.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: + - policy + resourceNames: + - gatekeeper-admin + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} +- apiGroups: + - status.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/finalizers + verbs: + - delete + - get + - patch + - update +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/status + verbs: + - get + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.validatingWebhookName }} + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-role-role.yaml new file mode 100644 index 0000000000..1018dcdb66 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-role-role.yaml @@ -0,0 +1,37 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role + namespace: '{{ .Release.Namespace }}' +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- with .Values.controllerManager.extraRules }} + {{- toYaml . | nindent 0 }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml new file mode 100644 index 0000000000..1fb9f6c87a --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml new file mode 100644 index 0000000000..fbe9580d57 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding + namespace: '{{ .Release.Namespace }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..ae85f8d08d --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -0,0 +1,64 @@ +{{- if not .Values.disableMutation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.mutatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.mutatingWebhookURL }} + url: https://{{ .Values.mutatingWebhookURL }}/v1/mutate + {{- else }} + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/mutate + {{- end }} + failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} + matchPolicy: Exact + name: mutation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }} + reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }} + rules: + {{- if .Values.mutatingWebhookCustomRules }} + {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..933fbbd3c3 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -0,0 +1,113 @@ +{{- if not .Values.disableValidatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.validatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.validatingWebhookURL }} + url: https://{{ .Values.validatingWebhookURL }}/v1/admit + {{- else }} + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admit + {{- end }} + failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} + matchPolicy: Exact + name: validation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }} + rules: + {{- if .Values.validatingWebhookCustomRules }} + {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + {{- if .Values.enableDeleteOperations }} + - DELETE + {{- end }} + resources: + - '*' + # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). + # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("' + - 'pods/ephemeralcontainers' + - 'pods/exec' + - 'pods/log' + - 'pods/eviction' + - 'pods/portforward' + - 'pods/proxy' + - 'pods/attach' + - 'pods/binding' + - 'deployments/scale' + - 'replicasets/scale' + - 'statefulsets/scale' + - 'replicationcontrollers/scale' + - 'services/proxy' + - 'nodes/proxy' + # For constraints that mitigate CVE-2020-8554 + - 'services/status' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admitlabel + failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }} + matchPolicy: Exact + name: check-ignore-label.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "" + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - namespaces + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml new file mode 100644 index 0000000000..a841780a55 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml @@ -0,0 +1,14 @@ +{{- if not .Values.externalCertInjection.enabled }} +apiVersion: v1 +kind: Secret +metadata: + annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-server-cert + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-webhook-service-service.yaml new file mode 100644 index 0000000000..3c0f4453a1 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/gatekeeper-webhook-service-service.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' +spec: + + ports: + - name: https-webhook-server + port: 443 + targetPort: webhook-server +{{- if .Values.service }} +{{- if .Values.service.healthzPort }} + - name: http-webhook-healthz + port: {{ .Values.service.healthzPort }} + targetPort: healthz + {{- end }} + {{- end }} + {{- if .Values.service }} + type: {{ .Values.service.type | default "ClusterIP" }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- end }} + selector: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/namespace-post-install.yaml new file mode 100644 index 0000000000..46224f76a4 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/namespace-post-install.yaml @@ -0,0 +1,168 @@ +{{- if .Values.postInstall.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postInstall.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postInstall.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.priorityClassName }} + priorityClassName: {{ .Values.postInstall.labelNamespace.priorityClassName }} + {{- end }} + {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + initContainers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postInstall.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- if .Values.postInstall.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- with .Values.postInstall.labelNamespace.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/namespace-post-upgrade.yaml new file mode 100644 index 0000000000..e5fcecb41e --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/namespace-post-upgrade.yaml @@ -0,0 +1,156 @@ +{{- if .Values.postUpgrade.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postUpgrade.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postUpgrade.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade + {{- if .Values.postUpgrade.labelNamespace.priorityClassName }} + priorityClassName: {{ .Values.postUpgrade.labelNamespace.priorityClassName }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postUpgrade.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postUpgrade }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label-post-upgrade +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/probe-webhook-post-install.yaml new file mode 100644 index 0000000000..19e5a7c654 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/probe-webhook-post-install.yaml @@ -0,0 +1,50 @@ +{{- if not .Values.disableValidatingWebhook }} +{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-probe-webhook-post-install + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.priorityClassName }} + priorityClassName: {{ .Values.postInstall.probeWebhook.priorityClassName }} + {{- end }} + {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} + backoffLimit: 3 +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/requiredlabels.yaml new file mode 100644 index 0000000000..e93e6a0a7d --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/requiredlabels.yaml @@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + message: + type: string + labels: + type: array + items: + type: object + properties: + key: + type: string + allowedRegex: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + get_message(parameters, _default) = msg { + not parameters.message + msg := _default + } + + get_message(parameters, _default) = msg { + msg := parameters.message + } + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_].key} + missing := required - provided + count(missing) > 0 + def_msg := sprintf("you must provide labels: %v", [missing]) + msg := get_message(input.parameters, def_msg) + } + + violation[{"msg": msg}] { + value := input.review.object.metadata.labels[key] + expected := input.parameters.labels[_] + expected.key == key + # do not match if allowedRegex is not defined, or is an empty string + expected.allowedRegex != "" + not re_match(expected.allowedRegex, value) + def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) + msg := get_message(input.parameters, def_msg) + } diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/upgrade-crds-hook.yaml new file mode 100644 index 0000000000..e37dcafd4e --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/upgrade-crds-hook.yaml @@ -0,0 +1,119 @@ +{{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "create", "update", "patch"] +{{- with .Values.upgradeCRDs.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +subjects: + - kind: ServiceAccount + name: gatekeeper-admin-upgrade-crds + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: gatekeeper-admin-upgrade-crds + apiGroup: rbac.authorization.k8s.io +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + name: gatekeeper-admin-upgrade-crds + namespace: '{{ .Release.Namespace }}' + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-crds-hook + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gatekeeper.name" . }} + chart: {{ template "gatekeeper.name" . }} + gatekeeper.sh/system: "yes" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" +spec: + backoffLimit: 3 + template: + metadata: + name: gatekeeper-update-crds-hook + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + serviceAccountName: gatekeeper-admin-upgrade-crds + restartPolicy: Never + {{- if .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml .Values.image.pullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.upgradeCRDs.priorityClassName }} + priorityClassName: {{ .Values.upgradeCRDs.priorityClassName }} + {{- end }} + containers: + - name: crds-upgrade + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - apply + - -f + - crds/ + resources: + {{- toYaml .Values.crds.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.crds.securityContext | nindent 10 }} + {{- with .Values.crds }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..c0c3039387 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/validate-install-crd.yaml @@ -0,0 +1,25 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "mutations.gatekeeper.sh/v1/Assign" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignImage" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/AssignMetadata" false -}} +# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}} +# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}} +# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ExpansionTemplatePodStatus" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}} +# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/webhook-configs-pre-delete.yaml new file mode 100644 index 0000000000..21c2411f0a --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/templates/webhook-configs-pre-delete.yaml @@ -0,0 +1,144 @@ +{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} + imagePullSecrets: + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs + {{- if .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }} + priorityClassName: {{ .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }} + {{- end }} + containers: + - name: kubectl-delete + image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete + {{- if not .Values.disableValidatingWebhook }} + - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} + {{- end }} + {{- if not .Values.disableMutation }} + - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} + {{- end }} + resources: + {{- toYaml .Values.preUninstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.preUninstall.securityContext | nindent 12 }} + {{- with .Values.preUninstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .nodeSelector }} +{{ toYaml .nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .tolerations }} +{{ toYaml .tolerations | indent 8 }} +{{- end }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{- if not .Values.disableValidatingWebhook }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - {{ .Values.validatingWebhookName }} + verbs: + - delete + {{- end }} + {{- if not .Values.disableMutation }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - {{ .Values.mutatingWebhookName }} + verbs: + - delete + {{- end }} +{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-delete-webhook-configs +subjects: + - kind: ServiceAccount + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/104.0.1+up3.13.0/values.yaml b/charts/rancher-gatekeeper/104.0.1+up3.13.0/values.yaml new file mode 100644 index 0000000000..5a7d6f94e3 --- /dev/null +++ b/charts/rancher-gatekeeper/104.0.1+up3.13.0/values.yaml @@ -0,0 +1,281 @@ +replicas: 3 +auditInterval: 60 +metricsBackends: ["prometheus"] +auditMatchKindOnly: false +constraintViolationsLimit: 20 +auditFromCache: false +disableMutation: false +disableValidatingWebhook: false +validatingWebhookName: gatekeeper-validating-webhook-configuration +validatingWebhookTimeoutSeconds: 3 +validatingWebhookFailurePolicy: Ignore +validatingWebhookAnnotations: {} +validatingWebhookExemptNamespacesLabels: {} +validatingWebhookObjectSelector: {} +validatingWebhookCheckIgnoreFailurePolicy: Fail +validatingWebhookCustomRules: {} +validatingWebhookURL: null +enableDeleteOperations: false +enableExternalData: true +enableGeneratorResourceExpansion: true +enableTLSHealthcheck: false +maxServingThreads: -1 +mutatingWebhookName: gatekeeper-mutating-webhook-configuration +mutatingWebhookFailurePolicy: Ignore +mutatingWebhookReinvocationPolicy: Never +mutatingWebhookAnnotations: {} +mutatingWebhookExemptNamespacesLabels: {} +mutatingWebhookObjectSelector: {} +mutatingWebhookTimeoutSeconds: 1 +mutatingWebhookCustomRules: {} +mutatingWebhookURL: null +mutationAnnotations: false +auditChunkSize: 500 +logLevel: INFO +logDenies: false +logMutations: false +emitAdmissionEvents: false +emitAuditEvents: false +admissionEventsInvolvedNamespace: false +auditEventsInvolvedNamespace: false +resourceQuota: true +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper + tag: v3.13.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.13.0 + pullPolicy: IfNotPresent + pullSecrets: [] +preInstall: + crdRepository: + image: + repository: null + tag: v3.13.0 +postUpgrade: + labelNamespace: + enabled: false + image: + repository: rancher/kubectl + tag: v1.30.5 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + priorityClassName: "" + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +postInstall: + labelNamespace: + enabled: true + extraRules: [] + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.13.0 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + priorityClassName: "" + probeWebhook: + enabled: true + image: + repository: rancher/mirrored-curlimages-curl + tag: 8.10.1 + pullPolicy: IfNotPresent + pullSecrets: [] + waitTimeout: 60 + httpTimeout: 2 + insecureHTTPS: false + priorityClassName: "" + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +preUninstall: + deleteWebhookConfigurations: + extraRules: [] + enabled: false + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.13.0 + pullPolicy: IfNotPresent + pullSecrets: [] + priorityClassName: "" + affinity: {} + tolerations: [] + nodeSelector: {} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +podAnnotations: {} +auditPodAnnotations: {} +podLabels: {} +podCountLimit: "100" +secretAnnotations: {} +enableRuntimeDefaultSeccompProfile: true +controllerManager: + exemptNamespaces: [] + exemptNamespacePrefixes: [] + hostNetwork: false + dnsPolicy: ClusterFirst + port: 8443 + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: false + tlsMinVersion: 1.3 + clientCertName: "" + strategyType: RollingUpdate + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gatekeeper.sh/operation + operator: In + values: + - webhook + topologyKey: kubernetes.io/hostname + weight: 100 + topologySpreadConstraints: [] + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + extraRules: [] + networkPolicy: + enabled: false + ingress: { } + # - from: + # - ipBlock: + # cidr: 0.0.0.0/0 +audit: + enablePubsub: false + hostNetwork: false + dnsPolicy: ClusterFirst + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: true + affinity: {} + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + writeToRAMDisk: false + extraRules: [] +crds: + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +pdb: + controllerManager: + minAvailable: 1 +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + kubectl: + repository: rancher/kubectl + tag: v1.30.5 +service: {} +disabledBuiltins: ["{http.send}"] +upgradeCRDs: + enabled: true + extraRules: [] + priorityClassName: "" +rbac: + create: true +externalCertInjection: + enabled: false + secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-istio/104.4.1+up1.22.1/Chart.yaml b/charts/rancher-istio/104.4.1+up1.22.1/Chart.yaml new file mode 100644 index 0000000000..003db98543 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.22.1 +apiVersion: v1 +appVersion: 1.22.1 +description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. +icon: https://charts.rancher.io/assets/logos/istio.svg +keywords: +- networking +- infrastructure +name: rancher-istio +version: 104.4.1+up1.22.1 diff --git a/charts/rancher-istio/104.4.1+up1.22.1/README.md b/charts/rancher-istio/104.4.1+up1.22.1/README.md new file mode 100644 index 0000000000..2230c61859 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/README.md @@ -0,0 +1,79 @@ +# Rancher-Istio Chart + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. + +See the app-readme for known issues and deprecations. + +## Installation Requirements + +#### Chart Dependencies +- rancher-monitoring chart or other Prometheus installation + +#### Install +To install the rancher-istio chart with helm, use the following command: +``` +helm install rancher-istio --create-namespace -n istio-system +``` + +#### Uninstall +To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. + +**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** +`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` + +## Addons +The addons that are included with rancher-istio are: + +- Kiali +- Jaeger + +Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. +### Kiali Addon + +Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. + +#### Kiali Dependencies +##### rancher-monitoring chart or other Prometheus installation + +This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. + +#### Prometheus Configuration for Kiali +> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. + +The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. + +To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. + +1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. +1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. + +#### Kiali External Services + +The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. + +##### Prometheus +The `kiali.external_services.prometheus` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. + +##### Grafana +The `kiali.external_services.grafana` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. + +##### Tracing +The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: +``` +http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} +``` +The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. + +## Jaeger Addon + +Jaeger allows you to trace and monitor distributed microservices. + +> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/charts/rancher-istio/104.4.1+up1.22.1/app-readme.md b/charts/rancher-istio/104.4.1+up1.22.1/app-readme.md new file mode 100644 index 0000000000..284f0720f3 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/app-readme.md @@ -0,0 +1,65 @@ +# Rancher Istio + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: +* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh +* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Warnings +- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. + +## Known Issues + +#### Airgapped Environments +**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) + +#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. +To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. +`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` +See [this issue](https://github.com/rancher/rancher/issues/33291) for details. + +## Installing istio with distroless-images. +Istio `104.4.0+up1.22.1` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. + +## Deprecations + +#### v1alpha1 security policies +As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ + +If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. + +> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: +``` +Error: found 6 CRD of unsupported v1alpha1 security policy +``` +``` + Error: found 1 unsupported v1alpha1 security policy + ``` + ``` + Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x + ``` + Continue with the migration steps below before retrying the upgrade process. + +#### Migrating Resources: +Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). + +You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/Chart.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/Chart.yaml new file mode 100644 index 0000000000..d117115029 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/Chart.yaml @@ -0,0 +1,28 @@ +annotations: + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1 + catalog.rancher.io/namespace: cattle-istio-system + catalog.rancher.io/release-name: rancher-kiali-server +apiVersion: v2 +appVersion: v1.86.0 +description: Kiali is an open source project for service mesh observability, refer + to https://www.kiali.io for details. This is installed as sub-chart with customized + values in Rancher's Istio. +home: https://github.com/kiali/kiali +icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg +keywords: +- istio +- kiali +- networking +- infrastructure +maintainers: +- email: kiali-users@googlegroups.com + name: Kiali + url: https://kiali.io +name: kiali +sources: +- https://github.com/kiali/kiali +- https://github.com/kiali/kiali-operator +- https://github.com/kiali/helm-charts +version: 1.86.0 diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/NOTES.txt b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/NOTES.txt new file mode 100644 index 0000000000..751019401b --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/NOTES.txt @@ -0,0 +1,5 @@ +Welcome to Kiali! For more details on Kiali, see: https://kiali.io + +The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon. + +(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}]) diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/_helpers.tpl b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/_helpers.tpl new file mode 100644 index 0000000000..91c9ff0ca5 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/_helpers.tpl @@ -0,0 +1,222 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified instance name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride. +For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali, +use fullnameOverride, otherwise use deployment.instance_name. +*/}} +{{- define "kiali-server.fullname" -}} +{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }} + {{- .Values.fullnameOverride | trunc 63 }} +{{- else }} + {{- .Values.deployment.instance_name | trunc 63 }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Identifies the log_level. +*/}} +{{- define "kiali-server.logLevel" -}} +{{- .Values.deployment.logger.log_level -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kiali-server.labels" -}} +helm.sh/chart: {{ include "kiali-server.chart" . }} +app: kiali +{{ include "kiali-server.selectorLabels" . }} +version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: "kiali" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kiali-server.selectorLabels" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullName := include "kiali-server.fullname" . -}} +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} +app.kubernetes.io/name: kiali +{{- if (and .Release.IsUpgrade $deployment)}} +app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} +{{- else }} +app.kubernetes.io/instance: {{ $fullName }} +{{- end }} +{{- end }} + +{{/* +Determine the default login token signing key. +*/}} +{{- define "kiali-server.login_token.signing_key" -}} +{{- if .Values.login_token.signing_key }} + {{- .Values.login_token.signing_key }} +{{- else }} + {{- randAlphaNum 16 }} +{{- end }} +{{- end }} + +{{/* +Determine the default web root. +*/}} +{{- define "kiali-server.server.web_root" -}} +{{- if .Values.server.web_root }} + {{- if (eq .Values.server.web_root "/") }} + {{- .Values.server.web_root }} + {{- else }} + {{- .Values.server.web_root | trimSuffix "/" }} + {{- end }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/" }} + {{- else }} + {{- "/kiali" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity cert file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.cert_file" -}} +{{- if hasKey .Values.identity "cert_file" }} + {{- .Values.identity.cert_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.crt" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity private key file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.private_key_file" -}} +{{- if hasKey .Values.identity "private_key_file" }} + {{- .Values.identity.private_key_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.key" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default deployment.ingress.enabled. Disable it on k8s; enable it on OpenShift. +*/}} +{{- define "kiali-server.deployment.ingress.enabled" -}} +{{- if hasKey .Values.deployment.ingress "enabled" }} + {{- .Values.deployment.ingress.enabled }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- true }} + {{- else }} + {{- false }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the istio namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.istio_namespace" -}} +{{- if .Values.istio_namespace }} + {{- .Values.istio_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift. +*/}} +{{- define "kiali-server.auth.strategy" -}} +{{- if .Values.auth.strategy }} + {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }} + {{- end }} + {{- .Values.auth.strategy }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- if not .Values.kiali_route_url }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }} + {{- end }} + {{- "openshift" }} + {{- else }} + {{- "token" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the root namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.external_services.istio.root_namespace" -}} +{{- if .Values.external_services.istio.root_namespace }} + {{- .Values.external_services.istio.root_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. +Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. +*/}} +{{- define "kiali-server.remote-cluster-secrets" -}} +{{- $theDict := dict }} +{{- if .Values.clustering.autodetect_secrets.enabled }} + {{- $secretLabelToLookFor := (regexSplit "=" .Values.clustering.autodetect_secrets.label 2) }} + {{- $secretLabelNameToLookFor := first $secretLabelToLookFor }} + {{- $secretLabelValueToLookFor := last $secretLabelToLookFor }} + {{- range $i, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }} + {{- if (and (and (hasKey $secret.metadata "labels") (hasKey $secret.metadata.labels $secretLabelNameToLookFor)) (eq (get $secret.metadata.labels $secretLabelNameToLookFor) ($secretLabelValueToLookFor))) }} + {{- $clusterName := $secret.metadata.name }} + {{- if (and (hasKey $secret.metadata "annotations") (hasKey $secret.metadata.annotations "kiali.io/cluster")) }} + {{- $clusterName = get $secret.metadata.annotations "kiali.io/cluster" }} + {{- end }} + {{- $theDict = set $theDict $clusterName $secret.metadata.name }} + {{- end }} + {{- end }} +{{- end }} +{{- $theDict | toJson }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/cabundle.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/cabundle.yaml new file mode 100644 index 0000000000..7462b95a7f --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/cabundle.yaml @@ -0,0 +1,13 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }}-cabundle + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + service.beta.openshift.io/inject-cabundle: "true" +... +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/configmap.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/configmap.yaml new file mode 100644 index 0000000000..f7b68294d7 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/configmap.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.configmap_annotations }} + annotations: + {{- toYaml .Values.deployment.configmap_annotations | nindent 4 }} + {{- end }} +data: + config.yaml: | + {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}} + {{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }} + {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}} + {{- $_ := set $cm.deployment "namespace" .Release.Namespace }} + {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}} + {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }} + {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }} + {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }} + {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }} + {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }} + {{- $_ := set $cm.external_services.istio "root_namespace" (include "kiali-server.external_services.istio.root_namespace" .) }} + {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }} + {{- toYaml $cm | nindent 4 }} +... diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/deployment.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/deployment.yaml new file mode 100644 index 0000000000..b3da9a92b0 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/deployment.yaml @@ -0,0 +1,235 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.deployment.replicas }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + volumeMounts: + {{- if .Values.web_root_override }} + - name: kiali-console + subPath: env.js + mountPath: /opt/kiali/console/env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + {{- if .Values.web_root_override }} + - name: kiali-console + configMap: + name: kiali-console + items: + - key: env.js + path: env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . }}-cert + secret: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.deployment.tolerations }} +{{ toYaml .Values.deployment.tolerations | indent 8 }} +{{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.deployment.node_selector }} +{{ toYaml .Values.deployment.node_selector | indent 8 }} +{{- end }} +... diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/hpa.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/hpa.yaml new file mode 100644 index 0000000000..934c4c1e9d --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/hpa.yaml @@ -0,0 +1,17 @@ +{{- if .Values.deployment.hpa.spec }} +--- +apiVersion: {{ .Values.deployment.hpa.api_version }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kiali-server.fullname" . }} + {{- toYaml .Values.deployment.hpa.spec | nindent 2 }} +... +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/ingress.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/ingress.yaml new file mode 100644 index 0000000000..27807fc3de --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/ingress.yaml @@ -0,0 +1,62 @@ +{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +--- +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- else }} + # For ingress-nginx versions older than 0.20.0 use secure-backends. + # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948) + # For ingress-nginx versions 0.20.0 and later use backend-protocol. + {{- if (include "kiali-server.identity.cert_file" .) }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + {{- else }} + nginx.ingress.kubernetes.io/secure-backends: "false" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + {{- end }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + {{- if .Values.deployment.ingress.class_name }} + ingressClassName: {{ .Values.deployment.ingress.class_name }} + {{- end }} + rules: + - http: + paths: + - path: {{ include "kiali-server.server.web_root" . }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ include "kiali-server.fullname" . }} + port: + number: {{ .Values.server.port }} + {{- else }} + backend: + serviceName: {{ include "kiali-server.fullname" . }} + servicePort: {{ .Values.server.port }} + {{- end }} + {{- if not (empty .Values.server.web_fqdn) }} + host: {{ .Values.server.web_fqdn }} + {{- end }} + {{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/oauth.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/oauth.yaml new file mode 100644 index 0000000000..44c8d7cbb1 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/oauth.yaml @@ -0,0 +1,25 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +{{- if .Values.kiali_route_url }} +--- +apiVersion: oauth.openshift.io/v1 +kind: OAuthClient +metadata: + name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +redirectURIs: +- {{ .Values.kiali_route_url }} +{{- if .Values.server.web_port }} +- {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }} +{{- end }} +grantMethod: auto +{{- if .Values.auth.openshift.token_inactivity_timeout }} +accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }} +{{- end }} +{{- if .Values.auth.openshift.token_max_age }} +accessTokenMaxAgeSeconds: {{ .Values.auth.openshift.token_max_age }} +{{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/psp.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/psp.yaml new file mode 100644 index 0000000000..e31d706d4b --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/psp.yaml @@ -0,0 +1,67 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kiali-server.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: kiali +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "kiali-server.fullname" . }}-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role-controlplane.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role-controlplane.yaml new file mode 100644 index 0000000000..707501c677 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role-controlplane.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-controlplane + namespace: {{ include "kiali-server.istio_namespace" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +{{- if .Values.kiali_feature_flags.certificates_information_indicators.enabled }} +- apiGroups: [""] + resourceNames: + {{- range .Values.kiali_feature_flags.certificates_information_indicators.secrets }} + - {{ . }} + {{- end }} + resources: + - secrets + verbs: + - get + - list + - watch +{{- end }} +... diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role-viewer.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role-viewer.yaml new file mode 100644 index 0000000000..0811b20118 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role-viewer.yaml @@ -0,0 +1,96 @@ +{{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }}-viewer + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +... +{{- end -}} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role.yaml new file mode 100644 index 0000000000..de23cc5c83 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/role.yaml @@ -0,0 +1,103 @@ +{{- if not (or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")) -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - patch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - patch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - patch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - patch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +... +{{- end -}} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/rolebinding-controlplane.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/rolebinding-controlplane.yaml new file mode 100644 index 0000000000..5a00158360 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/rolebinding-controlplane.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kiali-server.fullname" . }}-controlplane + namespace: {{ include "kiali-server.istio_namespace" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kiali-server.fullname" . }}-controlplane +subjects: +- kind: ServiceAccount + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} +... diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/rolebinding.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/rolebinding.yaml new file mode 100644 index 0000000000..63f1922ac1 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }} + name: {{ include "kiali-server.fullname" . }}-viewer + {{- else }} + name: {{ include "kiali-server.fullname" . }} + {{- end }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }} + name: {{ include "kiali-server.fullname" . }}-viewer + {{- else }} + name: {{ include "kiali-server.fullname" . }} + {{- end }} +subjects: +- kind: ServiceAccount + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} +... diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/route.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/route.yaml new file mode 100644 index 0000000000..8325c14a74 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/route.yaml @@ -0,0 +1,34 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + annotations: + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + tls: + termination: reencrypt + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: {{ include "kiali-server.fullname" . }} + port: + targetPort: {{ .Values.server.port }} + {{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/service.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/service.yaml new file mode 100644 index 0000000000..111be7f879 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/service.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret + {{- end }} + {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }} + {{- if empty .Values.server.web_port }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ include "kiali-server.server.web_root" . }} + {{- else }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{ include "kiali-server.server.web_root" . }} + {{- end }} + {{- end }} + {{- if .Values.deployment.service_annotations }} + {{- toYaml .Values.deployment.service_annotations | nindent 4 }} + {{- end }} +spec: + {{- if .Values.deployment.service_type }} + type: {{ .Values.deployment.service_type }} + {{- end }} + ports: + {{- if (include "kiali-server.identity.cert_file" .) }} + - name: tcp + appProtocol: https + {{- else }} + - name: http + appProtocol: http + {{- end }} + protocol: TCP + port: {{ .Values.server.port }} + {{- if and (not (empty .Values.server.node_port)) (eq .Values.deployment.service_type "NodePort") }} + nodePort: {{ .Values.server.node_port }} + {{- end }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + appProtocol: http + protocol: TCP + port: {{ .Values.server.observability.metrics.port }} + {{- end }} + selector: + {{- include "kiali-server.selectorLabels" . | nindent 4 }} + {{- if .Values.deployment.additional_service_yaml }} + {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }} + {{- end }} +... diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/serviceaccount.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/serviceaccount.yaml new file mode 100644 index 0000000000..9151b6f6a1 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +... diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/validate-psp-install.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/web-root-configmap.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/web-root-configmap.yaml new file mode 100644 index 0000000000..970d4e4f5d --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/templates/web-root-configmap.yaml @@ -0,0 +1,12 @@ +{{- if .Values.web_root_override }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali-console + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +data: + env.js: | + window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali'; +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/values.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/values.yaml new file mode 100644 index 0000000000..4e9c57da3d --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/kiali/values.yaml @@ -0,0 +1,136 @@ +# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead. +# This is only supported for backward compatibility and will be removed in a future version. +# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali", +# then 'deployment.instance_name' will take the value of 'fullnameOverride' value. +# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used. +fullnameOverride: "kiali" + +# This is required for "openshift" auth strategy. +# You have to know ahead of time what your Route URL will be because +# right now the helm chart can't figure this out at runtime (it would +# need to wait for the Kiali Route to be deployed and for OpenShift +# to start it up). If someone knows how to update this helm chart to +# do this, a PR would be welcome. +kiali_route_url: "" + +# rancher specific override that allows proxy access to kiali url +web_root_override: true +# +# Settings that mimic the Kiali CR which are placed in the ConfigMap. +# Note that only those values used by the Helm Chart will be here. +# + +additional_display_details: +- annotation: kiali.io/api-spec + icon_annotation: kiali.io/api-type + title: API Documentation + +istio_namespace: "" # default is where Kiali is installed + +auth: + openid: {} + openshift: {} + strategy: "" + +clustering: + autodetect_secrets: + enabled: true + label: "kiali.io/multiCluster=true" + clusters: [] + +deployment: + # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything. + # For more control over what the Kial Service Account can see, use the Kiali Operator + accessible_namespaces: + - "**" + additional_service_yaml: {} + affinity: + node: {} + pod: {} + pod_anti: {} + configmap_annotations: {} + custom_secrets: [] + dns: + config: {} + policy: "" + host_aliases: [] + hpa: + api_version: "autoscaling/v2" + spec: {} + image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") + repository: rancher/mirrored-kiali-kiali + image_pull_policy: "Always" + image_pull_secrets: [] + tag: v1.86.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash + ingress: + additional_labels: {} + class_name: "nginx" + #enabled: + override_yaml: + metadata: {} + instance_name: "kiali" + logger: + log_format: "text" + log_level: "info" + time_field_format: "2006-01-02T15:04:05Z07:00" + sampler_rate: "1" + node_selector: {} + pod_annotations: {} + pod_labels: {} + priority_class_name: "" + replicas: 1 + resources: + requests: + cpu: "10m" + memory: "64Mi" + limits: + memory: "1Gi" + secret_name: "kiali" + security_context: {} + service_annotations: {} + service_type: "" + tolerations: [] + version_label: v1.86.0 # v1.39 # v1.39.0 # see: https://quay.io/repository/kiali/kiali?tab=tags + view_only_mode: false + +external_services: + custom_dashboards: + enabled: true + istio: + root_namespace: "" + +identity: {} + #cert_file: + #private_key_file: + +kiali_feature_flags: + certificates_information_indicators: + enabled: true + secrets: + - cacerts + - istio-ca-secret + disabled_features: [] + validations: + ignore: ["KIA1301"] + +login_token: + signing_key: "" + +server: + port: 20001 + #node_port: + observability: + metrics: + enabled: true + port: 9090 + web_root: "" + +# Common settings used among istio subcharts. +global: + # Specify rancher clusterId of external tracing config + # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032 + cattle: + systemDefaultRegistry: "" + clusterId: + psp: + enabled: false \ No newline at end of file diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/.helmignore b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/Chart.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/Chart.yaml new file mode 100644 index 0000000000..87c13ce47e --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/Chart.yaml @@ -0,0 +1,12 @@ +annotations: + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.rancher.io/certified: rancher + catalog.rancher.io/namespace: istio-system + catalog.rancher.io/release-name: rancher-tracing +apiVersion: v1 +appVersion: 1.57.0 +description: A quick start Jaeger Tracing installation using the all-in-one demo. + This is not production qualified. Refer to https://www.jaegertracing.io/ for details. +name: tracing +version: 1.57.0 diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/README.md b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/README.md new file mode 100644 index 0000000000..25534c6288 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/README.md @@ -0,0 +1,5 @@ +# Jaeger + +A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices. + +> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs. diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/_affinity.tpl b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/_affinity.tpl new file mode 100644 index 0000000000..bf6a9aee5c --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/_affinity.tpl @@ -0,0 +1,92 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} +{{- define "nodeAffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .Values.podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if or .Values.podAntiAffinityTermLabelSelector}} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/_helpers.tpl b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/_helpers.tpl new file mode 100644 index 0000000000..09c6b05467 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/_helpers.tpl @@ -0,0 +1,47 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "tracing.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tracing.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/deployment.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/deployment.yaml new file mode 100644 index 0000000000..f8a6828085 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/deployment.yaml @@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: {{ .Values.provider }} + template: + metadata: + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "14269" +{{- if .Values.jaeger.podAnnotations }} +{{ toYaml .Values.jaeger.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: jaeger + image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + {{- if eq .Values.jaeger.spanStorageType "badger" }} + - name: BADGER_EPHEMERAL + value: "false" + - name: SPAN_STORAGE_TYPE + value: "badger" + - name: BADGER_DIRECTORY_VALUE + value: "/badger/data" + - name: BADGER_DIRECTORY_KEY + value: "/badger/key" + {{- end }} + - name: COLLECTOR_ZIPKIN_HOST_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "{{ .Values.jaeger.memory.max_traces }}" + - name: QUERY_BASE_PATH + value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + livenessProbe: + httpGet: + path: / + port: 14269 + readinessProbe: + httpGet: + path: / + port: 14269 +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumeMounts: + - name: data + mountPath: /badger +{{- end }} + resources: +{{- if .Values.jaeger.resources }} +{{ toYaml .Values.jaeger.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + affinity: + {{- include "nodeAffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.global.cattle.psp.enabled }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + {{- end }} + serviceAccountName: {{ include "tracing.fullname" . }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumes: + - name: data +{{- if .Values.jaeger.persistentVolumeClaim.enabled }} + persistentVolumeClaim: + claimName: istio-jaeger-pvc +{{- else }} + emptyDir: {} +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/psp.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/psp.yaml new file mode 100644 index 0000000000..4d5c271e1b --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/psp.yaml @@ -0,0 +1,76 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "tracing.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "tracing.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "tracing.fullname" . }} + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - emptyDir + - secret + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/pvc.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/pvc.yaml new file mode 100644 index 0000000000..9b4c55e4fb --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/pvc.yaml @@ -0,0 +1,16 @@ +{{- if .Values.jaeger.persistentVolumeClaim.enabled }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: istio-jaeger-pvc + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} +spec: + storageClassName: {{ .Values.jaeger.storageClassName }} + accessModes: + - {{ .Values.jaeger.accessMode }} + resources: + requests: + storage: {{.Values.jaeger.persistentVolumeClaim.storage }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/service.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/service.yaml new file mode 100644 index 0000000000..3ee5a54247 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/service.yaml @@ -0,0 +1,70 @@ +apiVersion: v1 +kind: Service +metadata: + name: tracing + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := .Values.service.annotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.service.type }} + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.service.externalPort }} + protocol: TCP + targetPort: 16686 + selector: + app: {{ .Values.provider }} +--- +# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. +apiVersion: v1 +kind: Service +metadata: + name: zipkin + namespace: {{ .Release.Namespace }} + labels: + name: zipkin + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.zipkin.queryPort }} + targetPort: {{ .Values.zipkin.queryPort }} + selector: + app: {{ .Values.provider }} +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + - name: jaeger-collector-grpc + port: 14250 + targetPort: 14250 + protocol: TCP + - port: 9411 + targetPort: 9411 + name: http-zipkin + - port: 4317 + name: grpc-otel + - port: 4318 + name: http-otel + selector: + app: {{ .Values.provider }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/serviceaccount.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/serviceaccount.yaml new file mode 100644 index 0000000000..1bff77ff66 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} \ No newline at end of file diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/validate-psp-install.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/values.yaml b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/values.yaml new file mode 100644 index 0000000000..0070dee9d4 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/charts/tracing/values.yaml @@ -0,0 +1,53 @@ +provider: jaeger +contextPath: "" +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] +nameOverride: "" +fullnameOverride: "" + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + defaultResources: {} + imagePullPolicy: IfNotPresent + imagePullSecrets: [] + arch: + arm64: 2 + amd64: 2 + s390x: 2 + ppc64le: 2 + defaultNodeSelector: + kubernetes.io/os: linux + rbac: + pspEnabled: false + +jaeger: + repository: rancher/mirrored-jaegertracing-all-in-one + tag: 1.57.0 + # spanStorageType value can be "memory" and "badger" for all-in-one image + spanStorageType: badger + resources: + requests: + cpu: 10m + persistentVolumeClaim: + enabled: false + storage: 5Gi + storageClassName: "" + accessMode: ReadWriteMany + memory: + max_traces: 50000 +zipkin: + queryPort: 9411 +service: + annotations: {} + name: http-query + type: ClusterIP + externalPort: 16686 diff --git a/charts/rancher-istio/104.4.1+up1.22.1/configs/istio-base.yaml b/charts/rancher-istio/104.4.1+up1.22.1/configs/istio-base.yaml new file mode 100644 index 0000000000..17fb5ff8c3 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/configs/istio-base.yaml @@ -0,0 +1,140 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: {{ .Values.base.enabled }} + cni: + enabled: {{ .Values.cni.enabled }} + k8s: + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + egressGateways: + - enabled: {{ .Values.egressGateways.enabled }} + name: istio-egressgateway + k8s: + {{- if .Values.egressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.egressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + ingressGateways: + - enabled: {{ .Values.ingressGateways.enabled }} + name: istio-ingressgateway + k8s: + {{- if .Values.ingressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.ingressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + service: + ports: + - name: status-port + port: 15021 + targetPort: 15021 + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31380 + - name: https + port: 443 + targetPort: 8443 + nodePort: 31390 + - name: tcp + port: 31400 + targetPort: 31400 + nodePort: 31400 + - name: tls + port: 15443 + targetPort: 15443 + istiodRemote: + enabled: {{ .Values.istiodRemote.enabled }} + pilot: + enabled: {{ .Values.pilot.enabled }} + k8s: + {{- if .Values.pilot.hpaSpec }} + hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.pilot.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + hub: {{ .Values.systemDefaultRegistry | default "docker.io" }} + profile: default + tag: {{ .Values.tag }} + revision: {{ .Values.revision }} + meshConfig: + defaultConfig: + {{- if .Values.tracing.enabled }} + tracing: + zipkin: + address: {{ .Values.tracing.zipkinAddress }} + {{- end }} + proxyMetadata: + {{- if .Values.dns.enabled }} + ISTIO_META_DNS_CAPTURE: "true" + {{- end }} + values: + gateways: + istio-egressgateway: + name: istio-egressgateway + type: {{ .Values.egressGateways.type }} + istio-ingressgateway: + name: istio-ingressgateway + type: {{ .Values.ingressGateways.type }} + global: + istioNamespace: {{ template "istio.namespace" . }} + proxy: + image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }} + proxy_init: + image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }} + {{- if .Values.global.defaultPodDisruptionBudget.enabled }} + defaultPodDisruptionBudget: + enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }} + {{- end }} + {{- if .Values.pilot.enabled }} + pilot: + image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }} + {{- end }} + telemetry: + enabled: {{ .Values.telemetry.enabled }} + v2: + enabled: {{ .Values.telemetry.v2.enabled }} + {{- if .Values.cni.enabled }} + cni: + image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }} + excludeNamespaces: + {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }} + logLevel: {{ .Values.cni.logLevel }} + {{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/requirements.yaml b/charts/rancher-istio/104.4.1+up1.22.1/requirements.yaml new file mode 100644 index 0000000000..9e21bd425d --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/requirements.yaml @@ -0,0 +1,9 @@ +dependencies: +- condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 1.86.0 +- condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.57.0 diff --git a/charts/rancher-istio/104.4.1+up1.22.1/samples/overlay-example.yaml b/charts/rancher-istio/104.4.1+up1.22.1/samples/overlay-example.yaml new file mode 100644 index 0000000000..5cf3cf3b0b --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/samples/overlay-example.yaml @@ -0,0 +1,37 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + ingressGateways: + - enabled: true + name: ilb-gateway + namespace: user-ingressgateway-ns + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal + - enabled: true + name: other-gateway + namespace: cattle-istio-system + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/_helpers.tpl b/charts/rancher-istio/104.4.1+up1.22.1/templates/_helpers.tpl new file mode 100644 index 0000000000..30b429a800 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "istio.namespace" -}} + {{- .Release.Namespace | default "istio-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/admin-role.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/admin-role.yaml new file mode 100644 index 0000000000..ad1313c4f1 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/admin-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: istio-admin + namespace: {{ template "istio.namespace" . }} +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/base-config-map.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/base-config-map.yaml new file mode 100644 index 0000000000..5323917bc3 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/base-config-map.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-base + namespace: {{ template "istio.namespace" . }} +data: +{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/clusterrole.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..31163f9325 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/clusterrole.yaml @@ -0,0 +1,143 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-installer +rules: +# istio groups +- apiGroups: + - extensions.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - rbac.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - telemetry.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - ingresses + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/exec + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes + verbs: + - 'get' + - 'list' + - 'watch' +{{- if and .Values.global.cattle.psp.enabled }} +- apiGroups: + - policy + resourceNames: + - istio-installer + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/clusterrolebinding.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..9d74a04345 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-installer +subjects: +- kind: ServiceAccount + name: istio-installer + namespace: {{ template "istio.namespace" . }} +roleRef: + kind: ClusterRole + name: istio-installer + apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/edit-role.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/edit-role.yaml new file mode 100644 index 0000000000..d1059d58d7 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/edit-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-edit +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-cni-psp.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-cni-psp.yaml new file mode 100644 index 0000000000..a71561e676 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-cni-psp.yaml @@ -0,0 +1,51 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: psp-istio-cni + namespace: {{ template "istio.namespace" . }} +spec: + allowPrivilegeEscalation: true + fsGroup: + rule: RunAsAny + hostNetwork: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - emptyDir + - hostPath +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp-istio-cni + namespace: {{ template "istio.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: psp-istio-cni +subjects: + - kind: ServiceAccount + name: istio-cni +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: psp-istio-cni + namespace: {{ template "istio.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - psp-istio-cni + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-install-job.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-install-job.yaml new file mode 100644 index 0000000000..c2e362e684 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-install-job.yaml @@ -0,0 +1,66 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: istioctl-installer + namespace: {{ template "istio.namespace" . }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + backoffLimit: 1 + template: + spec: + {{- if .Values.installer.releaseMirror.enabled }} + hostAliases: + - ip: "127.0.0.1" + hostnames: + - "github.com" + {{- end }} + containers: + - name: istioctl-installer + image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }} + env: + - name: RELEASE_NAME + value: {{ .Release.Name }} + - name: ISTIO_NAMESPACE + value: {{ template "istio.namespace" . }} + - name: FORCE_INSTALL + value: {{ .Values.forceInstall | default "false" | quote }} + - name: RELEASE_MIRROR_ENABLED + value: {{ .Values.installer.releaseMirror.enabled | quote }} + - name: SECONDS_SLEEP + value: {{ .Values.installer.debug.secondsSleep | quote}} + command: ["/bin/sh","-c"] + args: ["/usr/local/app/scripts/run.sh"] + volumeMounts: + - name: config-volume + mountPath: /app/istio-base.yaml + subPath: istio-base.yaml + {{- if .Values.overlayFile }} + - name: overlay-volume + mountPath: /app/overlay-config.yaml + subPath: overlay-config.yaml + {{- end }} + volumes: + - name: config-volume + configMap: + name: istio-installer-base + {{- if .Values.overlayFile }} + - name: overlay-volume + configMap: + name: istio-installer-overlay + {{- end }} + serviceAccountName: istio-installer + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsUser: 499 + runAsGroup: 487 + restartPolicy: Never diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-install-psp.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-install-psp.yaml new file mode 100644 index 0000000000..9da3391d40 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-install-psp.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-installer + namespace: {{ template "istio.namespace" . }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-psp.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-psp.yaml new file mode 100644 index 0000000000..cfada1bf7f --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-psp.yaml @@ -0,0 +1,81 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-psp +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + - kind: ServiceAccount + name: istio-ingressgateway-service-account + - kind: ServiceAccount + name: istio-mixer-service-account + - kind: ServiceAccount + name: istio-operator-authproxy + - kind: ServiceAccount + name: istiod-service-account + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + - kind: ServiceAccount + name: istiocoredns-service-account + - kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - istio-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-uninstall-job.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-uninstall-job.yaml new file mode 100644 index 0000000000..0091d0c176 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/istio-uninstall-job.yaml @@ -0,0 +1,53 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: istioctl-uninstaller + namespace: {{ template "istio.namespace" . }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + spec: + containers: + - name: istioctl-uninstaller + image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }} + env: + - name: RELEASE_NAME + value: {{ .Release.Name }} + - name: ISTIO_NAMESPACE + value: {{ template "istio.namespace" . }} + command: ["/bin/sh","-c"] + args: ["/usr/local/app/scripts/uninstall_istio_system.sh"] + volumeMounts: + - name: config-volume + mountPath: /app/istio-base.yaml + subPath: istio-base.yaml + {{- if .Values.overlayFile }} + - name: overlay-volume + mountPath: /app/overlay-config.yaml + subPath: overlay-config.yaml + {{ end }} + volumes: + - name: config-volume + configMap: + name: istio-installer-base + {{- if .Values.overlayFile }} + - name: overlay-volume + configMap: + name: istio-installer-overlay + {{ end }} + serviceAccountName: istio-installer + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsUser: 101 + runAsGroup: 101 + restartPolicy: OnFailure diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/overlay-config-map.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/overlay-config-map.yaml new file mode 100644 index 0000000000..287d26b2c3 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/overlay-config-map.yaml @@ -0,0 +1,9 @@ +{{- if .Values.overlayFile }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-overlay + namespace: {{ template "istio.namespace" . }} +data: + overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }} +{{- end }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/service-monitors.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/service-monitors.yaml new file mode 100644 index 0000000000..c3d60c4fce --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/service-monitors.yaml @@ -0,0 +1,51 @@ +{{- if .Values.kiali.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: envoy-stats-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-proxies +spec: + selector: + matchExpressions: + - {key: istio-prometheus-ignore, operator: DoesNotExist} + namespaceSelector: + any: true + jobLabel: envoy-stats + endpoints: + - path: /stats/prometheus + targetPort: 15090 + interval: 15s + relabelings: + - sourceLabels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - action: labeldrop + regex: "__meta_kubernetes_pod_label_(.+)" + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: namespace + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: pod_name +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: istio-component-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-components +spec: + jobLabel: istio + targetLabels: [app] + selector: + matchExpressions: + - {key: istio, operator: In, values: [pilot]} + namespaceSelector: + any: true + endpoints: + - port: http-monitoring + interval: 15s +{{- end -}} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/serviceaccount.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..82b6cbb7e6 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-installer + namespace: {{ template "istio.namespace" . }} diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/validate-psp-install.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..4b0e5cfb65 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/104.4.1+up1.22.1/templates/view-role.yaml b/charts/rancher-istio/104.4.1+up1.22.1/templates/view-role.yaml new file mode 100644 index 0000000000..5947d3eba9 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/templates/view-role.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-view +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: ["get", "watch", "list"] + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-istio/104.4.1+up1.22.1/values.yaml b/charts/rancher-istio/104.4.1+up1.22.1/values.yaml new file mode 100644 index 0000000000..8c7bfa8d89 --- /dev/null +++ b/charts/rancher-istio/104.4.1+up1.22.1/values.yaml @@ -0,0 +1,120 @@ +overlayFile: "" +tag: 1.22.1 +##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install +forceInstall: false + +installer: + repository: rancher/istio-installer + tag: 1.22.1-rancher1 + ##releaseMirror are configurations for istio upgrades. + ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal + ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. + releaseMirror: + enabled: false + + ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging + debug: + secondsSleep: 0 + +##Native support for dns added in 1.8 +dns: + enabled: false + +base: + enabled: true + +cni: + enabled: false + repository: rancher/mirrored-istio-install-cni +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + logLevel: info + excludeNamespaces: + - istio-system + - kube-system + +egressGateways: + enabled: false + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +ingressGateways: + enabled: true + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +istiodRemote: + enabled: false + +pilot: + enabled: true + repository: rancher/mirrored-istio-pilot +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + hpaSpec: {} + podDisruptionBudget: {} + +telemetry: + enabled: true + v2: + enabled: true + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + proxy: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + proxy_init: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + defaultPodDisruptionBudget: + enabled: true + +# Kiali subchart from rancher-kiali-server +kiali: + enabled: true + # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/ + auth: + strategy: token + server: + web_root: / + deployment: + ingress_enabled: false + external_services: + prometheus: + custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + tracing: + in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger" + use_grpc: false + grafana: + in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + +tracing: + enabled: false + contextPath: "/jaeger" + zipkinAddress: zipkin.istio-system.svc:9411 + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] diff --git a/charts/rancher-istio/104.5.0+up1.23.2/Chart.yaml b/charts/rancher-istio/104.5.0+up1.23.2/Chart.yaml new file mode 100644 index 0000000000..a784c1ba63 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 +apiVersion: v1 +appVersion: 1.23.2 +description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. +icon: https://charts.rancher.io/assets/logos/istio.svg +keywords: +- networking +- infrastructure +name: rancher-istio +version: 104.5.0+up1.23.2 diff --git a/charts/rancher-istio/104.5.0+up1.23.2/README.md b/charts/rancher-istio/104.5.0+up1.23.2/README.md new file mode 100644 index 0000000000..2230c61859 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/README.md @@ -0,0 +1,79 @@ +# Rancher-Istio Chart + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. + +See the app-readme for known issues and deprecations. + +## Installation Requirements + +#### Chart Dependencies +- rancher-monitoring chart or other Prometheus installation + +#### Install +To install the rancher-istio chart with helm, use the following command: +``` +helm install rancher-istio --create-namespace -n istio-system +``` + +#### Uninstall +To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. + +**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** +`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` + +## Addons +The addons that are included with rancher-istio are: + +- Kiali +- Jaeger + +Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. +### Kiali Addon + +Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. + +#### Kiali Dependencies +##### rancher-monitoring chart or other Prometheus installation + +This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. + +#### Prometheus Configuration for Kiali +> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. + +The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. + +To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. + +1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. +1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. + +#### Kiali External Services + +The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. + +##### Prometheus +The `kiali.external_services.prometheus` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. + +##### Grafana +The `kiali.external_services.grafana` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. + +##### Tracing +The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: +``` +http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} +``` +The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. + +## Jaeger Addon + +Jaeger allows you to trace and monitor distributed microservices. + +> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/charts/rancher-istio/104.5.0+up1.23.2/app-readme.md b/charts/rancher-istio/104.5.0+up1.23.2/app-readme.md new file mode 100644 index 0000000000..8be230ff00 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/app-readme.md @@ -0,0 +1,65 @@ +# Rancher Istio + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: +* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh +* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Warnings +- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. + +## Known Issues + +#### Airgapped Environments +**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) + +#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. +To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. +`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` +See [this issue](https://github.com/rancher/rancher/issues/33291) for details. + +## Installing istio with distroless-images. +Istio `104.5.0+up1.23.2` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. + +## Deprecations + +#### v1alpha1 security policies +As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ + +If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. + +> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: +``` +Error: found 6 CRD of unsupported v1alpha1 security policy +``` +``` + Error: found 1 unsupported v1alpha1 security policy + ``` + ``` + Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x + ``` + Continue with the migration steps below before retrying the upgrade process. + +#### Migrating Resources: +Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). + +You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/Chart.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/Chart.yaml new file mode 100644 index 0000000000..e282a06c7b --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/Chart.yaml @@ -0,0 +1,28 @@ +annotations: + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1 + catalog.rancher.io/namespace: cattle-istio-system + catalog.rancher.io/release-name: rancher-kiali-server +apiVersion: v2 +appVersion: v1.89.3 +description: Kiali is an open source project for service mesh observability, refer + to https://www.kiali.io for details. This is installed as sub-chart with customized + values in Rancher's Istio. +home: https://github.com/kiali/kiali +icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg +keywords: +- istio +- kiali +- networking +- infrastructure +maintainers: +- email: kiali-users@googlegroups.com + name: Kiali + url: https://kiali.io +name: kiali +sources: +- https://github.com/kiali/kiali +- https://github.com/kiali/kiali-operator +- https://github.com/kiali/helm-charts +version: 1.89.3 diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/NOTES.txt b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/NOTES.txt new file mode 100644 index 0000000000..751019401b --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/NOTES.txt @@ -0,0 +1,5 @@ +Welcome to Kiali! For more details on Kiali, see: https://kiali.io + +The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon. + +(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}]) diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/_helpers.tpl b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/_helpers.tpl new file mode 100644 index 0000000000..91c9ff0ca5 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/_helpers.tpl @@ -0,0 +1,222 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified instance name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride. +For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali, +use fullnameOverride, otherwise use deployment.instance_name. +*/}} +{{- define "kiali-server.fullname" -}} +{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }} + {{- .Values.fullnameOverride | trunc 63 }} +{{- else }} + {{- .Values.deployment.instance_name | trunc 63 }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Identifies the log_level. +*/}} +{{- define "kiali-server.logLevel" -}} +{{- .Values.deployment.logger.log_level -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kiali-server.labels" -}} +helm.sh/chart: {{ include "kiali-server.chart" . }} +app: kiali +{{ include "kiali-server.selectorLabels" . }} +version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: "kiali" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kiali-server.selectorLabels" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullName := include "kiali-server.fullname" . -}} +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} +app.kubernetes.io/name: kiali +{{- if (and .Release.IsUpgrade $deployment)}} +app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} +{{- else }} +app.kubernetes.io/instance: {{ $fullName }} +{{- end }} +{{- end }} + +{{/* +Determine the default login token signing key. +*/}} +{{- define "kiali-server.login_token.signing_key" -}} +{{- if .Values.login_token.signing_key }} + {{- .Values.login_token.signing_key }} +{{- else }} + {{- randAlphaNum 16 }} +{{- end }} +{{- end }} + +{{/* +Determine the default web root. +*/}} +{{- define "kiali-server.server.web_root" -}} +{{- if .Values.server.web_root }} + {{- if (eq .Values.server.web_root "/") }} + {{- .Values.server.web_root }} + {{- else }} + {{- .Values.server.web_root | trimSuffix "/" }} + {{- end }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/" }} + {{- else }} + {{- "/kiali" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity cert file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.cert_file" -}} +{{- if hasKey .Values.identity "cert_file" }} + {{- .Values.identity.cert_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.crt" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity private key file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.private_key_file" -}} +{{- if hasKey .Values.identity "private_key_file" }} + {{- .Values.identity.private_key_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.key" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default deployment.ingress.enabled. Disable it on k8s; enable it on OpenShift. +*/}} +{{- define "kiali-server.deployment.ingress.enabled" -}} +{{- if hasKey .Values.deployment.ingress "enabled" }} + {{- .Values.deployment.ingress.enabled }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- true }} + {{- else }} + {{- false }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the istio namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.istio_namespace" -}} +{{- if .Values.istio_namespace }} + {{- .Values.istio_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift. +*/}} +{{- define "kiali-server.auth.strategy" -}} +{{- if .Values.auth.strategy }} + {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }} + {{- end }} + {{- .Values.auth.strategy }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- if not .Values.kiali_route_url }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }} + {{- end }} + {{- "openshift" }} + {{- else }} + {{- "token" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the root namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.external_services.istio.root_namespace" -}} +{{- if .Values.external_services.istio.root_namespace }} + {{- .Values.external_services.istio.root_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. +Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. +*/}} +{{- define "kiali-server.remote-cluster-secrets" -}} +{{- $theDict := dict }} +{{- if .Values.clustering.autodetect_secrets.enabled }} + {{- $secretLabelToLookFor := (regexSplit "=" .Values.clustering.autodetect_secrets.label 2) }} + {{- $secretLabelNameToLookFor := first $secretLabelToLookFor }} + {{- $secretLabelValueToLookFor := last $secretLabelToLookFor }} + {{- range $i, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }} + {{- if (and (and (hasKey $secret.metadata "labels") (hasKey $secret.metadata.labels $secretLabelNameToLookFor)) (eq (get $secret.metadata.labels $secretLabelNameToLookFor) ($secretLabelValueToLookFor))) }} + {{- $clusterName := $secret.metadata.name }} + {{- if (and (hasKey $secret.metadata "annotations") (hasKey $secret.metadata.annotations "kiali.io/cluster")) }} + {{- $clusterName = get $secret.metadata.annotations "kiali.io/cluster" }} + {{- end }} + {{- $theDict = set $theDict $clusterName $secret.metadata.name }} + {{- end }} + {{- end }} +{{- end }} +{{- $theDict | toJson }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/cabundle.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/cabundle.yaml new file mode 100644 index 0000000000..7462b95a7f --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/cabundle.yaml @@ -0,0 +1,13 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }}-cabundle + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + service.beta.openshift.io/inject-cabundle: "true" +... +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/configmap.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/configmap.yaml new file mode 100644 index 0000000000..f7b68294d7 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/configmap.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.configmap_annotations }} + annotations: + {{- toYaml .Values.deployment.configmap_annotations | nindent 4 }} + {{- end }} +data: + config.yaml: | + {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}} + {{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }} + {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}} + {{- $_ := set $cm.deployment "namespace" .Release.Namespace }} + {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}} + {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }} + {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }} + {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }} + {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }} + {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }} + {{- $_ := set $cm.external_services.istio "root_namespace" (include "kiali-server.external_services.istio.root_namespace" .) }} + {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }} + {{- toYaml $cm | nindent 4 }} +... diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/deployment.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/deployment.yaml new file mode 100644 index 0000000000..d5047dba36 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/deployment.yaml @@ -0,0 +1,237 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: +{{- if not .Values.deployment.hpa.spec }} + replicas: {{ .Values.deployment.replicas }} +{{- end }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + volumeMounts: + {{- if .Values.web_root_override }} + - name: kiali-console + subPath: env.js + mountPath: /opt/kiali/console/env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + {{- if .Values.web_root_override }} + - name: kiali-console + configMap: + name: kiali-console + items: + - key: env.js + path: env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . }}-cert + secret: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.deployment.tolerations }} +{{ toYaml .Values.deployment.tolerations | indent 8 }} +{{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.deployment.node_selector }} +{{ toYaml .Values.deployment.node_selector | indent 8 }} +{{- end }} +... diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/hpa.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/hpa.yaml new file mode 100644 index 0000000000..934c4c1e9d --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/hpa.yaml @@ -0,0 +1,17 @@ +{{- if .Values.deployment.hpa.spec }} +--- +apiVersion: {{ .Values.deployment.hpa.api_version }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kiali-server.fullname" . }} + {{- toYaml .Values.deployment.hpa.spec | nindent 2 }} +... +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/ingress.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/ingress.yaml new file mode 100644 index 0000000000..27807fc3de --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/ingress.yaml @@ -0,0 +1,62 @@ +{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +--- +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- else }} + # For ingress-nginx versions older than 0.20.0 use secure-backends. + # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948) + # For ingress-nginx versions 0.20.0 and later use backend-protocol. + {{- if (include "kiali-server.identity.cert_file" .) }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + {{- else }} + nginx.ingress.kubernetes.io/secure-backends: "false" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + {{- end }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + {{- if .Values.deployment.ingress.class_name }} + ingressClassName: {{ .Values.deployment.ingress.class_name }} + {{- end }} + rules: + - http: + paths: + - path: {{ include "kiali-server.server.web_root" . }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ include "kiali-server.fullname" . }} + port: + number: {{ .Values.server.port }} + {{- else }} + backend: + serviceName: {{ include "kiali-server.fullname" . }} + servicePort: {{ .Values.server.port }} + {{- end }} + {{- if not (empty .Values.server.web_fqdn) }} + host: {{ .Values.server.web_fqdn }} + {{- end }} + {{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/oauth.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/oauth.yaml new file mode 100644 index 0000000000..8658c7f947 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/oauth.yaml @@ -0,0 +1,25 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +{{- if .Values.kiali_route_url }} +--- +apiVersion: oauth.openshift.io/v1 +kind: OAuthClient +metadata: + name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +redirectURIs: +- {{ .Values.kiali_route_url }}/api/auth/callback +{{- if .Values.server.web_port }} +- {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }}/api/auth/callback +{{- end }} +grantMethod: auto +{{- if .Values.auth.openshift.token_inactivity_timeout }} +accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }} +{{- end }} +{{- if .Values.auth.openshift.token_max_age }} +accessTokenMaxAgeSeconds: {{ .Values.auth.openshift.token_max_age }} +{{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/psp.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/psp.yaml new file mode 100644 index 0000000000..e31d706d4b --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/psp.yaml @@ -0,0 +1,67 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kiali-server.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: kiali +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "kiali-server.fullname" . }}-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role-controlplane.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role-controlplane.yaml new file mode 100644 index 0000000000..707501c677 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role-controlplane.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-controlplane + namespace: {{ include "kiali-server.istio_namespace" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +{{- if .Values.kiali_feature_flags.certificates_information_indicators.enabled }} +- apiGroups: [""] + resourceNames: + {{- range .Values.kiali_feature_flags.certificates_information_indicators.secrets }} + - {{ . }} + {{- end }} + resources: + - secrets + verbs: + - get + - list + - watch +{{- end }} +... diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role-viewer.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role-viewer.yaml new file mode 100644 index 0000000000..0811b20118 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role-viewer.yaml @@ -0,0 +1,96 @@ +{{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }}-viewer + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +... +{{- end -}} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role.yaml new file mode 100644 index 0000000000..de23cc5c83 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/role.yaml @@ -0,0 +1,103 @@ +{{- if not (or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")) -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - patch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - patch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - patch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - patch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +... +{{- end -}} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/rolebinding-controlplane.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/rolebinding-controlplane.yaml new file mode 100644 index 0000000000..5a00158360 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/rolebinding-controlplane.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kiali-server.fullname" . }}-controlplane + namespace: {{ include "kiali-server.istio_namespace" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kiali-server.fullname" . }}-controlplane +subjects: +- kind: ServiceAccount + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} +... diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/rolebinding.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/rolebinding.yaml new file mode 100644 index 0000000000..63f1922ac1 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }} + name: {{ include "kiali-server.fullname" . }}-viewer + {{- else }} + name: {{ include "kiali-server.fullname" . }} + {{- end }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }} + name: {{ include "kiali-server.fullname" . }}-viewer + {{- else }} + name: {{ include "kiali-server.fullname" . }} + {{- end }} +subjects: +- kind: ServiceAccount + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} +... diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/route.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/route.yaml new file mode 100644 index 0000000000..8325c14a74 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/route.yaml @@ -0,0 +1,34 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + annotations: + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + tls: + termination: reencrypt + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: {{ include "kiali-server.fullname" . }} + port: + targetPort: {{ .Values.server.port }} + {{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/service.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/service.yaml new file mode 100644 index 0000000000..111be7f879 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/service.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret + {{- end }} + {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }} + {{- if empty .Values.server.web_port }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ include "kiali-server.server.web_root" . }} + {{- else }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{ include "kiali-server.server.web_root" . }} + {{- end }} + {{- end }} + {{- if .Values.deployment.service_annotations }} + {{- toYaml .Values.deployment.service_annotations | nindent 4 }} + {{- end }} +spec: + {{- if .Values.deployment.service_type }} + type: {{ .Values.deployment.service_type }} + {{- end }} + ports: + {{- if (include "kiali-server.identity.cert_file" .) }} + - name: tcp + appProtocol: https + {{- else }} + - name: http + appProtocol: http + {{- end }} + protocol: TCP + port: {{ .Values.server.port }} + {{- if and (not (empty .Values.server.node_port)) (eq .Values.deployment.service_type "NodePort") }} + nodePort: {{ .Values.server.node_port }} + {{- end }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + appProtocol: http + protocol: TCP + port: {{ .Values.server.observability.metrics.port }} + {{- end }} + selector: + {{- include "kiali-server.selectorLabels" . | nindent 4 }} + {{- if .Values.deployment.additional_service_yaml }} + {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }} + {{- end }} +... diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/serviceaccount.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/serviceaccount.yaml new file mode 100644 index 0000000000..9151b6f6a1 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +... diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/validate-psp-install.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/web-root-configmap.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/web-root-configmap.yaml new file mode 100644 index 0000000000..970d4e4f5d --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/templates/web-root-configmap.yaml @@ -0,0 +1,12 @@ +{{- if .Values.web_root_override }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali-console + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +data: + env.js: | + window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali'; +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/values.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/values.yaml new file mode 100644 index 0000000000..984432789a --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/kiali/values.yaml @@ -0,0 +1,137 @@ +# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead. +# This is only supported for backward compatibility and will be removed in a future version. +# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali", +# then 'deployment.instance_name' will take the value of 'fullnameOverride' value. +# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used. +fullnameOverride: "kiali" + +# This is required for "openshift" auth strategy. +# You have to know ahead of time what your Route URL will be because +# right now the helm chart can't figure this out at runtime (it would +# need to wait for the Kiali Route to be deployed and for OpenShift +# to start it up). If someone knows how to update this helm chart to +# do this, a PR would be welcome. +kiali_route_url: "" + +# rancher specific override that allows proxy access to kiali url +web_root_override: true +# +# Settings that mimic the Kiali CR which are placed in the ConfigMap. +# Note that only those values used by the Helm Chart will be here. +# + +additional_display_details: +- annotation: kiali.io/api-spec + icon_annotation: kiali.io/api-type + title: API Documentation + +istio_namespace: "" # default is where Kiali is installed + +auth: + openid: {} + openshift: {} + strategy: "" + +clustering: + autodetect_secrets: + enabled: true + label: "kiali.io/multiCluster=true" + clusters: [] + +deployment: + # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything. + # For more control over what the Kial Service Account can see, use the Kiali Operator + accessible_namespaces: + - "**" + additional_service_yaml: {} + affinity: + node: {} + pod: {} + pod_anti: {} + configmap_annotations: {} + custom_secrets: [] + dns: + config: {} + policy: "" + host_aliases: [] + hpa: + api_version: "autoscaling/v2" + spec: {} + image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") + repository: rancher/mirrored-kiali-kiali + image_pull_policy: "Always" + image_pull_secrets: [] + tag: v1.89.3 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash + ingress: + additional_labels: {} + class_name: "nginx" + #enabled: + override_yaml: + metadata: {} + instance_name: "kiali" + logger: + log_format: "text" + log_level: "info" + time_field_format: "2006-01-02T15:04:05Z07:00" + sampler_rate: "1" + node_selector: {} + pod_annotations: {} + pod_labels: {} + priority_class_name: "" + # if deployment.hpa is defined, this replicas setting will be ignored + replicas: 1 + resources: + requests: + cpu: "10m" + memory: "64Mi" + limits: + memory: "1Gi" + secret_name: "kiali" + security_context: {} + service_annotations: {} + service_type: "" + tolerations: [] + version_label: v1.89.3 # v1.39 # v1.39.0 # see: https://quay.io/repository/kiali/kiali?tab=tags + view_only_mode: false + +external_services: + custom_dashboards: + enabled: true + istio: + root_namespace: "" + +identity: {} + #cert_file: + #private_key_file: + +kiali_feature_flags: + certificates_information_indicators: + enabled: true + secrets: + - cacerts + - istio-ca-secret + disabled_features: [] + validations: + ignore: ["KIA1301"] + +login_token: + signing_key: "" + +server: + port: 20001 + #node_port: + observability: + metrics: + enabled: true + port: 9090 + web_root: "" + +# Common settings used among istio subcharts. +global: + # Specify rancher clusterId of external tracing config + # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032 + cattle: + systemDefaultRegistry: "" + clusterId: + psp: + enabled: false \ No newline at end of file diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/.helmignore b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/Chart.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/Chart.yaml new file mode 100644 index 0000000000..b27e4ed2ce --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/Chart.yaml @@ -0,0 +1,12 @@ +annotations: + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.rancher.io/certified: rancher + catalog.rancher.io/namespace: istio-system + catalog.rancher.io/release-name: rancher-tracing +apiVersion: v1 +appVersion: 1.60.0 +description: A quick start Jaeger Tracing installation using the all-in-one demo. + This is not production qualified. Refer to https://www.jaegertracing.io/ for details. +name: tracing +version: 1.60.0 diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/README.md b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/README.md new file mode 100644 index 0000000000..25534c6288 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/README.md @@ -0,0 +1,5 @@ +# Jaeger + +A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices. + +> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs. diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/_affinity.tpl b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/_affinity.tpl new file mode 100644 index 0000000000..bf6a9aee5c --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/_affinity.tpl @@ -0,0 +1,92 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} +{{- define "nodeAffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .Values.podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if or .Values.podAntiAffinityTermLabelSelector}} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/_helpers.tpl b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/_helpers.tpl new file mode 100644 index 0000000000..09c6b05467 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/_helpers.tpl @@ -0,0 +1,47 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "tracing.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tracing.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/deployment.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/deployment.yaml new file mode 100644 index 0000000000..f8a6828085 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/deployment.yaml @@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: {{ .Values.provider }} + template: + metadata: + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "14269" +{{- if .Values.jaeger.podAnnotations }} +{{ toYaml .Values.jaeger.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: jaeger + image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + {{- if eq .Values.jaeger.spanStorageType "badger" }} + - name: BADGER_EPHEMERAL + value: "false" + - name: SPAN_STORAGE_TYPE + value: "badger" + - name: BADGER_DIRECTORY_VALUE + value: "/badger/data" + - name: BADGER_DIRECTORY_KEY + value: "/badger/key" + {{- end }} + - name: COLLECTOR_ZIPKIN_HOST_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "{{ .Values.jaeger.memory.max_traces }}" + - name: QUERY_BASE_PATH + value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + livenessProbe: + httpGet: + path: / + port: 14269 + readinessProbe: + httpGet: + path: / + port: 14269 +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumeMounts: + - name: data + mountPath: /badger +{{- end }} + resources: +{{- if .Values.jaeger.resources }} +{{ toYaml .Values.jaeger.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + affinity: + {{- include "nodeAffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.global.cattle.psp.enabled }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + {{- end }} + serviceAccountName: {{ include "tracing.fullname" . }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumes: + - name: data +{{- if .Values.jaeger.persistentVolumeClaim.enabled }} + persistentVolumeClaim: + claimName: istio-jaeger-pvc +{{- else }} + emptyDir: {} +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/psp.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/psp.yaml new file mode 100644 index 0000000000..4d5c271e1b --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/psp.yaml @@ -0,0 +1,76 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "tracing.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "tracing.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "tracing.fullname" . }} + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - emptyDir + - secret + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/pvc.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/pvc.yaml new file mode 100644 index 0000000000..9b4c55e4fb --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/pvc.yaml @@ -0,0 +1,16 @@ +{{- if .Values.jaeger.persistentVolumeClaim.enabled }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: istio-jaeger-pvc + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} +spec: + storageClassName: {{ .Values.jaeger.storageClassName }} + accessModes: + - {{ .Values.jaeger.accessMode }} + resources: + requests: + storage: {{.Values.jaeger.persistentVolumeClaim.storage }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/service.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/service.yaml new file mode 100644 index 0000000000..3ee5a54247 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/service.yaml @@ -0,0 +1,70 @@ +apiVersion: v1 +kind: Service +metadata: + name: tracing + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := .Values.service.annotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.service.type }} + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.service.externalPort }} + protocol: TCP + targetPort: 16686 + selector: + app: {{ .Values.provider }} +--- +# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. +apiVersion: v1 +kind: Service +metadata: + name: zipkin + namespace: {{ .Release.Namespace }} + labels: + name: zipkin + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.zipkin.queryPort }} + targetPort: {{ .Values.zipkin.queryPort }} + selector: + app: {{ .Values.provider }} +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + - name: jaeger-collector-grpc + port: 14250 + targetPort: 14250 + protocol: TCP + - port: 9411 + targetPort: 9411 + name: http-zipkin + - port: 4317 + name: grpc-otel + - port: 4318 + name: http-otel + selector: + app: {{ .Values.provider }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/serviceaccount.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/serviceaccount.yaml new file mode 100644 index 0000000000..1bff77ff66 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} \ No newline at end of file diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/validate-psp-install.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/values.yaml b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/values.yaml new file mode 100644 index 0000000000..cb58f51fdb --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/charts/tracing/values.yaml @@ -0,0 +1,53 @@ +provider: jaeger +contextPath: "" +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] +nameOverride: "" +fullnameOverride: "" + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + defaultResources: {} + imagePullPolicy: IfNotPresent + imagePullSecrets: [] + arch: + arm64: 2 + amd64: 2 + s390x: 2 + ppc64le: 2 + defaultNodeSelector: + kubernetes.io/os: linux + rbac: + pspEnabled: false + +jaeger: + repository: rancher/mirrored-jaegertracing-all-in-one + tag: 1.60.0 + # spanStorageType value can be "memory" and "badger" for all-in-one image + spanStorageType: badger + resources: + requests: + cpu: 10m + persistentVolumeClaim: + enabled: false + storage: 5Gi + storageClassName: "" + accessMode: ReadWriteMany + memory: + max_traces: 50000 +zipkin: + queryPort: 9411 +service: + annotations: {} + name: http-query + type: ClusterIP + externalPort: 16686 diff --git a/charts/rancher-istio/104.5.0+up1.23.2/configs/istio-base.yaml b/charts/rancher-istio/104.5.0+up1.23.2/configs/istio-base.yaml new file mode 100644 index 0000000000..17fb5ff8c3 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/configs/istio-base.yaml @@ -0,0 +1,140 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: {{ .Values.base.enabled }} + cni: + enabled: {{ .Values.cni.enabled }} + k8s: + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + egressGateways: + - enabled: {{ .Values.egressGateways.enabled }} + name: istio-egressgateway + k8s: + {{- if .Values.egressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.egressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + ingressGateways: + - enabled: {{ .Values.ingressGateways.enabled }} + name: istio-ingressgateway + k8s: + {{- if .Values.ingressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.ingressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + service: + ports: + - name: status-port + port: 15021 + targetPort: 15021 + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31380 + - name: https + port: 443 + targetPort: 8443 + nodePort: 31390 + - name: tcp + port: 31400 + targetPort: 31400 + nodePort: 31400 + - name: tls + port: 15443 + targetPort: 15443 + istiodRemote: + enabled: {{ .Values.istiodRemote.enabled }} + pilot: + enabled: {{ .Values.pilot.enabled }} + k8s: + {{- if .Values.pilot.hpaSpec }} + hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.pilot.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + hub: {{ .Values.systemDefaultRegistry | default "docker.io" }} + profile: default + tag: {{ .Values.tag }} + revision: {{ .Values.revision }} + meshConfig: + defaultConfig: + {{- if .Values.tracing.enabled }} + tracing: + zipkin: + address: {{ .Values.tracing.zipkinAddress }} + {{- end }} + proxyMetadata: + {{- if .Values.dns.enabled }} + ISTIO_META_DNS_CAPTURE: "true" + {{- end }} + values: + gateways: + istio-egressgateway: + name: istio-egressgateway + type: {{ .Values.egressGateways.type }} + istio-ingressgateway: + name: istio-ingressgateway + type: {{ .Values.ingressGateways.type }} + global: + istioNamespace: {{ template "istio.namespace" . }} + proxy: + image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }} + proxy_init: + image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }} + {{- if .Values.global.defaultPodDisruptionBudget.enabled }} + defaultPodDisruptionBudget: + enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }} + {{- end }} + {{- if .Values.pilot.enabled }} + pilot: + image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }} + {{- end }} + telemetry: + enabled: {{ .Values.telemetry.enabled }} + v2: + enabled: {{ .Values.telemetry.v2.enabled }} + {{- if .Values.cni.enabled }} + cni: + image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }} + excludeNamespaces: + {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }} + logLevel: {{ .Values.cni.logLevel }} + {{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/requirements.yaml b/charts/rancher-istio/104.5.0+up1.23.2/requirements.yaml new file mode 100644 index 0000000000..cb4c3fe75c --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/requirements.yaml @@ -0,0 +1,9 @@ +dependencies: +- condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 1.89.3 +- condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.60.0 diff --git a/charts/rancher-istio/104.5.0+up1.23.2/samples/overlay-example.yaml b/charts/rancher-istio/104.5.0+up1.23.2/samples/overlay-example.yaml new file mode 100644 index 0000000000..5cf3cf3b0b --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/samples/overlay-example.yaml @@ -0,0 +1,37 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + ingressGateways: + - enabled: true + name: ilb-gateway + namespace: user-ingressgateway-ns + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal + - enabled: true + name: other-gateway + namespace: cattle-istio-system + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/_helpers.tpl b/charts/rancher-istio/104.5.0+up1.23.2/templates/_helpers.tpl new file mode 100644 index 0000000000..30b429a800 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "istio.namespace" -}} + {{- .Release.Namespace | default "istio-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/admin-role.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/admin-role.yaml new file mode 100644 index 0000000000..ad1313c4f1 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/admin-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: istio-admin + namespace: {{ template "istio.namespace" . }} +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/base-config-map.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/base-config-map.yaml new file mode 100644 index 0000000000..5323917bc3 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/base-config-map.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-base + namespace: {{ template "istio.namespace" . }} +data: +{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/clusterrole.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..31163f9325 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/clusterrole.yaml @@ -0,0 +1,143 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-installer +rules: +# istio groups +- apiGroups: + - extensions.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - rbac.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - telemetry.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - ingresses + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/exec + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes + verbs: + - 'get' + - 'list' + - 'watch' +{{- if and .Values.global.cattle.psp.enabled }} +- apiGroups: + - policy + resourceNames: + - istio-installer + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/clusterrolebinding.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..9d74a04345 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-installer +subjects: +- kind: ServiceAccount + name: istio-installer + namespace: {{ template "istio.namespace" . }} +roleRef: + kind: ClusterRole + name: istio-installer + apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/edit-role.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/edit-role.yaml new file mode 100644 index 0000000000..d1059d58d7 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/edit-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-edit +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-cni-psp.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-cni-psp.yaml new file mode 100644 index 0000000000..a71561e676 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-cni-psp.yaml @@ -0,0 +1,51 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: psp-istio-cni + namespace: {{ template "istio.namespace" . }} +spec: + allowPrivilegeEscalation: true + fsGroup: + rule: RunAsAny + hostNetwork: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - emptyDir + - hostPath +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp-istio-cni + namespace: {{ template "istio.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: psp-istio-cni +subjects: + - kind: ServiceAccount + name: istio-cni +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: psp-istio-cni + namespace: {{ template "istio.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - psp-istio-cni + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-install-job.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-install-job.yaml new file mode 100644 index 0000000000..c2e362e684 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-install-job.yaml @@ -0,0 +1,66 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: istioctl-installer + namespace: {{ template "istio.namespace" . }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + backoffLimit: 1 + template: + spec: + {{- if .Values.installer.releaseMirror.enabled }} + hostAliases: + - ip: "127.0.0.1" + hostnames: + - "github.com" + {{- end }} + containers: + - name: istioctl-installer + image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }} + env: + - name: RELEASE_NAME + value: {{ .Release.Name }} + - name: ISTIO_NAMESPACE + value: {{ template "istio.namespace" . }} + - name: FORCE_INSTALL + value: {{ .Values.forceInstall | default "false" | quote }} + - name: RELEASE_MIRROR_ENABLED + value: {{ .Values.installer.releaseMirror.enabled | quote }} + - name: SECONDS_SLEEP + value: {{ .Values.installer.debug.secondsSleep | quote}} + command: ["/bin/sh","-c"] + args: ["/usr/local/app/scripts/run.sh"] + volumeMounts: + - name: config-volume + mountPath: /app/istio-base.yaml + subPath: istio-base.yaml + {{- if .Values.overlayFile }} + - name: overlay-volume + mountPath: /app/overlay-config.yaml + subPath: overlay-config.yaml + {{- end }} + volumes: + - name: config-volume + configMap: + name: istio-installer-base + {{- if .Values.overlayFile }} + - name: overlay-volume + configMap: + name: istio-installer-overlay + {{- end }} + serviceAccountName: istio-installer + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsUser: 499 + runAsGroup: 487 + restartPolicy: Never diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-install-psp.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-install-psp.yaml new file mode 100644 index 0000000000..9da3391d40 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-install-psp.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-installer + namespace: {{ template "istio.namespace" . }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-psp.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-psp.yaml new file mode 100644 index 0000000000..cfada1bf7f --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-psp.yaml @@ -0,0 +1,81 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-psp +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + - kind: ServiceAccount + name: istio-ingressgateway-service-account + - kind: ServiceAccount + name: istio-mixer-service-account + - kind: ServiceAccount + name: istio-operator-authproxy + - kind: ServiceAccount + name: istiod-service-account + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + - kind: ServiceAccount + name: istiocoredns-service-account + - kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - istio-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-uninstall-job.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-uninstall-job.yaml new file mode 100644 index 0000000000..0091d0c176 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/istio-uninstall-job.yaml @@ -0,0 +1,53 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: istioctl-uninstaller + namespace: {{ template "istio.namespace" . }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + spec: + containers: + - name: istioctl-uninstaller + image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }} + env: + - name: RELEASE_NAME + value: {{ .Release.Name }} + - name: ISTIO_NAMESPACE + value: {{ template "istio.namespace" . }} + command: ["/bin/sh","-c"] + args: ["/usr/local/app/scripts/uninstall_istio_system.sh"] + volumeMounts: + - name: config-volume + mountPath: /app/istio-base.yaml + subPath: istio-base.yaml + {{- if .Values.overlayFile }} + - name: overlay-volume + mountPath: /app/overlay-config.yaml + subPath: overlay-config.yaml + {{ end }} + volumes: + - name: config-volume + configMap: + name: istio-installer-base + {{- if .Values.overlayFile }} + - name: overlay-volume + configMap: + name: istio-installer-overlay + {{ end }} + serviceAccountName: istio-installer + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsUser: 101 + runAsGroup: 101 + restartPolicy: OnFailure diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/overlay-config-map.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/overlay-config-map.yaml new file mode 100644 index 0000000000..287d26b2c3 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/overlay-config-map.yaml @@ -0,0 +1,9 @@ +{{- if .Values.overlayFile }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-overlay + namespace: {{ template "istio.namespace" . }} +data: + overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }} +{{- end }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/service-monitors.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/service-monitors.yaml new file mode 100644 index 0000000000..c3d60c4fce --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/service-monitors.yaml @@ -0,0 +1,51 @@ +{{- if .Values.kiali.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: envoy-stats-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-proxies +spec: + selector: + matchExpressions: + - {key: istio-prometheus-ignore, operator: DoesNotExist} + namespaceSelector: + any: true + jobLabel: envoy-stats + endpoints: + - path: /stats/prometheus + targetPort: 15090 + interval: 15s + relabelings: + - sourceLabels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - action: labeldrop + regex: "__meta_kubernetes_pod_label_(.+)" + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: namespace + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: pod_name +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: istio-component-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-components +spec: + jobLabel: istio + targetLabels: [app] + selector: + matchExpressions: + - {key: istio, operator: In, values: [pilot]} + namespaceSelector: + any: true + endpoints: + - port: http-monitoring + interval: 15s +{{- end -}} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/serviceaccount.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/serviceaccount.yaml new file mode 100644 index 0000000000..82b6cbb7e6 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-installer + namespace: {{ template "istio.namespace" . }} diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/validate-psp-install.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..4b0e5cfb65 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/104.5.0+up1.23.2/templates/view-role.yaml b/charts/rancher-istio/104.5.0+up1.23.2/templates/view-role.yaml new file mode 100644 index 0000000000..5947d3eba9 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/templates/view-role.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-view +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: ["get", "watch", "list"] + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-istio/104.5.0+up1.23.2/values.yaml b/charts/rancher-istio/104.5.0+up1.23.2/values.yaml new file mode 100644 index 0000000000..ad46defdb6 --- /dev/null +++ b/charts/rancher-istio/104.5.0+up1.23.2/values.yaml @@ -0,0 +1,121 @@ +overlayFile: "" +tag: 1.23.2 +##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install +forceInstall: false + +installer: + repository: rancher/istio-installer + tag: 1.23.2-rancher1 + ##releaseMirror are configurations for istio upgrades. + ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal + ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. + releaseMirror: + enabled: false + + ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging + debug: + secondsSleep: 0 + +##Native support for dns added in 1.8 +dns: + enabled: false + +base: + enabled: true + +cni: + enabled: false + repository: rancher/mirrored-istio-install-cni +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + logLevel: info + excludeNamespaces: + - istio-system + - kube-system + +egressGateways: + enabled: false + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +ingressGateways: + enabled: true + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +istiodRemote: + enabled: false + +pilot: + enabled: true + repository: rancher/mirrored-istio-pilot +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + hpaSpec: {} + podDisruptionBudget: {} + +telemetry: + enabled: true + v2: + enabled: true + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + proxy: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + proxy_init: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + defaultPodDisruptionBudget: + enabled: true + +# Kiali subchart from rancher-kiali-server +kiali: + enabled: true + # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/ + auth: + strategy: token + server: + web_root: / + deployment: + ingress_enabled: false + external_services: + prometheus: + custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + tracing: + in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger" + use_grpc: false + grafana: + in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + +tracing: + enabled: false + contextPath: "/jaeger" + zipkinAddress: zipkin.istio-system.svc:9411 + + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] diff --git a/index.yaml b/index.yaml index 62e5584206..3d9e527e63 100755 --- a/index.yaml +++ b/index.yaml @@ -1,6 +1,30 @@ apiVersion: v1 entries: elemental: + - annotations: + catalog.cattle.io/auto-install: elemental-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Elemental + catalog.cattle.io/kube-version: '>= 1.23.0-0' + catalog.cattle.io/namespace: cattle-elemental-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: elemental.cattle.io/v1beta1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: elemental-operator + catalog.cattle.io/scope: management + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 1.6.5 + apiVersion: v2 + appVersion: 1.6.5 + created: "2024-11-08T15:08:41.225231345-03:00" + description: Elemental provides Cloud Native OS Management for Cluster Nodes. + digest: bbce3e8919c099b71d1625e464e39265cb05ed2c5c2ed39e9d0ab6d31aea1c92 + icon: https://raw.githubusercontent.com/rancher/elemental/main/logo/icon-elemental.svg + name: elemental + urls: + - assets/elemental/elemental-104.2.1+up1.6.5.tgz + version: 104.2.1+up1.6.5 - annotations: catalog.cattle.io/auto-install: elemental-crd=match catalog.cattle.io/certified: rancher @@ -242,6 +266,21 @@ entries: - assets/elemental/elemental-103.0.0+up1.3.4.tgz version: 103.0.0+up1.3.4 elemental-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-elemental-system + catalog.cattle.io/release-name: elemental-operator-crds + apiVersion: v2 + appVersion: 1.6.5 + created: "2024-11-08T15:08:53.745722888-03:00" + description: A Helm chart for deploying Rancher Elemental Operator CRDs + digest: e59f10e5ffd24c4813b5385f4dc211ca31b4288ac9941c771deade39c3bb657b + name: elemental-crd + type: application + urls: + - assets/elemental-crd/elemental-crd-104.2.1+up1.6.5.tgz + version: 104.2.1+up1.6.5 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" @@ -806,6 +845,28 @@ entries: - assets/epinio-crd/epinio-crd-102.0.1+up1.6.2.tgz version: 102.0.1+up1.6.2 fleet: + - annotations: + catalog.cattle.io/auto-install: fleet-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.18.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: clusters.fleet.cattle.io/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: fleet + apiVersion: v2 + appVersion: 0.10.5 + created: "2024-11-08T15:37:46.871324077-03:00" + description: Fleet Manager - GitOps at Scale + digest: f8612ed98cb1fa36bff7787692dc23d3a493d9ab8ac1499f875709fdf12ad79c + icon: https://charts.rancher.io/assets/logos/fleet.svg + name: fleet + urls: + - assets/fleet/fleet-104.1.1+up0.10.5.tgz + version: 104.1.1+up0.10.5 - annotations: catalog.cattle.io/auto-install: fleet-crd=match catalog.cattle.io/certified: rancher @@ -1465,6 +1526,25 @@ entries: - assets/fleet/fleet-101.0.0+up0.5.0.tgz version: 101.0.0+up0.5.0 fleet-agent: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.18.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: fleet-agent + apiVersion: v2 + appVersion: 0.10.5 + created: "2024-11-08T15:38:17.013172795-03:00" + description: Fleet Manager Agent - GitOps at Scale + digest: f106536a45bcb10c969b1c5d87b2439e9221e9b1453af875915338fa4c36fde4 + icon: https://charts.rancher.io/assets/logos/fleet.svg + name: fleet-agent + urls: + - assets/fleet-agent/fleet-agent-104.1.1+up0.10.5.tgz + version: 104.1.1+up0.10.5 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" @@ -1960,6 +2040,23 @@ entries: - assets/fleet-agent/fleet-agent-101.0.0+up0.5.0.tgz version: 101.0.0+up0.5.0 fleet-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/release-name: fleet-crd + apiVersion: v2 + appVersion: 0.10.5 + created: "2024-11-08T15:38:28.464888767-03:00" + description: Fleet Manager CustomResourceDefinitions + digest: 8e5b23f81d8a4a32e560a27abf42fbea39a96476902f6d3d13b80821cd0c2c6b + icon: https://charts.rancher.io/assets/logos/fleet.svg + name: fleet-crd + urls: + - assets/fleet-crd/fleet-crd-104.1.1+up0.10.5.tgz + version: 104.1.1+up0.10.5 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" @@ -11211,6 +11308,36 @@ entries: - assets/rancher-eks-operator-crd/rancher-eks-operator-crd-101.0.0+up1.1.5.tgz version: 101.0.0+up1.1.5 rancher-gatekeeper: + - annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper + apiVersion: v2 + appVersion: v3.13.0 + created: "2024-11-08T15:39:32.38291664-03:00" + description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments + digest: 5af38d02530f66e6daac1a612d3db5c187015aadb2e40687a179cd22308054cd + home: https://github.com/open-policy-agent/gatekeeper + icon: https://charts.rancher.io/assets/logos/gatekeeper.svg + keywords: + - open policy agent + - security + name: rancher-gatekeeper + sources: + - https://github.com/open-policy-agent/gatekeeper.git + urls: + - assets/rancher-gatekeeper/rancher-gatekeeper-104.0.1+up3.13.0.tgz + version: 104.0.1+up3.13.0 - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher @@ -11452,6 +11579,20 @@ entries: - assets/rancher-gatekeeper/rancher-gatekeeper-101.0.0+up3.9.0.tgz version: 101.0.0+up3.9.0 rancher-gatekeeper-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd + apiVersion: v1 + created: "2024-11-08T15:45:37.34688194-03:00" + description: Installs the CRDs for rancher-gatekeeper. + digest: aded1b187535e1ea20c78ad575aedb5e04f551f72198f781f04a52e81b5bb3b9 + name: rancher-gatekeeper-crd + type: application + urls: + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-104.0.1+up3.13.0.tgz + version: 104.0.1+up3.13.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" @@ -12207,6 +12348,80 @@ entries: - assets/rancher-gke-operator-crd/rancher-gke-operator-crd-101.0.0+up1.1.5.tgz version: 101.0.0+up1.1.5 rancher-istio: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 + apiVersion: v1 + appVersion: 1.23.2 + created: "2024-11-08T15:35:50.658615677-03:00" + dependencies: + - condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 1.89.3 + - condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.60.0 + description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. + digest: 07bb1381c205cb125207fa282bda584745458706bf2678dbae6d4a28d06c1207 + icon: https://charts.rancher.io/assets/logos/istio.svg + keywords: + - networking + - infrastructure + name: rancher-istio + urls: + - assets/rancher-istio/rancher-istio-104.5.0+up1.23.2.tgz + version: 104.5.0+up1.23.2 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.22.1 + apiVersion: v1 + appVersion: 1.22.1 + created: "2024-11-08T15:36:16.041492992-03:00" + dependencies: + - condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 1.86.0 + - condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.57.0 + description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. + digest: 72b587e1f0b63b6d242dc5ea8ec9086bcd45b7fdee9dd41130c6d6609ab06c39 + icon: https://charts.rancher.io/assets/logos/istio.svg + keywords: + - networking + - infrastructure + name: rancher-istio + urls: + - assets/rancher-istio/rancher-istio-104.4.1+up1.22.1.tgz + version: 104.4.1+up1.22.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: Istio diff --git a/regsync.yaml b/regsync.yaml index de5fb64f69..331efcebc9 100644 --- a/regsync.yaml +++ b/regsync.yaml @@ -121,6 +121,7 @@ sync: - v0.10.2 - v0.10.3 - v0.10.4 + - v0.10.5 - v0.5.0 - v0.5.1 - v0.6.0 @@ -151,6 +152,7 @@ sync: - v0.10.2 - v0.10.3 - v0.10.4 + - v0.10.5 - v0.5.0 - v0.5.1 - v0.6.0 @@ -337,6 +339,7 @@ sync: - 1.20.3-rancher1 - 1.21.1-rancher1 - 1.22.1-rancher1 + - 1.23.2-rancher1 - source: docker.io/rancher/klipper-helm target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/klipper-helm' type: repository @@ -367,6 +370,7 @@ sync: - v1.29.2 - v1.29.4 - v1.29.7 + - v1.30.5 - source: docker.io/rancher/mirrored-amazon-aws-cli target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-amazon-aws-cli' type: repository @@ -473,6 +477,7 @@ sync: - 7.77.0 - 7.83.1 - 7.85.0 + - 8.10.1 - source: docker.io/rancher/mirrored-dexidp-dex target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-dexidp-dex' type: repository @@ -492,6 +497,7 @@ sync: - 1.5.3 - 1.5.4 - 1.6.4 + - 1.6.5 - source: docker.io/rancher/mirrored-elemental-seedimage-builder target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-elemental-seedimage-builder' type: repository @@ -503,6 +509,7 @@ sync: - 1.5.3 - 1.5.4 - 1.6.4 + - 1.6.5 - source: docker.io/rancher/mirrored-epinio-epinio-server target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-epinio-epinio-server' type: repository @@ -592,6 +599,7 @@ sync: - 1.20.3-distroless - 1.21.1-distroless - 1.22.1-distroless + - 1.23.2-distroless - source: docker.io/rancher/mirrored-istio-pilot target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-istio-pilot' type: repository @@ -606,6 +614,7 @@ sync: - 1.20.3-distroless - 1.21.1-distroless - 1.22.1-distroless + - 1.23.2-distroless - source: docker.io/rancher/mirrored-istio-proxyv2 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-istio-proxyv2' type: repository @@ -620,6 +629,7 @@ sync: - 1.20.3-distroless - 1.21.1-distroless - 1.22.1-distroless + - 1.23.2-distroless - source: docker.io/rancher/mirrored-jaegertracing-all-in-one target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-jaegertracing-all-in-one' type: repository @@ -634,6 +644,7 @@ sync: - 1.53.0 - 1.56.0 - 1.57.0 + - 1.60.0 - source: docker.io/rancher/mirrored-jimmidyson-configmap-reload target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-jimmidyson-configmap-reload' type: repository @@ -655,6 +666,7 @@ sync: - v1.78.0 - v1.79.0 - v1.86.0 + - v1.89.3 - source: docker.io/rancher/mirrored-kiwigrid-k8s-sidecar target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-kiwigrid-k8s-sidecar' type: repository @@ -1323,6 +1335,7 @@ sync: - v0.2.7 - v0.2.9 - v0.3.0 + - v0.3.13 - v0.3.2 - v0.3.3 - v0.3.4 diff --git a/release.yaml b/release.yaml index 91eacaa2b6..3530d93ed1 100644 --- a/release.yaml +++ b/release.yaml @@ -1,2 +1,17 @@ -rancher-webhook: - - 2.0.13+up0.3.13 +elemental: + - 104.2.1+up1.6.5 +elemental-crd: + - 104.2.1+up1.6.5 +fleet: + - 104.1.1+up0.10.5 +fleet-agent: + - 104.1.1+up0.10.5 +fleet-crd: + - 104.1.1+up0.10.5 +rancher-gatekeeper: + - 104.0.1+up3.13.0 +rancher-gatekeeper-crd: + - 104.0.1+up3.13.0 +rancher-istio: + - 104.5.0+up1.23.2 + - 104.4.1+up1.22.1