From 8d569fc281dc3189b344eff121350142bf727d52 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 15:11:23 -0300
Subject: [PATCH 01/73] setting default keto dsn as secret
---
charts/orb/values.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index fe1b056..e552317 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -349,6 +349,10 @@ nginx_internal:
annotations: {}
keto:
+ secret:
+ # Set this field with false if you want to use credentials as k8s secret manually created
+ enabled: false
+ nameOverride: "orb-keto-dsn"
keto:
autoMigrate: true
config:
From 0376d3d051e1a2de049541faf35f5dd76381c86b Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 15:21:54 -0300
Subject: [PATCH 02/73] Update Chart.yaml
---
charts/orb/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/Chart.yaml b/charts/orb/Chart.yaml
index c86e3cb..09dc170 100644
--- a/charts/orb/Chart.yaml
+++ b/charts/orb/Chart.yaml
@@ -10,7 +10,7 @@ name: orb
description: Orb Observability Platform
icon: https://avatars1.githubusercontent.com/u/13207490
type: application
-version: 1.0.54
+version: 1.0.55
appVersion: "0.27.0"
home: https://getorb.io
sources:
From f3f505fa7f5475cc5558874a98c706d52aaa113a Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 15:26:24 -0300
Subject: [PATCH 03/73] set with correct cmd for onprem
---
charts/orb/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/orb/README.md b/charts/orb/README.md
index 40f527f..d61a3b2 100644
--- a/charts/orb/README.md
+++ b/charts/orb/README.md
@@ -44,7 +44,7 @@ kubectl create secret generic orb-sinks-encryption-key --from-literal=key=mainfl
* Create keto dsn secret
```
-kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgres:password@db.host.com:5432/keto' -n orb
+kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgres:orb@orb-postgresql-keto:5432/keto' -n orb
```
* Create admin user secrets
@@ -96,4 +96,4 @@ helm install --set ingress.hostname=HOSTNAME -n orb my-orb .
- `smtp.fromName`: E-mail sender display name. Defaults to `Orb`.
- `smtp.fromAddress`: E-mail address of the sender.
- `smtp.usernmame`: username used when authenticating to the SMTP server used for sending e-emails.
- - `smtp.password`: password used when authenticating to the SMTP server used for sending e-emails.
\ No newline at end of file
+ - `smtp.password`: password used when authenticating to the SMTP server used for sending e-emails.
From 6638e77a4cfd01abc97185e503a0e553fe41d247 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 15:33:57 -0300
Subject: [PATCH 04/73] remove comment
---
charts/orb/values.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index e552317..981bdec 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -350,7 +350,6 @@ nginx_internal:
keto:
secret:
- # Set this field with false if you want to use credentials as k8s secret manually created
enabled: false
nameOverride: "orb-keto-dsn"
keto:
From af6a2551149e9de1ec508d43c1f5c3e484a88ca6 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 17:40:41 -0300
Subject: [PATCH 05/73] Update nginx-internal.yaml
---
charts/orb/templates/nginx-internal.yaml | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/charts/orb/templates/nginx-internal.yaml b/charts/orb/templates/nginx-internal.yaml
index 6dbfd33..0f9d81c 100644
--- a/charts/orb/templates/nginx-internal.yaml
+++ b/charts/orb/templates/nginx-internal.yaml
@@ -430,8 +430,8 @@ spec:
secret:
secretName: {{ .Values.ingress.secret }}
{{- end }}
----
+---
apiVersion: v1
kind: Service
metadata:
@@ -444,6 +444,18 @@ spec:
- port: 8883
protocol: TCP
name: mqtt
+ type: {{ .Values.ingress.serviceType }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-nginx-internal-metrics
+spec:
+ selector:
+ app: {{ .Release.Name }}
+ component: nginx-internal
+ ports:
- port: 8080
protocol: TCP
name: metrics
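Review bot: The added `type: {{ .Values.ingress.serviceType }}` line has no fallback and no quoting, and no `ingress.serviceType` key appears in the values.yaml hunks on this page, so the Service type may render empty and silently take the API default. A guarded form such as `type: {{ .Values.ingress.serviceType | default "ClusterIP" | quote }}` keeps the MQTT listener cluster-internal unless an operator opts in. Patches 09 and 21 re-point the same line to other keys without adding a guard. The new `-nginx-internal-metrics` Service sets no `type`, so port 8080 stays on ClusterIP when the MQTT Service becomes a LoadBalancer; a one-line comment stating that this split is intentional would keep the two Services from being merged back. The first Service's `spec` starts above this hunk.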
From 4f15cbecc6f88944aba1fdbc7fd1b117002dbd6e Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 17:44:30 -0300
Subject: [PATCH 06/73] Update README.md
---
charts/orb/README.md | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/charts/orb/README.md b/charts/orb/README.md
index d61a3b2..e082e4a 100644
--- a/charts/orb/README.md
+++ b/charts/orb/README.md
@@ -53,12 +53,21 @@ kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgr
kubectl create secret generic orb-user-service --from-literal=adminEmail=user@example.com --from-literal=adminPassword=12345678 -n orb
```
+On AWS EKS:
+Once that you can update your ingress controller (AWS LoadBalancer) using helm, a good solution could be you open the MQTT port on the cluster loadbalancer and redirect it to orb-nginx-internal pod as below:
* Deploy [ingres-nginx helm](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) (to default namespace) with
tcp config map configured from helm for 8883 (MQTTS). Note you need to reference both namespace and helm release name
here!
```
-helm install --set tcp.8883=orb/my-orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
+helm install --set tcp.8883=orb/orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
+```
+
+On On-Premise kubernetes cluster:
+The best approach is use nginx-internal as service type LoadBalancer on your values.yaml to expose your MQTT port externally
+
+```
+helm install --set tcp.8883=orb/orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
```
* Wait for an external IP to be available
From b557f3bc773bffa1dde81ad0942730c5defa4e23 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 17:44:46 -0300
Subject: [PATCH 07/73] Update values.yaml
---
charts/orb/values.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 981bdec..5162c80 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -341,6 +341,7 @@ envoy:
annotations: {}
nginx_internal:
+ serviceType: ClusterIP # use LoadBalancer for on-premise solution
image:
pullPolicy: "IfNotPresent"
repository: "nginx"
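Review bot: The inline comment on `serviceType` says when to choose `LoadBalancer` but not what that choice does. Going by the nginx-internal Service template elsewhere in this series, it publishes MQTT port 8883 outside the cluster. I would write it as `# ClusterIP keeps MQTT (8883) cluster-internal; LoadBalancer exposes it externally (on-premise)`. Consider also a companion value wired to the Service's `loadBalancerSourceRanges`, so the exposure can be limited to known agent networks. The same comment is carried unchanged through patches 08 and 20.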
From b07c3f4b8813363515f8cecc6dcb2fa5296f8b0c Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 17:48:31 -0300
Subject: [PATCH 08/73] Update values.yaml
---
charts/orb/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 5162c80..fa6c890 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -341,7 +341,7 @@ envoy:
annotations: {}
nginx_internal:
- serviceType: ClusterIP # use LoadBalancer for on-premise solution
+ serviceType: "ClusterIP" # use LoadBalancer for on-premise solution
image:
pullPolicy: "IfNotPresent"
repository: "nginx"
From 6fc4f150e536131a929c270a22900a537a847e49 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 19 Jan 2024 17:48:51 -0300
Subject: [PATCH 09/73] Update nginx-internal.yaml
---
charts/orb/templates/nginx-internal.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/templates/nginx-internal.yaml b/charts/orb/templates/nginx-internal.yaml
index 0f9d81c..5f4ea7c 100644
--- a/charts/orb/templates/nginx-internal.yaml
+++ b/charts/orb/templates/nginx-internal.yaml
@@ -444,7 +444,7 @@ spec:
- port: 8883
protocol: TCP
name: mqtt
- type: {{ .Values.ingress.serviceType }}
+ type: {{ .Values.nginx_internal.serviceType }}
---
apiVersion: v1
From 8bd56553d8dbee2c67aef74edadf51553e5e32a6 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sat, 20 Jan 2024 13:08:27 -0300
Subject: [PATCH 10/73] Update .helmignore
---
charts/orb/.helmignore | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/orb/.helmignore b/charts/orb/.helmignore
index 50af031..ddc10d2 100644
--- a/charts/orb/.helmignore
+++ b/charts/orb/.helmignore
@@ -4,6 +4,7 @@
.DS_Store
# Common VCS dirs
.git/
+issuers/
.gitignore
.bzr/
.bzrignore
From 1e153cf20fcf6b8f9db1d00c68a610f6d52825a0 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 13:58:50 -0300
Subject: [PATCH 11/73] Update README.md
---
charts/orb/README.md | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/charts/orb/README.md b/charts/orb/README.md
index e082e4a..b60074f 100644
--- a/charts/orb/README.md
+++ b/charts/orb/README.md
@@ -25,10 +25,11 @@ helm repo update
helm dependency update
```
-* Create `orb` namespace
+* Create `orb` and `otelcollectors` namespace
```
kubectl create namespace orb
+kubectl create namespace otelcollectors
```
* Create JWT signing key secret
@@ -53,6 +54,13 @@ kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgr
kubectl create secret generic orb-user-service --from-literal=adminEmail=user@example.com --from-literal=adminPassword=12345678 -n orb
```
+* Install orb. Replace `orb` with your helm release name, also set your HOSTNAME as a valid domain to expose service properly, remember that should generate a certificate for that.
+Check the [optional variables](#optional-variables-to-set) for more options.
+
+```
+helm install --set ingress.hostname=HOSTNAME -n orb orb .
+```
+
On AWS EKS:
Once that you can update your ingress controller (AWS LoadBalancer) using helm, a good solution could be you open the MQTT port on the cluster loadbalancer and redirect it to orb-nginx-internal pod as below:
* Deploy [ingres-nginx helm](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) (to default namespace) with
@@ -89,12 +97,6 @@ helm install cert-manager jetstack/cert-manager --namespace cert-manager --creat
* edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
* `kubectl create -f issuers/production-issuer.yaml -n orb`
-* Install orb. Replace `my-orb` with your helm release name.
-Check the [optional variables](#optional-variables-to-set) for more options.
-
-```
-helm install --set ingress.hostname=HOSTNAME -n orb my-orb .
-```
### Optional variables to set
- **SMTP**
From 10f8b52622007ca37c3f0aa2ab137d97effe1907 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 14:26:21 -0300
Subject: [PATCH 12/73] Update values.yaml
---
charts/orb/values.yaml | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index fa6c890..2a65a64 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -199,12 +199,13 @@ postgresql-users:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
postgresql-fleet:
enabled: true # dependency install, disable if you want to use external services
name: postgresql-fleet
- image:
- tag: 13
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: fleet
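Review bot: Setting `helm.sh/hook: "pre-install, pre-upgrade"` through `commonAnnotations` turns the database objects into hooks, assuming the subchart applies `commonAnnotations` to every object as Bitnami charts do. Helm does not manage hook resources as part of the release, so `helm uninstall` leaves them behind. Re-running the hook on upgrade can also collide with objects that already exist unless a `helm.sh/hook-delete-policy` is set, and a delete policy is destructive for a database. If the aim is only to have PostgreSQL up before the services start, a readiness wait on the consumers is safer than hooks. This applies to every `commonAnnotations` hunk in this patch and to the keto one re-added in patch 23; the `postgresql-users` stanza starts above the hunk.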
@@ -213,12 +214,13 @@ postgresql-fleet:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
postgresql-policies:
enabled: true # dependency install, disable if you want to use external services
name: postgresql-policies
- image:
- tag: 13
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: policies
@@ -227,12 +229,13 @@ postgresql-policies:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
postgresql-sinks:
enabled: true # dependency install, disable if you want to use external services
name: postgresql-sinks
- image:
- tag: 13
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: sinks
@@ -241,6 +244,9 @@ postgresql-sinks:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
postgresql-things:
enabled: true # dependency install, disable if you want to use external services
@@ -253,6 +259,9 @@ postgresql-things:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
postgresql-auth:
enabled: true # dependency install, disable if you want to use external services
@@ -265,6 +274,9 @@ postgresql-auth:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
postgresql-keto:
enabled: true # dependency install, disable if you want to use external services
@@ -329,7 +341,7 @@ jaeger-operator:
jaeger:
create: true
rbac:
- pspEnabled: true
+ pspEnabled: false
clusterRole: true
envoy:
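Review bot: `pspEnabled` is flipped to `false` with no comment saying why or what replaces it. PodSecurityPolicy was removed in Kubernetes 1.25, so disabling it is needed on current clusters, but after this change nothing visible in the chart constrains the jaeger-operator pods. I would add `# PodSecurityPolicy was removed in Kubernetes 1.25; enforce pod security with Pod Security Admission namespace labels instead` above the line and mention the namespace labelling in the README.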
From a4f3ab63678349553fcd774bcdb8871385d2332f Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 14:52:58 -0300
Subject: [PATCH 13/73] Update values.yaml
---
charts/orb/values.yaml | 24 ------------------------
1 file changed, 24 deletions(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 2a65a64..c7446fd 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -199,9 +199,6 @@ postgresql-users:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
postgresql-fleet:
enabled: true # dependency install, disable if you want to use external services
@@ -214,9 +211,6 @@ postgresql-fleet:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
postgresql-policies:
enabled: true # dependency install, disable if you want to use external services
@@ -229,9 +223,6 @@ postgresql-policies:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
postgresql-sinks:
enabled: true # dependency install, disable if you want to use external services
@@ -244,9 +235,6 @@ postgresql-sinks:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
postgresql-things:
enabled: true # dependency install, disable if you want to use external services
@@ -259,9 +247,6 @@ postgresql-things:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
postgresql-auth:
enabled: true # dependency install, disable if you want to use external services
@@ -274,9 +259,6 @@ postgresql-auth:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
postgresql-keto:
enabled: true # dependency install, disable if you want to use external services
@@ -289,9 +271,6 @@ postgresql-keto:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
postgresql-maestro:
enabled: true # dependency install, disable if you want to use external services
@@ -304,9 +283,6 @@ postgresql-maestro:
cpu: 25m
persistence:
size: 1Gi
- commonAnnotations:
- helm.sh/hook: "pre-install, pre-upgrade"
- helm.sh/hook-weight: "-1"
redis-streams:
enabled: true # dependency install, disable if you want to use external services
From 03414c1fda72e53d5df2c31944863d7b0f63241b Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 15:48:36 -0300
Subject: [PATCH 14/73] Update statefulset.yaml
---
charts/orb/charts/postgresql/templates/statefulset.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/charts/postgresql/templates/statefulset.yaml b/charts/orb/charts/postgresql/templates/statefulset.yaml
index e004c21..228c59b 100644
--- a/charts/orb/charts/postgresql/templates/statefulset.yaml
+++ b/charts/orb/charts/postgresql/templates/statefulset.yaml
@@ -234,7 +234,7 @@ spec:
- name: POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
{{- else }}
- - name: POSTGRES_PASSWORD
+ - name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
From 04f17f89c42831b5e19ee7ee4f23f8d070391b52 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 15:49:49 -0300
Subject: [PATCH 15/73] Update statefulset.yaml
---
charts/orb/charts/postgresql/templates/statefulset.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/charts/postgresql/templates/statefulset.yaml b/charts/orb/charts/postgresql/templates/statefulset.yaml
index 228c59b..2fb951f 100644
--- a/charts/orb/charts/postgresql/templates/statefulset.yaml
+++ b/charts/orb/charts/postgresql/templates/statefulset.yaml
@@ -228,7 +228,7 @@ spec:
key: postgresql-postgres-password
{{- end }}
{{- end }}
- - name: POSTGRES_USER
+ - name: POSTGRESQL_USERNAME
value: {{ include "postgresql.username" . | quote }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_PASSWORD_FILE
From 5b80d45518ab5fb7ea7de4b56b7e9afcafc1310f Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 16:08:56 -0300
Subject: [PATCH 16/73] Update statefulset.yaml
---
charts/orb/charts/postgresql/templates/statefulset.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/orb/charts/postgresql/templates/statefulset.yaml b/charts/orb/charts/postgresql/templates/statefulset.yaml
index 2fb951f..bcc59a7 100644
--- a/charts/orb/charts/postgresql/templates/statefulset.yaml
+++ b/charts/orb/charts/postgresql/templates/statefulset.yaml
@@ -228,7 +228,7 @@ spec:
key: postgresql-postgres-password
{{- end }}
{{- end }}
- - name: POSTGRESQL_USERNAME
+ - name: POSTGRES_USER
value: {{ include "postgresql.username" . | quote }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_PASSWORD_FILE
@@ -241,7 +241,7 @@ spec:
key: postgresql-password
{{- end }}
{{- if (include "postgresql.database" .) }}
- - name: POSTGRES_DB
+ - name: POSTGRESQL_DATABASE
value: {{ (include "postgresql.database" .) | quote }}
{{- end }}
{{- if .Values.extraEnv }}
From c47965b00b04e953aebedefd5ddd1543291a37c7 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 16:34:55 -0300
Subject: [PATCH 17/73] Update values.yaml
---
charts/orb/charts/postgresql/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/charts/postgresql/values.yaml b/charts/orb/charts/postgresql/values.yaml
index ee1b059..5eac321 100644
--- a/charts/orb/charts/postgresql/values.yaml
+++ b/charts/orb/charts/postgresql/values.yaml
@@ -74,7 +74,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/postgresql
- tag: 14.9.0
+ tag: 14.10.0-debian-11-r24
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
From f7ae37c0e1c7418ac33962408724dc8b49230da1 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 17:41:32 -0300
Subject: [PATCH 18/73] Update README.md
---
charts/orb/README.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/charts/orb/README.md b/charts/orb/README.md
index b60074f..a408ede 100644
--- a/charts/orb/README.md
+++ b/charts/orb/README.md
@@ -97,6 +97,14 @@ helm install cert-manager jetstack/cert-manager --namespace cert-manager --creat
* edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
* `kubectl create -f issuers/production-issuer.yaml -n orb`
+## Known-bug:
+Sometimes on the first run, postgres can have a problem to seed your password. To fix this, you have to manually remove the persistent volume claim (PVC) which will free up the database storage.
+
+```
+kubectl delete pvc data-my-db-postgresql-0
+```
+(Or whatever the PVC associated with your initial Helm install was named.)
+After remove the pvc, you need to restart the respective pod.
### Optional variables to set
- **SMTP**
From 3f8f4209943e199043b3c144394a1138b9e82675 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 17:42:56 -0300
Subject: [PATCH 19/73] Update statefulset.yaml
---
charts/orb/charts/postgresql/templates/statefulset.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/orb/charts/postgresql/templates/statefulset.yaml b/charts/orb/charts/postgresql/templates/statefulset.yaml
index bcc59a7..e004c21 100644
--- a/charts/orb/charts/postgresql/templates/statefulset.yaml
+++ b/charts/orb/charts/postgresql/templates/statefulset.yaml
@@ -234,14 +234,14 @@ spec:
- name: POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
{{- else }}
- - name: POSTGRESQL_PASSWORD
+ - name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-password
{{- end }}
{{- if (include "postgresql.database" .) }}
- - name: POSTGRESQL_DATABASE
+ - name: POSTGRES_DB
value: {{ (include "postgresql.database" .) | quote }}
{{- end }}
{{- if .Values.extraEnv }}
From 2c8c4ab387fe0b34819b0287f18611d6aa388eae Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 17:48:00 -0300
Subject: [PATCH 20/73] Update values.yaml
---
charts/orb/values.yaml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index c7446fd..6c60aad 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -329,7 +329,9 @@ envoy:
annotations: {}
nginx_internal:
- serviceType: "ClusterIP" # use LoadBalancer for on-premise solution
+ service:
+ serviceType: "ClusterIP" # use LoadBalancer for on-premise solution
+ annotations: {} # use for external dns integration
image:
pullPolicy: "IfNotPresent"
repository: "nginx"
From a495c8b69453e030f8b1663b44da6747fe3a52a0 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 17:52:09 -0300
Subject: [PATCH 21/73] Update nginx-internal.yaml
---
charts/orb/templates/nginx-internal.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/charts/orb/templates/nginx-internal.yaml b/charts/orb/templates/nginx-internal.yaml
index 5f4ea7c..86768e5 100644
--- a/charts/orb/templates/nginx-internal.yaml
+++ b/charts/orb/templates/nginx-internal.yaml
@@ -436,6 +436,10 @@ apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-nginx-internal
+ annotations:
+ {{- with .Values.nginx_internal.service.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
spec:
selector:
app: {{ .Release.Name }}
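Review bot: `annotations:` is emitted unconditionally while its content sits inside `with`, so the default `annotations: {}` renders a bare `annotations:` key with a null value. Moving the key inside the guard avoids that: `{{- with .Values.nginx_internal.service.annotations }}`, then `annotations:`, then `{{- toYaml . | nindent 4 }}`. Check the `nindent` width against the real file, since indentation is lost on this page. These annotations land on the Service that can be switched to `LoadBalancer`, so a comment in values.yaml noting that cloud load-balancer annotations set here can decide whether MQTT is reachable from outside would help operators. The `metadata` block starts above the hunk.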
@@ -444,7 +448,7 @@ spec:
- port: 8883
protocol: TCP
name: mqtt
- type: {{ .Values.nginx_internal.serviceType }}
+ type: {{ .Values.nginx_internal.service.serviceType }}
---
apiVersion: v1
From bf283031d9805c5b4623789dc5994176e0434c59 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 17:54:52 -0300
Subject: [PATCH 22/73] Update values.yaml
---
charts/orb/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 6c60aad..674952a 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -27,10 +27,10 @@ smtp:
ingress:
ingressClassName: "nginx"
annotationsNginx: {} # set this for certificate
- # cert-manager.io/issuer: "letsencrypt-prod"
+ # cert-manager.io/clusterissuer: "letsencrypt-prod"
annotationsNginxRewrite: # set this for certificate
nginx.ingress.kubernetes.io/rewrite-target: /$1
- # cert-manager.io/issuer: "letsencrypt-prod"
+ # cert-manager.io/clusterissuer: "letsencrypt-prod"
hostname: ""
secret: "orb-tls"
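Review bot: The commented example now reads `cert-manager.io/clusterissuer`, but the annotation that cert-manager's ingress integration recognises is `cert-manager.io/cluster-issuer`, with a hyphen. An operator who uncomments the line as written gets no certificate request and no error, so the ingress keeps serving whatever is in the `orb-tls` secret or the controller's default certificate. Both comment lines should read `# cert-manager.io/cluster-issuer: "letsencrypt-prod"`.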
From 2959b24f433db235f4522dc6b1e7c95b00d7269f Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 18:02:13 -0300
Subject: [PATCH 23/73] Update values.yaml
---
charts/orb/values.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 674952a..ff7d9ad 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -271,6 +271,9 @@ postgresql-keto:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
postgresql-maestro:
enabled: true # dependency install, disable if you want to use external services
From b715a7881c9aa04698eaf3677bf199d2c0e9bc1d Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 19:12:16 -0300
Subject: [PATCH 24/73] Create certificate.yaml
---
charts/orb/issuers/certificate.yaml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 charts/orb/issuers/certificate.yaml
diff --git a/charts/orb/issuers/certificate.yaml b/charts/orb/issuers/certificate.yaml
new file mode 100644
index 0000000..f78a3f0
--- /dev/null
+++ b/charts/orb/issuers/certificate.yaml
@@ -0,0 +1,11 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: orb-tls
+ namespace: orb
+spec:
+ dnsNames:
+ - orb.example.com
+ secretName: orb-tls
+ issuerRef:
+ name: letsencrypt-prod
From e49601eaaa410f28a8b1ab07e45aae6a9db9baf9 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 19:24:02 -0300
Subject: [PATCH 25/73] Update certificate.yaml
---
charts/orb/issuers/certificate.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/charts/orb/issuers/certificate.yaml b/charts/orb/issuers/certificate.yaml
index f78a3f0..96c2356 100644
--- a/charts/orb/issuers/certificate.yaml
+++ b/charts/orb/issuers/certificate.yaml
@@ -5,7 +5,8 @@ metadata:
namespace: orb
spec:
dnsNames:
- - orb.example.com
+ - orb.dextro.io
secretName: orb-tls
issuerRef:
name: letsencrypt-prod
+ kind: ClusterIssuer
From 6167e101a35f0a980cf9e8721dab46f3a688357a Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 19:24:15 -0300
Subject: [PATCH 26/73] Update certificate.yaml
---
charts/orb/issuers/certificate.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/issuers/certificate.yaml b/charts/orb/issuers/certificate.yaml
index 96c2356..6c88ce6 100644
--- a/charts/orb/issuers/certificate.yaml
+++ b/charts/orb/issuers/certificate.yaml
@@ -5,7 +5,7 @@ metadata:
namespace: orb
spec:
dnsNames:
- - orb.dextro.io
+ - orb.example.com
secretName: orb-tls
issuerRef:
name: letsencrypt-prod
From 6b3ebc44f7b8fb7f6cc3d06b13918a262149a842 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Sun, 21 Jan 2024 19:57:38 -0300
Subject: [PATCH 27/73] Update README.md
---
charts/orb/README.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/charts/orb/README.md b/charts/orb/README.md
index a408ede..66f8fb8 100644
--- a/charts/orb/README.md
+++ b/charts/orb/README.md
@@ -97,6 +97,12 @@ helm install cert-manager jetstack/cert-manager --namespace cert-manager --creat
* edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
* `kubectl create -f issuers/production-issuer.yaml -n orb`
+To restart entire deployment:
+
+```
+kubectl rollout restart deployment -n orb
+```
+
## Known-bug:
Sometimes on the first run, postgres can have a problem to seed your password. To fix this, you have to manually remove the persistent volume claim (PVC) which will free up the database storage.
From 01fb5fae78342540c1f8a196ac896c3946657b68 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 09:52:27 -0300
Subject: [PATCH 28/73] Update values.yaml
---
charts/orb/charts/postgresql/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/charts/postgresql/values.yaml b/charts/orb/charts/postgresql/values.yaml
index 5eac321..ee1b059 100644
--- a/charts/orb/charts/postgresql/values.yaml
+++ b/charts/orb/charts/postgresql/values.yaml
@@ -74,7 +74,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/postgresql
- tag: 14.10.0-debian-11-r24
+ tag: 14.9.0
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
From 25caa0fa3d26863baea3055a70e237ad8ced2a18 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 10:47:12 -0300
Subject: [PATCH 29/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 96 ++++++++++++++++++++++++++++++-
1 file changed, 95 insertions(+), 1 deletion(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 7c2bc07..cda09da 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -1,6 +1,6 @@
# Copyright (c) Mainflux
# SPDX-License-Identifier: Apache-2.0
-
+{{- if eq .Values.ingress.ingressClassName "nginx" }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
@@ -33,7 +33,9 @@ spec:
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.secret }}
+{{- end }}
---
+{{- if eq .Values.ingress.ingressClassName "nginx" }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
@@ -122,3 +124,95 @@ spec:
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.secret }}
+{{- end }}
+---
+{{- if eq .Values.ingress.ingressClassName "traefik" }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+{{- if .Values.ingress.annotationsTraefik }}
+ annotations:
+{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
+{{- end }}
+ name: {{ .Release.Name }}-traefik-ingress
+spec:
+ entryPoints:
+ - web
+ - websecure
+ routes:
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-ui
+ port: {{ .Values.ui.port }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/version`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-fleet
+ port: {{ .Values.fleet.httpPort }}
+ tls:
+ - options:
+ name: default
+ namespaces:
+ - default
+ certResolver: default
+ domains:
+ - main: "{{ .Values.ingress.hostname }}"
+ sans: [{{ .Values.ingress.hostname }}]
+ options:
+ name: default
+ namespaces:
+ - default
+ certResolver: default
+{{- end }}
+---
+{{- if eq .Values.ingress.ingressClassName "traefik" }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+{{- if .Values.ingress.annotationsTraefikRewrite }}
+ annotations:
+{{ toYaml .Values.ingress.annotationsTraefikRewrite | indent 4 }}
+{{- end }}
+ name: {{ .Release.Name }}-traefik-rewrite-ingress
+spec:
+ entryPoints:
+ - web
+ - websecure
+ routes:
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/users`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-users
+ port: {{ .Values.users.httpPort }}
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/password`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-users
+ port: {{ .Values.users.httpPort }}
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/tokens`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-users
+ port: {{ .Values.users.httpPort }}
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/keys`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-auth
+ port: {{ default .Values.auth.httpPort }}
+ # Add the remaining path-based routing rules similarly
+ tls:
+ - options:
+ name: default
+ namespaces:
+ - default
+ certResolver: default
+ domains:
+ - main: "{{ .Values.ingress.hostname }}"
+ sans: [{{ .Values.ingress.hostname }}]
+ options:
+ name: default
+ namespaces:
+ - default
+ certResolver: default
+{{- end }}
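Review bot: The `tls:` block of both new IngressRoute documents opens with a list item (`- options:`) and then repeats `options` and `certResolver` as sibling keys, whereas Traefik's IngressRoute defines `spec.tls` as a single mapping whose `options` reference takes `namespace`, not `namespaces`. Indentation is lost on this page, so the exact nesting cannot be confirmed, but as written the TLS settings look likely to be rejected or dropped, and these routes carry `/api/v1/tokens` and `/api/v1/password`. The block also ignores `.Values.ingress.secret`, which the nginx Ingress above uses, so the cert-manager certificate goes unused in Traefik mode and TLS depends on a resolver named `default` existing. A single-mapping form is sketched below; check it against the CRD version you deploy. Note too that any `ingressClassName` other than `nginx` or `traefik` now renders no ingress at all.

```yaml
  # … unchanged: entryPoints and routes …
  tls:
    certResolver: default
    options:
      name: default
      namespace: default
    domains:
      - main: {{ .Values.ingress.hostname | quote }}
        sans:
          - {{ .Values.ingress.hostname | quote }}
```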
From 77e5406b8bc7567406618bf3ca30eee2a455a29e Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 10:55:19 -0300
Subject: [PATCH 30/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index cda09da..4174478 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -200,7 +200,36 @@ spec:
services:
- name: {{ .Release.Name }}-auth
port: {{ default .Values.auth.httpPort }}
- # Add the remaining path-based routing rules similarly
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agents`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-fleet
+ port: {{ default .Values.fleet.httpPort }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agent_groups`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-fleet
+ port: {{ default .Values.fleet.httpPort }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/sinks`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-sinks
+ port: {{ default .Values.sinks.httpPort }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-sinks
+ port: {{ default .Values.sinks.httpPort }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-sinks
+ port: {{ default .Values.sinks.httpPort }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/policies`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-policies
+ port: {{ default .Values.policies.httpPort }}
tls:
- options:
name: default
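Review bot: Each added `port:` line calls `default` with a single argument (`{{ default .Values.fleet.httpPort }}`, and the same for `sinks` and `policies`), which supplies no fallback and just returns the value, so an unset port still renders as an empty `port:`. Write `port: {{ .Values.fleet.httpPort }}` as the users routes earlier in this template do, or fail early with `port: {{ required "fleet.httpPort is required" .Values.fleet.httpPort }}`. The route list starts above this hunk, and the `auth` line in the leading context has the same form.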
From bbb46060d19424dc842883d3aa4e691ab3ea8739 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 10:58:42 -0300
Subject: [PATCH 31/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 4174478..319dcfe 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -200,32 +200,32 @@ spec:
services:
- name: {{ .Release.Name }}-auth
port: {{ default .Values.auth.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agents`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agents`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agent_groups`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agent_groups`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/sinks`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/policies`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/policies`)
kind: Rule
services:
- name: {{ .Release.Name }}-policies
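Review bot: Dropping `required` from all six `match:` lines lets the chart render with `ingress.hostname` unset, producing a Host matcher with an empty name instead of a template-time error. How Traefik treats such a rule is not something the chart should depend on for routes that front the API. Validate once near the top of the traefik block, `{{- $host := required "an ingress.hostname is required!" .Values.ingress.hostname }}`, and use `$host` in every rule; that keeps the lines short without losing the check. The start of the block is outside this hunk.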
From 57dda2efe018a1361d4e0e79c09280ad55bd6892 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 11:05:01 -0300
Subject: [PATCH 32/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 319dcfe..68da61b 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -33,8 +33,8 @@ spec:
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.secret }}
-{{- end }}
---
+{{- end }}
{{- if eq .Values.ingress.ingressClassName "nginx" }}
apiVersion: networking.k8s.io/v1
kind: Ingress
@@ -124,8 +124,8 @@ spec:
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.secret }}
-{{- end }}
---
+{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
@@ -164,8 +164,8 @@ spec:
namespaces:
- default
certResolver: default
-{{- end }}
---
+{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
@@ -244,4 +244,5 @@ spec:
namespaces:
- default
certResolver: default
+---
{{- end }}
From f17075701fb13b616ede568cee52a76201fbd66f Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 11:17:07 -0300
Subject: [PATCH 33/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 43 +++++++++++++++----------------
1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 68da61b..3be4b76 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -124,16 +124,16 @@ spec:
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.secret }}
----
{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
+---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
-{{- if .Values.ingress.annotationsTraefik }}
+ {{- if .Values.ingress.annotationsTraefik }}
annotations:
-{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
-{{- end }}
+ {{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
+ {{- end }}
name: {{ .Release.Name }}-traefik-ingress
spec:
entryPoints:
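Review bot: The re-indented `{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}` line now has leading spaces in front of an action that already indents by four, so the first annotation is rendered deeper than the ones after it and a map with more than one key will likely fail to parse. Use `{{- toYaml .Values.ingress.annotationsTraefik | nindent 4 }}` so the template's own indentation is trimmed and every line gets exactly four spaces. The same applies to the `annotationsTraefikRewrite` line in the next hunk. The exact columns are not recoverable from this page, so confirm with `helm template` and a two-key annotations map.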
@@ -151,29 +151,29 @@ spec:
- name: {{ .Release.Name }}-fleet
port: {{ .Values.fleet.httpPort }}
tls:
- - options:
+ - options:
name: default
- namespaces:
- - default
+ namespaces:
+ - default
certResolver: default
domains:
- main: "{{ .Values.ingress.hostname }}"
sans: [{{ .Values.ingress.hostname }}]
- options:
+ options:
name: default
- namespaces:
- - default
+ namespaces:
+ - default
certResolver: default
----
{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
+---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
-{{- if .Values.ingress.annotationsTraefikRewrite }}
+ {{- if .Values.ingress.annotationsTraefikRewrite }}
annotations:
-{{ toYaml .Values.ingress.annotationsTraefikRewrite | indent 4 }}
-{{- end }}
+ {{ toYaml .Values.ingress.annotationsTraefikRewrite | indent 4 }}
+ {{- end }}
name: {{ .Release.Name }}-traefik-rewrite-ingress
spec:
entryPoints:
@@ -229,20 +229,19 @@ spec:
kind: Rule
services:
- name: {{ .Release.Name }}-policies
- port: {{ default .Values.policies.httpPort }}
+ port: {{ default .Values.policies.httpPort }}
tls:
- - options:
+ - options:
name: default
- namespaces:
- - default
+ namespaces:
+ - default
certResolver: default
domains:
- main: "{{ .Values.ingress.hostname }}"
sans: [{{ .Values.ingress.hostname }}]
- options:
+ options:
name: default
- namespaces:
- - default
+ namespaces:
+ - default
certResolver: default
----
{{- end }}
From 66a1c495216bec2611b6caf9f118696cc372e5f5 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 11:26:56 -0300
Subject: [PATCH 34/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 28 ++--------------------------
1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 3be4b76..f171dc1 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -151,19 +151,7 @@ spec:
- name: {{ .Release.Name }}-fleet
port: {{ .Values.fleet.httpPort }}
tls:
- - options:
- name: default
- namespaces:
- - default
- certResolver: default
- domains:
- - main: "{{ .Values.ingress.hostname }}"
- sans: [{{ .Values.ingress.hostname }}]
- options:
- name: default
- namespaces:
- - default
- certResolver: default
+ secretName: {{ .Values.ingress.secret }}
{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
---
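Review bot: `secretName: {{ .Values.ingress.secret }}` is rendered unquoted and unchecked here and at the end of the second hunk, so an unset `ingress.secret` yields a `tls:` block with a null secret name. As far as I know Traefik then still terminates TLS but falls back to its default certificate, which clients will not trust and which is easy to miss after a deploy. Consider `secretName: {{ required "ingress.secret is required for the traefik IngressRoute" .Values.ingress.secret | quote }}`. Because the removed block also carried the `certResolver`, the values comment should say that the secret must exist before install.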
@@ -231,17 +219,5 @@ spec:
- name: {{ .Release.Name }}-policies
port: {{ default .Values.policies.httpPort }}
tls:
- - options:
- name: default
- namespaces:
- - default
- certResolver: default
- domains:
- - main: "{{ .Values.ingress.hostname }}"
- sans: [{{ .Values.ingress.hostname }}]
- options:
- name: default
- namespaces:
- - default
- certResolver: default
+ secretName: {{ .Values.ingress.secret }}
{{- end }}
From 8885341c00e25b13b6be1b7dfc308a85fe8a4fd2 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 11:36:32 -0300
Subject: [PATCH 35/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index f171dc1..3a1a325 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -135,6 +135,7 @@ metadata:
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
name: {{ .Release.Name }}-traefik-ingress
+ namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
@@ -163,6 +164,7 @@ metadata:
{{ toYaml .Values.ingress.annotationsTraefikRewrite | indent 4 }}
{{- end }}
name: {{ .Release.Name }}-traefik-rewrite-ingress
+ namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
From 9f17cc9f6d5db341fe5d50ba066350220f714f7c Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 11:59:29 -0300
Subject: [PATCH 36/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 3a1a325..04dcfba 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -127,7 +127,7 @@ spec:
{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
{{- if .Values.ingress.annotationsTraefik }}
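Review bot: Hard-coding `apiVersion: traefik.io/v1alpha1` here and in the second hunk makes the chart fail to install on clusters whose Traefik CRDs only provide the older `traefik.containo.us` group (the `traefik.io` group arrived with Traefik v2.10, if I recall correctly). Either state the minimum Traefik version in the chart README, or select the group with `.Capabilities.APIVersions.Has "traefik.io/v1alpha1"` and fall back to the old one. Both IngressRoute bodies continue outside these hunks.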
@@ -156,7 +156,7 @@ spec:
{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
{{- if .Values.ingress.annotationsTraefikRewrite }}
From 1e82e46fdd5693ec2ee06d2678ddd797557168b7 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 13:01:26 -0300
Subject: [PATCH 37/73] Create production-issuer-traefik.yaml
---
.../issuers/production-issuer-traefik.yaml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 charts/orb/issuers/production-issuer-traefik.yaml
diff --git a/charts/orb/issuers/production-issuer-traefik.yaml b/charts/orb/issuers/production-issuer-traefik.yaml
new file mode 100644
index 0000000..d7ce2a1
--- /dev/null
+++ b/charts/orb/issuers/production-issuer-traefik.yaml
@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: user@example.com
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
+ ingressTemplate:
+ metadata:
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: "web"
+ traefik.ingress.kubernetes.io/router.tls: "false"
+ traefik.ingress.kubernetes.io/router.priority: "42"
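Review bot: `email: user@example.com` is a placeholder in a file named for production, so applying it as committed registers the ACME account with a contact nobody reads, and the server may refuse an example.com address outright. Add a comment above it such as `# Replace with a monitored mailbox before applying; this is the ACME account contact`. The Issuer also has no `metadata.namespace`, so it lands in whatever namespace `kubectl apply` targets; a one-line comment that it must be the namespace holding the Certificate would prevent a silent mismatch.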
From ee7476923faeeda064a3d72aa9802c72be773c94 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Mon, 22 Jan 2024 13:01:56 -0300
Subject: [PATCH 38/73] Rename production-issuer-tpt.yaml to
production-issuer-nginx.yaml
---
.../{production-issuer-tpt.yaml => production-issuer-nginx.yaml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename charts/orb/issuers/{production-issuer-tpt.yaml => production-issuer-nginx.yaml} (100%)
diff --git a/charts/orb/issuers/production-issuer-tpt.yaml b/charts/orb/issuers/production-issuer-nginx.yaml
similarity index 100%
rename from charts/orb/issuers/production-issuer-tpt.yaml
rename to charts/orb/issuers/production-issuer-nginx.yaml
From 6b0c91761bceac4c39d9fd6011f05abf525b8e89 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Wed, 31 Jan 2024 21:03:01 -0300
Subject: [PATCH 39/73] update traefik ingress
---
charts/orb/templates/ingress.yaml | 41 +++++++++----------------------
1 file changed, 11 insertions(+), 30 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 04dcfba..bcbea7f 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -136,35 +136,6 @@ metadata:
{{- end }}
name: {{ .Release.Name }}-traefik-ingress
namespace: {{ .Release.Namespace }}
-spec:
- entryPoints:
- - web
- - websecure
- routes:
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
- kind: Rule
- services:
- - name: {{ .Release.Name }}-ui
- port: {{ .Values.ui.port }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/version`)
- kind: Rule
- services:
- - name: {{ .Release.Name }}-fleet
- port: {{ .Values.fleet.httpPort }}
- tls:
- secretName: {{ .Values.ingress.secret }}
-{{- end }}
-{{- if eq .Values.ingress.ingressClassName "traefik" }}
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- {{- if .Values.ingress.annotationsTraefikRewrite }}
- annotations:
- {{ toYaml .Values.ingress.annotationsTraefikRewrite | indent 4 }}
- {{- end }}
- name: {{ .Release.Name }}-traefik-rewrite-ingress
- namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
@@ -219,7 +190,17 @@ spec:
kind: Rule
services:
- name: {{ .Release.Name }}-policies
- port: {{ default .Values.policies.httpPort }}
+ port: {{ default .Values.policies.httpPort }}
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-fleet
+ port: {{ .Values.fleet.httpPort }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-ui
+ port: {{ .Values.ui.port }}
tls:
secretName: {{ .Values.ingress.secret }}
{{- end }}
From 0326901b04189c9823b333a22cdc595d94d48403 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 02:10:19 -0300
Subject: [PATCH 40/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index bcbea7f..dc2d4a8 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -128,6 +128,16 @@ spec:
{{- if eq .Values.ingress.ingressClassName "traefik" }}
---
apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: orb-stripprefix
+ namespace: {{ .Release.Namespace }}
+spec:
+ stripPrefix:
+ prefixes:
+ - /api/v1
+---
+apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
{{- if .Values.ingress.annotationsTraefik }}
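Review bot: The new Middleware is named `orb-stripprefix` literally, while the other objects in this template are prefixed with `{{ .Release.Name }}`, so two releases in one namespace would fight over the same object. `name: {{ .Release.Name }}-stripprefix` avoids that, with any later reference changed to match. Nothing in this commit references the middleware yet, so as committed it has no effect on routing.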
@@ -141,52 +151,52 @@ spec:
- web
- websecure
routes:
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/users`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/users`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/password`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/password`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/tokens`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/tokens`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/keys`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/keys`)
kind: Rule
services:
- name: {{ .Release.Name }}-auth
port: {{ default .Values.auth.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agents`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/agents`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agent_groups`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/agent_groups`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/sinks`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/features/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/features/authenticationtypes`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/policies`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/policies`)
kind: Rule
services:
- name: {{ .Release.Name }}-policies
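Review bot: Shortening all ten matchers from `/api/v1/...` to the bare resource path changes which requests match rather than what the backend receives: Traefik evaluates the rule against the incoming path before any middleware runs, so `/api/v1/users` no longer matches these routes while bare `/users`, `/tokens`, `/keys` and the rest now do. Keep the full `/api/v1/...` path in each rule and attach the strip-prefix middleware per route with a `middlewares:` list containing `- name: orb-stripprefix`. Whether the backends expect the prefix removed cannot be told from this hunk, and the route list continues past its last line.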
From c0acb190ed99d040d45374d2c80bce63b385be9e Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 02:18:39 -0300
Subject: [PATCH 41/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 59 +++++++++++++++++++++++++------
1 file changed, 48 insertions(+), 11 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index dc2d4a8..5a3a5f5 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -136,15 +136,17 @@ spec:
stripPrefix:
prefixes:
- /api/v1
+ - /api/v1/features
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
{{- if .Values.ingress.annotationsTraefik }}
annotations:
+ traefik.ingress.kubernetes.io/router.middlewares: orb-stripprefix@kubernetescrd
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
- name: {{ .Release.Name }}-traefik-ingress
+ name: {{ .Release.Name }}-traefik-api-ingress
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
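Review bot: The added `traefik.ingress.kubernetes.io/router.middlewares` annotation is unlikely to attach anything: as far as I know Traefik reads it on Kubernetes `Ingress` objects rather than on `IngressRoute` CRDs, and the CRD provider reference format is `<namespace>-<name>@kubernetescrd`, which `orb-stripprefix@kubernetescrd` lacks. It also sits inside the `if .Values.ingress.annotationsTraefik` guard, so it disappears whenever no user annotations are set. Reference the middleware under each route with `middlewares:` instead. Separately, StripPrefix appears to remove the first listed prefix that matches, so `/api/v1/features` placed after `/api/v1` should never take effect; list the longer prefix first if both are wanted.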
@@ -186,21 +188,28 @@ spec:
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/features/sinks`)
- kind: Rule
- services:
- - name: {{ .Release.Name }}-sinks
- port: {{ default .Values.sinks.httpPort }}
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/features/authenticationtypes`)
- kind: Rule
- services:
- - name: {{ .Release.Name }}-sinks
- port: {{ default .Values.sinks.httpPort }}
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/policies`)
kind: Rule
services:
- name: {{ .Release.Name }}-policies
port: {{ default .Values.policies.httpPort }}
+ tls:
+ secretName: {{ .Values.ingress.secret }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ {{- if .Values.ingress.annotationsTraefik }}
+ annotations:
+ {{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
+ {{- end }}
+ name: {{ .Release.Name }}-traefik-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ entryPoints:
+ - web
+ - websecure
+ routes:
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
kind: Rule
services:
@@ -213,4 +222,32 @@ spec:
port: {{ .Values.ui.port }}
tls:
secretName: {{ .Values.ingress.secret }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ {{- if .Values.ingress.annotationsTraefik }}
+ annotations:
+ traefik.ingress.kubernetes.io/router.middlewares: orb-stripprefix@kubernetescrd
+ {{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
+ {{- end }}
+ name: {{ .Release.Name }}-traefik-feature-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ entryPoints:
+ - web
+ - websecure
+ routes:
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/sinks`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-sinks
+ port: {{ default .Values.sinks.httpPort }}
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/authenticationtypes`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-sinks
+ port: {{ default .Values.sinks.httpPort }}
+ tls:
+ secretName: {{ .Values.ingress.secret }}
{{- end }}
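Review bot: The new `-traefik-feature-ingress` matches a `PathPrefix` of `/sinks`, which appears to be the same rule the api IngressRoute already has for the sinks service (its `services:` lines are the context at the top of the previous hunk), so two routers would carry an identical rule and the feature route cannot be told apart from the plain one. If the public paths are `/api/v1/features/sinks` and `/api/v1/features/authenticationtypes`, the rules should spell those out in full so each router has a distinct matcher. This is inferred from the visible context, since the api route's `match:` line is outside the hunk.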
From 940fd73c0b1bc22efff4fd3982a8cbc6b46329b0 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 02:30:08 -0300
Subject: [PATCH 42/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 5a3a5f5..70568a4 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -141,9 +141,9 @@ spec:
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
- {{- if .Values.ingress.annotationsTraefik }}
annotations:
traefik.ingress.kubernetes.io/router.middlewares: orb-stripprefix@kubernetescrd
+ {{- if .Values.ingress.annotationsTraefik }}
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
name: {{ .Release.Name }}-traefik-api-ingress
@@ -226,9 +226,9 @@ spec:
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
- {{- if .Values.ingress.annotationsTraefik }}
annotations:
traefik.ingress.kubernetes.io/router.middlewares: orb-stripprefix@kubernetescrd
+ {{- if .Values.ingress.annotationsTraefik }}
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
name: {{ .Release.Name }}-traefik-feature-ingress
From c77a07641a69ed6c849e525ca65d74c1986d3162 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 12:10:52 -0300
Subject: [PATCH 43/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 34 +++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 70568a4..2682fcf 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -136,13 +136,20 @@ spec:
stripPrefix:
prefixes:
- /api/v1
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: orb-sinks-stripprefix
+ namespace: {{ .Release.Namespace }}
+spec:
+ stripPrefix:
+ prefixes:
- /api/v1/features
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
annotations:
- traefik.ingress.kubernetes.io/router.middlewares: orb-stripprefix@kubernetescrd
{{- if .Values.ingress.annotationsTraefik }}
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
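Review bot: The second Middleware is inserted directly after `- /api/v1` with no `---` before its `apiVersion:`, so both Middleware definitions land in one YAML document with duplicate `apiVersion`, `kind`, `metadata` and `spec` keys. Depending on the parser that is either a render error or a silent last-key-wins that drops `orb-stripprefix`, which every route in the next hunk references. Add a `---` line between `- /api/v1` and the new `apiVersion: traefik.io/v1alpha1`. Removing the static annotation also leaves `annotations:` without children when `ingress.annotationsTraefik` is unset; moving `annotations:` back inside the `if` keeps the rendered metadata clean.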
@@ -158,41 +165,57 @@ spec:
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/password`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/tokens`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/keys`)
kind: Rule
services:
- name: {{ .Release.Name }}-auth
port: {{ default .Values.auth.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/agents`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/agent_groups`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/policies`)
kind: Rule
services:
- name: {{ .Release.Name }}-policies
port: {{ default .Values.policies.httpPort }}
+ middlewares:
+ - name: orb-stripprefix
tls:
secretName: {{ .Values.ingress.secret }}
---
@@ -210,12 +233,12 @@ spec:
- web
- websecure
routes:
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && Path(`/version`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ .Values.fleet.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && Path(`/`)
kind: Rule
services:
- name: {{ .Release.Name }}-ui
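Review bot: Changing the UI route to `Path` on `/` makes it an exact match, so only the root document is routed to the `-ui` service and any other UI path (assets, client-side routes) would no longer match a router in this IngressRoute. Unless another route covers them, keep `PathPrefix` for the catch-all and use `Path` only for `/version`. The remaining routes are outside this hunk, so this is inferred from the two rules shown.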
@@ -227,7 +250,6 @@ apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
annotations:
- traefik.ingress.kubernetes.io/router.middlewares: orb-stripprefix@kubernetescrd
{{- if .Values.ingress.annotationsTraefik }}
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
@@ -243,11 +265,15 @@ spec:
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
+ middlewares:
+ - name: orb-sinks-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/authenticationtypes`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
+ middlewares:
+ - name: orb-sinks-stripprefix
tls:
secretName: {{ .Values.ingress.secret }}
{{- end }}
From 32b3271aa9d8f2c8d386d55cd40a4d2dae1cfe52 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 12:19:42 -0300
Subject: [PATCH 44/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 2682fcf..4bf3d3f 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -160,56 +160,56 @@ spec:
- web
- websecure
routes:
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/users`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/users`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
middlewares:
- name: orb-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/password`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/password`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
middlewares:
- name: orb-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/tokens`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/tokens`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
middlewares:
- name: orb-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/keys`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/keys`)
kind: Rule
services:
- name: {{ .Release.Name }}-auth
port: {{ default .Values.auth.httpPort }}
middlewares:
- name: orb-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/agents`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agents`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
middlewares:
- name: orb-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/agent_groups`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agent_groups`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
middlewares:
- name: orb-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/sinks`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
middlewares:
- name: orb-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/policies`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/policies`)
kind: Rule
services:
- name: {{ .Release.Name }}-policies
@@ -233,12 +233,12 @@ spec:
- web
- websecure
routes:
- - match: Host(`{{ .Values.ingress.hostname }}`) && Path(`/version`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ .Values.fleet.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && Path(`/`)
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
kind: Rule
services:
- name: {{ .Release.Name }}-ui
@@ -260,14 +260,14 @@ spec:
- web
- websecure
routes:
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/sinks`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
middlewares:
- name: orb-sinks-stripprefix
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/authenticationtypes`)
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
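Review bot: With the full `/api/v1/features/...` matchers restored, `orb-sinks-stripprefix` (which strips `/api/v1/features`) forwards `/api/v1/features/sinks` to the sinks service as `/sinks`, the same backend path that `/api/v1/sinks` yields through `orb-stripprefix` in the first hunk. Unless the sinks service really serves both endpoints at `/sinks`, the feature routes should use `- name: orb-stripprefix` so the backend receives `/features/sinks` and `/features/authenticationtypes`. The middleware definitions are outside this hunk, so the prefixes are taken from the earlier patch in this series.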
From 6d425d49ddac22b71c16b1b3673413c6c53801bb Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 12:40:03 -0300
Subject: [PATCH 45/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 4bf3d3f..7697095 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -136,6 +136,7 @@ spec:
stripPrefix:
prefixes:
- /api/v1
+---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
From 4f178537f7b4d02a67c1b80b84f33d99062092ce Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 12:41:48 -0300
Subject: [PATCH 46/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 7697095..ab480f8 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -267,14 +267,14 @@ spec:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
middlewares:
- - name: orb-sinks-stripprefix
+ - name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
middlewares:
- - name: orb-sinks-stripprefix
+ - name: orb-stripprefix
tls:
secretName: {{ .Values.ingress.secret }}
{{- end }}
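Review bot: Swapping `orb-sinks-stripprefix` for `orb-stripprefix` on both sinks routes changes the path the sinks service receives. The middleware deleted in PATCH 47 stripped `/api/v1/features`, so `/api/v1/features/sinks` reached the backend as `/sinks`. If `orb-stripprefix` is the middleware that strips only `/api/v1` (its name is not visible in these hunks), the backend will now see `/features/sinks` and `/features/authenticationtypes`. Please confirm this against the sinks service's router and add a comment above the two routes stating which path the backend expects.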
From c9b850342ee853a46a690afbb8bd5a5658f39235 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 12:42:12 -0300
Subject: [PATCH 47/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index ab480f8..5f6fb5a 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -138,16 +138,6 @@ spec:
- /api/v1
---
apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: orb-sinks-stripprefix
- namespace: {{ .Release.Namespace }}
-spec:
- stripPrefix:
- prefixes:
- - /api/v1/features
----
-apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
annotations:
From add6e448d9b2dfa1fb09e24d4591d381899f5e57 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 12:50:21 -0300
Subject: [PATCH 48/73] Update ingress.yaml
---
charts/orb/templates/ingress.yaml | 56 ++++++-------------------------
1 file changed, 11 insertions(+), 45 deletions(-)
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
index 5f6fb5a..cedefd0 100644
--- a/charts/orb/templates/ingress.yaml
+++ b/charts/orb/templates/ingress.yaml
@@ -144,7 +144,7 @@ metadata:
{{- if .Values.ingress.annotationsTraefik }}
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
- name: {{ .Release.Name }}-traefik-api-ingress
+ name: {{ .Release.Name }}-traefik-ingress
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
@@ -207,50 +207,6 @@ spec:
port: {{ default .Values.policies.httpPort }}
middlewares:
- name: orb-stripprefix
- tls:
- secretName: {{ .Values.ingress.secret }}
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- {{- if .Values.ingress.annotationsTraefik }}
- annotations:
- {{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
- {{- end }}
- name: {{ .Release.Name }}-traefik-ingress
- namespace: {{ .Release.Namespace }}
-spec:
- entryPoints:
- - web
- - websecure
- routes:
- - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
- kind: Rule
- services:
- - name: {{ .Release.Name }}-fleet
- port: {{ .Values.fleet.httpPort }}
- - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
- kind: Rule
- services:
- - name: {{ .Release.Name }}-ui
- port: {{ .Values.ui.port }}
- tls:
- secretName: {{ .Values.ingress.secret }}
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- annotations:
- {{- if .Values.ingress.annotationsTraefik }}
- {{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
- {{- end }}
- name: {{ .Release.Name }}-traefik-feature-ingress
- namespace: {{ .Release.Namespace }}
-spec:
- entryPoints:
- - web
- - websecure
- routes:
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
kind: Rule
services:
@@ -265,6 +221,16 @@ spec:
port: {{ default .Values.sinks.httpPort }}
middlewares:
- name: orb-stripprefix
+ - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-fleet
+ port: {{ .Values.fleet.httpPort }}
+ - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
+ kind: Rule
+ services:
+ - name: {{ .Release.Name }}-ui
+ port: {{ .Values.ui.port }}
tls:
secretName: {{ .Values.ingress.secret }}
{{- end }}
From 0a1bbff1a3a61b013e3f46d3915323dab377d0c9 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 13:26:28 -0300
Subject: [PATCH 49/73] Update values.yaml
---
charts/orb/values.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index ff7d9ad..741fed2 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -286,6 +286,9 @@ postgresql-maestro:
cpu: 25m
persistence:
size: 1Gi
+ commonAnnotations:
+ helm.sh/hook: "pre-install, pre-upgrade"
+ helm.sh/hook-weight: "-1"
redis-streams:
enabled: true # dependency install, disable if you want to use external services
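Review bot: Putting `helm.sh/hook` into `commonAnnotations` turns every object that the postgresql-maestro subchart stamps with those annotations into a hook instead of a release resource. Helm does not manage hook resources with the release: with no `helm.sh/hook-delete-policy` set, the default is to delete the previous object before the hook is created again, so an upgrade would tear down and recreate the database workload. `helm uninstall` would also leave these objects behind, including the credentials Secret if it carries the annotation. If the goal is only to have this database up before the other pods start, a wait in the consumers is safer; at the least, add a comment above `commonAnnotations` saying why the hook is needed.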
From 5171b5e0434dd24f035695fdd35715b9bf12b515 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 17:31:03 -0300
Subject: [PATCH 50/73] Update values.yaml
---
charts/orb/charts/postgresql/values.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/orb/charts/postgresql/values.yaml b/charts/orb/charts/postgresql/values.yaml
index ee1b059..db10659 100644
--- a/charts/orb/charts/postgresql/values.yaml
+++ b/charts/orb/charts/postgresql/values.yaml
@@ -745,7 +745,7 @@ networkPolicy:
##
startupProbe:
enabled: false
- initialDelaySeconds: 30
+ initialDelaySeconds: 200
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 10
@@ -761,7 +761,7 @@ startupProbe:
##
livenessProbe:
enabled: true
- initialDelaySeconds: 30
+ initialDelaySeconds: 200
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
@@ -777,7 +777,7 @@ livenessProbe:
##
readinessProbe:
enabled: true
- initialDelaySeconds: 5
+ initialDelaySeconds: 200
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
From 6b30f4671b4db8337f892f09926bd96972aafa8e Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 17:32:46 -0300
Subject: [PATCH 51/73] Update values.yaml
---
charts/orb/charts/postgresql/values.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/orb/charts/postgresql/values.yaml b/charts/orb/charts/postgresql/values.yaml
index db10659..ee1b059 100644
--- a/charts/orb/charts/postgresql/values.yaml
+++ b/charts/orb/charts/postgresql/values.yaml
@@ -745,7 +745,7 @@ networkPolicy:
##
startupProbe:
enabled: false
- initialDelaySeconds: 200
+ initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 10
@@ -761,7 +761,7 @@ startupProbe:
##
livenessProbe:
enabled: true
- initialDelaySeconds: 200
+ initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
@@ -777,7 +777,7 @@ livenessProbe:
##
readinessProbe:
enabled: true
- initialDelaySeconds: 200
+ initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
From 11eeeba9314a5e202c1465bd73558bc784b4dcef Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 17:34:49 -0300
Subject: [PATCH 52/73] Update values.yaml
---
charts/orb/values.yaml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 741fed2..400da87 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -194,6 +194,10 @@ postgresql-users:
postgresqlUsername: postgres
postgresqlPassword: mainflux
postgresqlDatabase: users
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
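Review bot: A 200 second `initialDelaySeconds` on the readiness probe keeps each database out of its Service for more than three minutes after every pod start, even when PostgreSQL is up within seconds, and the same delay on the liveness probe postpones the restart of a hung instance. The bundled postgresql values already define a `startupProbe` block (disabled, as PATCH 50's context shows), which is the mechanism meant for slow first starts; setting `startupProbe.enabled: true` with a suitable `failureThreshold` would leave the readiness and liveness defaults untouched. The same four lines are repeated in the seven following hunks (fleet, policies, sinks, things, auth, keto, maestro), so the remark applies to all of them.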
@@ -206,6 +210,10 @@ postgresql-fleet:
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: fleet
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
@@ -218,6 +226,10 @@ postgresql-policies:
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: policies
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
@@ -230,6 +242,10 @@ postgresql-sinks:
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: sinks
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
@@ -242,6 +258,10 @@ postgresql-things:
postgresqlUsername: postgres
postgresqlPassword: mainflux
postgresqlDatabase: things
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
@@ -254,6 +274,10 @@ postgresql-auth:
postgresqlUsername: postgres
postgresqlPassword: mainflux
postgresqlDatabase: auth
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
@@ -266,6 +290,10 @@ postgresql-keto:
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: keto
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
@@ -281,6 +309,10 @@ postgresql-maestro:
postgresqlUsername: postgres
postgresqlPassword: orb
postgresqlDatabase: maestro
+ livenessProbe:
+ initialDelaySeconds: 200
+ readinessProbe:
+ initialDelaySeconds: 200
resources:
requests:
cpu: 25m
From 959906b5d6191868c1dad84276ff96558085693c Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 18:44:08 -0300
Subject: [PATCH 53/73] Update values.yaml
---
charts/orb/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 400da87..8dbc1ae 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -186,7 +186,7 @@ nats:
clusterAuth:
enabled: false
maxPayload: 67108864
- replicaCount: 3
+ replicaCount: 1
postgresql-users:
enabled: true # dependency install, disable if you want to use external services
From 462fc426168be80f7c6c401573e5d8587622dc02 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 19:36:43 -0300
Subject: [PATCH 54/73] Update README.md
---
charts/orb/README.md | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/charts/orb/README.md b/charts/orb/README.md
index 66f8fb8..6d94e6b 100644
--- a/charts/orb/README.md
+++ b/charts/orb/README.md
@@ -93,9 +93,23 @@ helm install cert-manager jetstack/cert-manager --namespace cert-manager --creat
```
* Create Issuer CRDs (in the `orb` namespace!)
- * `cp issuers/production-issuer-tpt.yaml issuers/production-issuer.yaml`
- * edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
- * `kubectl create -f issuers/production-issuer.yaml -n orb`
+
+If you are using nginx as ingress controller:
+```
+cp issuers/production-issuer-nginx.yaml issuers/production-issuer.yaml
+```
+If you are using traefik as ingress controller:
+```
+cp issuers/production-issuer-traefik.yaml issuers/production-issuer.yaml
+```
+* edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
+```
+kubectl apply -f issuers/production-issuer.yaml -n orb
+```
+* Create Certificate (in the `orb` namespace!)
+```
+kubectl apply -f issuers/production-issuer.yaml -n orb
+```
To restart entire deployment:
From 0d2833bd1bba669a209e966836678b14b90020f9 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 20:34:29 -0300
Subject: [PATCH 55/73] Update values.yaml
---
charts/orb/values.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 8dbc1ae..4e22dc4 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -437,6 +437,7 @@ maestro:
ClusterRole: "admin"
serviceAccountName: "k8s-maestro-role"
serviceAccountNamespace: "otelcollectors"
+ automountServiceAccountToken: false # requires true for kubernetes > 1.27
image:
name: "orb-maestro"
metadata:
From 9b6dbccf068f0e223c3bab4b5c3c12a1765d2604 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 20:36:24 -0300
Subject: [PATCH 56/73] Update maestro-service-account.yaml
---
charts/orb/templates/maestro-service-account.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index d679de9..350b294 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -3,6 +3,9 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
+{{- if .Values.maestro.rbac.automountServiceAccountToken }}
+automountServiceAccountToken: true
+{{ end }}
---
{{- if .Values.maestro.rbac.ClusterRoleBindingCreate }}
apiVersion: rbac.authorization.k8s.io/v1
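Review bot: The added block can only ever emit `automountServiceAccountToken: true`, which is what Kubernetes assumes when the field is absent, so the value introduced in PATCH 55 has no effect in either position; in particular `false` does not switch token automounting off. If the flag is meant to be a real toggle, render the value itself, `automountServiceAccountToken: {{ .Values.maestro.rbac.automountServiceAccountToken }}`, without the surrounding `if`. The closing `{{ end }}` also lacks the `-` trim marker, which leaves a blank line before the `---` separator.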
From df2e6f166f8c9c22f395c473a30ecd91f4539684 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 20:37:01 -0300
Subject: [PATCH 57/73] Update values.yaml
---
charts/orb/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 4e22dc4..3a9aa01 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -437,7 +437,7 @@ maestro:
ClusterRole: "admin"
serviceAccountName: "k8s-maestro-role"
serviceAccountNamespace: "otelcollectors"
- automountServiceAccountToken: false # requires true for kubernetes > 1.27
+ automountServiceAccountToken: false # required true for kubernetes > 1.27
image:
name: "orb-maestro"
metadata:
From abd594a84a75e40be355007d3a1189942e5f1029 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 21:42:03 -0300
Subject: [PATCH 58/73] Update maestro-service-account.yaml
---
charts/orb/templates/maestro-service-account.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index 350b294..d679de9 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -3,9 +3,6 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
-{{- if .Values.maestro.rbac.automountServiceAccountToken }}
-automountServiceAccountToken: true
-{{ end }}
---
{{- if .Values.maestro.rbac.ClusterRoleBindingCreate }}
apiVersion: rbac.authorization.k8s.io/v1
From f547a893f043c3a9852dbe380674e5b3e5410f35 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 21:42:11 -0300
Subject: [PATCH 59/73] Update maestro-deployment.yaml
---
charts/orb/templates/maestro-deployment.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/charts/orb/templates/maestro-deployment.yaml b/charts/orb/templates/maestro-deployment.yaml
index 191a820..290c98d 100644
--- a/charts/orb/templates/maestro-deployment.yaml
+++ b/charts/orb/templates/maestro-deployment.yaml
@@ -19,6 +19,9 @@ spec:
component: maestro
spec:
serviceAccountName: k8s-maestro-role
+ {{- if .Values.maestro.rbac.disableAutomountServiceAccountToken }}
+ automountServiceAccountToken: false
+ {{ end }}
containers:
- env:
- name: ORB_SINKS_SECRET_KEY
From 40ce2e50889990007acbe217daf3873f221c23f2 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 21:43:23 -0300
Subject: [PATCH 60/73] Update values.yaml
---
charts/orb/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 3a9aa01..c1be163 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -437,7 +437,7 @@ maestro:
ClusterRole: "admin"
serviceAccountName: "k8s-maestro-role"
serviceAccountNamespace: "otelcollectors"
- automountServiceAccountToken: false # required true for kubernetes > 1.27
+ disableAutomountServiceAccountToken: false # required true for kubernetes > 1.27
image:
name: "orb-maestro"
metadata:
From 3b907c76ed981ddaeb10bf5786cb4c7ae63a8594 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 22:19:23 -0300
Subject: [PATCH 61/73] Update maestro-deployment.yaml
---
charts/orb/templates/maestro-deployment.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/charts/orb/templates/maestro-deployment.yaml b/charts/orb/templates/maestro-deployment.yaml
index 290c98d..191a820 100644
--- a/charts/orb/templates/maestro-deployment.yaml
+++ b/charts/orb/templates/maestro-deployment.yaml
@@ -19,9 +19,6 @@ spec:
component: maestro
spec:
serviceAccountName: k8s-maestro-role
- {{- if .Values.maestro.rbac.disableAutomountServiceAccountToken }}
- automountServiceAccountToken: false
- {{ end }}
containers:
- env:
- name: ORB_SINKS_SECRET_KEY
From 550a019b4e319132dfa54b15987ce84e623f11f4 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 22:31:21 -0300
Subject: [PATCH 62/73] Update maestro-service-account.yaml
---
charts/orb/templates/maestro-service-account.yaml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index d679de9..86e62f8 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -3,8 +3,22 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
+{{- if .Values.maestro.rbac.createServiceAccountTokenSecret }}
+secrets:
+ - name: {{ .Release.Name }}-maestro-k8s-secret
+{{ end }}
+{{- if .Values.maestro.rbac.createServiceAccountTokenSecret }}
---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-maestro-k8s-secret
+ annotations:
+ kubernetes.io/service-account.name: {{ .Values.maestro.rbac.serviceAccountName }}
+type: kubernetes.io/service-account-token
+{{ end }}
{{- if .Values.maestro.rbac.ClusterRoleBindingCreate }}
+---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
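Review bot: The added `kubernetes.io/service-account-token` Secret makes the control plane mint a token for this ServiceAccount that does not expire and that anyone able to read Secrets in the namespace can use. Pods already receive short-lived, rotated tokens through the projected volume, so this Secret is only needed if maestro hands a static token to something outside its own pod; if that is the case, please say so in a comment next to `createServiceAccountTokenSecret` in values.yaml and keep the bound role as narrow as possible. Neither the ServiceAccount nor the Secret sets `metadata.namespace`, while the binding subjects in this file (see PATCH 70's context) point at `serviceAccountNamespace`; if the release namespace differs from that value, the binding targets an account this template did not create.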
@@ -18,6 +32,7 @@ roleRef:
name: {{ .Values.maestro.rbac.ClusterRole }}
apiGroup: rbac.authorization.k8s.io
{{ else }}
+---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
From 323b82bff2ba9c0d14d71ddcfe9b5a73f2c01a1f Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Thu, 1 Feb 2024 22:32:07 -0300
Subject: [PATCH 63/73] Update values.yaml
---
charts/orb/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index c1be163..67cc199 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -437,7 +437,7 @@ maestro:
ClusterRole: "admin"
serviceAccountName: "k8s-maestro-role"
serviceAccountNamespace: "otelcollectors"
- disableAutomountServiceAccountToken: false # required true for kubernetes > 1.27
+ createServiceAccountTokenSecret: false # required true for kubernetes > 1.27
image:
name: "orb-maestro"
metadata:
From 4f76be07bb721a7daedb3940b73bbf99b3035514 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 2 Feb 2024 00:33:19 -0300
Subject: [PATCH 64/73] Update maestro-deployment.yaml
---
charts/orb/templates/maestro-deployment.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/templates/maestro-deployment.yaml b/charts/orb/templates/maestro-deployment.yaml
index 191a820..2e3616b 100644
--- a/charts/orb/templates/maestro-deployment.yaml
+++ b/charts/orb/templates/maestro-deployment.yaml
@@ -18,7 +18,7 @@ spec:
app: {{ .Release.Name }}
component: maestro
spec:
- serviceAccountName: k8s-maestro-role
+ serviceAccountName: {{ .Values.maestro.rbac.serviceAccountName }}
containers:
- env:
- name: ORB_SINKS_SECRET_KEY
From 8935fc1b1c9722fcd92bd8a2319bfb595df2abab Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 2 Feb 2024 10:43:13 -0300
Subject: [PATCH 65/73] Update maestro-service-account.yaml
---
charts/orb/templates/maestro-service-account.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index 86e62f8..fdbdbd1 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -42,7 +42,7 @@ subjects:
- kind: ServiceAccount
name: {{ .Values.maestro.rbac.serviceAccountName }}
roleRef:
- kind: ClusterRole
+ kind: Role
name: {{ .Values.maestro.rbac.ClusterRole }}
apiGroup: rbac.authorization.k8s.io
{{ end }}
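Review bot: With `kind: Role` the RoleBinding now looks for a namespaced Role named by `.Values.maestro.rbac.ClusterRole`, whose default in values.yaml is `admin` (visible in PATCH 55's context). `admin` is a built-in ClusterRole, and nothing in the chart at this point in the series creates a Role of that name, so with default values the binding would grant nothing. `roleRef` is also immutable in Kubernetes, so an upgrade over an existing release needs the old RoleBinding deleted first. The binding's `metadata:` and the start of `subjects:` lie above the hunk.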
From d673778e29f7c1323bf50fac43b1c912c0f5fe9d Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 2 Feb 2024 11:11:38 -0300
Subject: [PATCH 66/73] Update maestro-service-account.yaml
---
.../templates/maestro-service-account.yaml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index fdbdbd1..8c6b2e3 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -20,6 +20,22 @@ type: kubernetes.io/service-account-token
{{- if .Values.maestro.rbac.ClusterRoleBindingCreate }}
---
apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: maestro-cluster-role
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'pods'
+ verbs:
+ - 'create'
+ - 'delete'
+ - 'get'
+ - 'list'
+ - 'patch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
@@ -34,6 +50,23 @@ roleRef:
{{ else }}
---
apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: maestro-role
+ namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'pods'
+ verbs:
+ - 'create'
+ - 'delete'
+ - 'get'
+ - 'list'
+ - 'patch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
From 8b2443adf3be0b55c90833de23aa6126891457b2 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 2 Feb 2024 11:12:56 -0300
Subject: [PATCH 67/73] Update values.yaml
---
charts/orb/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index 67cc199..a20b51e 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -434,7 +434,7 @@ maestro:
port: 9092
rbac:
ClusterRoleBindingCreate: false # set this true to create ClusterRoleBinding instead RoleBinding
- ClusterRole: "admin"
+ ClusterRole: "admin" # set it to maestro-cluster-role (ClusterRole) or maestro-role (Role)
serviceAccountName: "k8s-maestro-role"
serviceAccountNamespace: "otelcollectors"
createServiceAccountTokenSecret: false # required true for kubernetes > 1.27
From ea5b40b9e965c6e3dd92b5d314673f784917ea0e Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 2 Feb 2024 11:31:22 -0300
Subject: [PATCH 68/73] Update maestro-service-account.yaml
---
.../templates/maestro-service-account.yaml | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index 8c6b2e3..6beaf66 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -55,16 +55,16 @@ metadata:
name: maestro-role
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
rules:
- - apiGroups:
- - ''
- resources:
- - 'pods'
- verbs:
- - 'create'
- - 'delete'
- - 'get'
- - 'list'
- - 'patch'
+ - apiGroups:
+ - ''
+ resources:
+ - 'pods'
+ verbs:
+ - 'create'
+ - 'delete'
+ - 'get'
+ - 'list'
+ - 'patch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
From 07b1026a014c7b8a79078ed1000689ba67fed64b Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 2 Feb 2024 11:47:28 -0300
Subject: [PATCH 69/73] fix rbac
---
.../templates/maestro-service-account.yaml | 27 +++++--------------
1 file changed, 7 insertions(+), 20 deletions(-)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index 6beaf66..317b0ac 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -23,17 +23,11 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: maestro-cluster-role
+ # "namespace" omitted since ClusterRoles are not namespaced
rules:
- - apiGroups:
- - ''
- resources:
- - 'pods'
- verbs:
- - 'create'
- - 'delete'
- - 'get'
- - 'list'
- - 'patch'
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
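Review bot: Replacing the pod-only rule with `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]` makes `maestro-cluster-role` equivalent to cluster-admin, and the second hunk does the same for `maestro-role` inside its namespace. Together with the non-expiring token Secret that PATCH 62 can create for the same account, the blast radius of that single credential becomes the whole cluster. If the rule from PATCH 66 was missing permissions, I would add the specific resources and verbs that were denied (the API server's authorization errors name them) rather than wildcards, and record in a comment above `rules:` what maestro actually manages.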
@@ -55,16 +49,9 @@ metadata:
name: maestro-role
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
rules:
- - apiGroups:
- - ''
- resources:
- - 'pods'
- verbs:
- - 'create'
- - 'delete'
- - 'get'
- - 'list'
- - 'patch'
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
From d88dbcc88ab80e9062d2dbb95cabdfb71eacbea5 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Fri, 2 Feb 2024 12:41:43 -0300
Subject: [PATCH 70/73] Update maestro-service-account.yaml
---
charts/orb/templates/maestro-service-account.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index 317b0ac..3bfb343 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -37,6 +37,7 @@ subjects:
- kind: ServiceAccount
name: {{ .Values.maestro.rbac.serviceAccountName }}
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
+ apiGroup: ""
roleRef:
kind: ClusterRole
name: {{ .Values.maestro.rbac.ClusterRole }}
From 30902a3eb0a1d7c0f92b123b239af7ac532aa538 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Tue, 26 Mar 2024 19:57:54 -0300
Subject: [PATCH 71/73] Update maestro-service-account.yaml
---
.../orb/templates/maestro-service-account.yaml | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index 3bfb343..6eef855 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -25,7 +25,10 @@ metadata:
name: maestro-cluster-role
# "namespace" omitted since ClusterRoles are not namespaced
rules:
- - apiGroups: ["*"]
+ - apiGroups: [""]
+ resources: ["*"]
+ verbs: ["*"]
+ - apiGroups: ["extensions"]
resources: ["*"]
verbs: ["*"]
---
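Review bot: Narrowing `apiGroups` to the core group and `extensions` still leaves `resources: ["*"]` and `verbs: ["*"]`, and the core group contains Secrets, ServiceAccounts and `pods/exec`; with `ClusterRoleBindingCreate: true` that is read and write access to every Secret in the cluster. The `extensions` group no longer serves workload resources on current Kubernetes versions (Deployments and similar kinds live under `apps`), so that rule probably grants nothing useful; it is worth checking which group maestro's objects actually belong to. The same rules are repeated for `maestro-role` in the third hunk. The least-privilege form lists concrete resources and only the verbs used, but the exact list has to come from what maestro creates, which this diff does not show.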
@@ -37,10 +40,9 @@ subjects:
- kind: ServiceAccount
name: {{ .Values.maestro.rbac.serviceAccountName }}
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
- apiGroup: ""
roleRef:
kind: ClusterRole
- name: {{ .Values.maestro.rbac.ClusterRole }}
+ name: maestro-cluster-role
apiGroup: rbac.authorization.k8s.io
{{ else }}
---
@@ -50,7 +52,10 @@ metadata:
name: maestro-role
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
rules:
- - apiGroups: ["*"]
+ - apiGroups: [""]
+ resources: ["*"]
+ verbs: ["*"]
+ - apiGroups: ["extensions"]
resources: ["*"]
verbs: ["*"]
---
@@ -62,8 +67,9 @@ metadata:
subjects:
- kind: ServiceAccount
name: {{ .Values.maestro.rbac.serviceAccountName }}
+ namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
roleRef:
kind: Role
- name: {{ .Values.maestro.rbac.ClusterRole }}
+ name: maestro-role
apiGroup: rbac.authorization.k8s.io
{{ end }}
From 1304cca6edf1f3f5cce7ac997e5cc8cd6830ba07 Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Wed, 27 Mar 2024 10:46:27 -0300
Subject: [PATCH 72/73] Update values.yaml
---
charts/orb/values.yaml | 2 --
1 file changed, 2 deletions(-)
diff --git a/charts/orb/values.yaml b/charts/orb/values.yaml
index a20b51e..538e5a4 100644
--- a/charts/orb/values.yaml
+++ b/charts/orb/values.yaml
@@ -434,8 +434,6 @@ maestro:
port: 9092
rbac:
ClusterRoleBindingCreate: false # set this true to create ClusterRoleBinding instead RoleBinding
- ClusterRole: "admin" # set it to maestro-cluster-role (ClusterRole) or maestro-role (Role)
- serviceAccountName: "k8s-maestro-role"
serviceAccountNamespace: "otelcollectors"
createServiceAccountTokenSecret: false # required true for kubernetes > 1.27
image:
From e035a8a7161d4bf9d28674602b00775f3e0a683d Mon Sep 17 00:00:00 2001
From: "Everton H. Taques" <97463920+etaques@users.noreply.github.com>
Date: Wed, 27 Mar 2024 10:50:20 -0300
Subject: [PATCH 73/73] Update maestro-service-account.yaml
---
charts/orb/templates/maestro-service-account.yaml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
index 6eef855..6c43ffb 100644
--- a/charts/orb/templates/maestro-service-account.yaml
+++ b/charts/orb/templates/maestro-service-account.yaml
@@ -2,7 +2,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ .Values.maestro.rbac.serviceAccountName }}
+ name: k8s-maestro-sa
{{- if .Values.maestro.rbac.createServiceAccountTokenSecret }}
secrets:
- name: {{ .Release.Name }}-maestro-k8s-secret
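Review bot: The ServiceAccount is now the literal `k8s-maestro-sa`, but maestro-deployment.yaml was last changed in PATCH 64 to `serviceAccountName: {{ .Values.maestro.rbac.serviceAccountName }}`, and PATCH 72 deletes that key from values.yaml. Unless the deployment is updated elsewhere, the field renders empty and the maestro pod runs under the namespace's `default` account, so none of the RBAC defined in this file applies to it. Either keep the value and use it in every place, or set `serviceAccountName: k8s-maestro-sa` in the deployment as part of this commit. The fixed names in this file (`maestro-cluster-role`, and `k8s-maestro-rb` in the third hunk) would also collide if the chart is installed twice in one cluster; prefixing them with `{{ .Release.Name }}-` avoids that.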
@@ -14,7 +14,7 @@ kind: Secret
metadata:
name: {{ .Release.Name }}-maestro-k8s-secret
annotations:
- kubernetes.io/service-account.name: {{ .Values.maestro.rbac.serviceAccountName }}
+ kubernetes.io/service-account.name: k8s-maestro-sa
type: kubernetes.io/service-account-token
{{ end }}
{{- if .Values.maestro.rbac.ClusterRoleBindingCreate }}
@@ -35,10 +35,10 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: {{ .Values.maestro.rbac.serviceAccountName }}
+ name: k8s-maestro-rb
subjects:
- kind: ServiceAccount
- name: {{ .Values.maestro.rbac.serviceAccountName }}
+ name: k8s-maestro-sa
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
roleRef:
kind: ClusterRole
@@ -62,11 +62,11 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
- name: {{ .Values.maestro.rbac.serviceAccountName }}
+ name: k8s-maestro-rb
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
subjects:
- kind: ServiceAccount
- name: {{ .Values.maestro.rbac.serviceAccountName }}
+ name: k8s-maestro-sa
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
roleRef:
kind: Role