From 15c0151eb2f67d5b88d70d7377e532878affa785 Mon Sep 17 00:00:00 2001 
From: drornir-velocity Date: Sat, 20 Jul 2024 20:31:09 +0000 Subject: [PATCH] Release operator 0.1.0-rc1 Workflow Link: https://github.com/techvelocity/starlink/actions/runs/10022921106 --- charts/operator/.helmignore | 21 + charts/operator/Chart.lock | 6 + charts/operator/Chart.yaml | 24 + charts/operator/README.md | 225 +++++++ charts/operator/templates/NOTES.txt | 25 + charts/operator/templates/_certificate.tpl | 46 ++ charts/operator/templates/_helpers.tpl | 83 +++ .../operator/templates/admissionwebhook.yaml | 32 + .../templates/clusterrolebinding.yaml | 17 + charts/operator/templates/deployment.yaml | 162 +++++ charts/operator/templates/extra-list.yaml | 6 + .../templates/leader_election_role.yaml | 61 ++ charts/operator/templates/role.yaml | 18 + .../operator/templates/service-account.yaml | 14 + charts/operator/templates/service.yaml | 51 ++ charts/operator/templates/servicemonitor.yaml | 44 ++ charts/operator/templates/webhook-cert.yaml | 14 + charts/operator/values.yaml | 565 ++++++++++++++++++ 18 files changed, 1414 insertions(+) create mode 100644 charts/operator/.helmignore create mode 100644 charts/operator/Chart.lock create mode 100644 charts/operator/Chart.yaml create mode 100644 charts/operator/README.md create mode 100644 charts/operator/templates/NOTES.txt create mode 100644 charts/operator/templates/_certificate.tpl create mode 100644 charts/operator/templates/_helpers.tpl create mode 100644 charts/operator/templates/admissionwebhook.yaml create mode 100644 charts/operator/templates/clusterrolebinding.yaml create mode 100644 charts/operator/templates/deployment.yaml create mode 100644 charts/operator/templates/extra-list.yaml create mode 100644 charts/operator/templates/leader_election_role.yaml create mode 100644 charts/operator/templates/role.yaml create mode 100644 charts/operator/templates/service-account.yaml create mode 100644 charts/operator/templates/service.yaml create mode 100644 charts/operator/templates/servicemonitor.yaml create 
mode 100644 charts/operator/templates/webhook-cert.yaml
create mode 100644 charts/operator/values.yaml
diff --git a/charts/operator/.helmignore b/charts/operator/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/charts/operator/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/operator/Chart.lock b/charts/operator/Chart.lock
new file mode 100644
index 0000000..4dc4952
--- /dev/null
+++ b/charts/operator/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 2.20.3
+digest: sha256:d3d347084d75100c8af877fb25639d5542e6bb5d7d98476661714fcc94da3bd6
+generated: "2024-07-06T14:12:44.731865+03:00"
diff --git a/charts/operator/Chart.yaml b/charts/operator/Chart.yaml
new file mode 100644
index 0000000..169ff2a
--- /dev/null
+++ b/charts/operator/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+type: application
+version: 0.1.0-dev
+# used as the default value for .Values.operator.image.tag
+appVersion: 0.1.0-dev
+name: operator
+description: |
+ TODO description
+home: https://velocity.tech
+# icon: ''
+keywords: []
+maintainers:
+ - name: Velocity
+ url: https://velocity.tech
+dependencies:
+ - name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.20.3
+sources:
+ - https://github.com/techvelocity/helm-charts/tree/main/charts/operator
+ - https://github.com/techvelocity/starlink/tree/main/operator
+ - https://github.com/bitnami/charts/tree/main/bitnami/common
diff --git a/charts/operator/README.md b/charts/operator/README.md
new file mode 100644
index 0000000..32869aa
--- /dev/null
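Review bot: In Chart.yaml, `appVersion: 0.1.0-dev` is, per the comment directly above it, the default for `.Values.operator.image.tag`, so an install with default values pulls a `-dev` image tag even though this patch is titled as the `0.1.0-rc1` release; presumably the release workflow rewrites `version`/`appVersion` before packaging, but if it does not, the default tag is exactly the kind of moving target the README's "use immutable tags" section warns against. `description: |` also still carries the literal `TODO description`, which is what registry UIs and `helm search` will display. If CI does substitute the version, say so next to the field, e.g. `# replaced with the release tag by the release workflow`, so the `-dev` placeholder is clearly intentional.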
+++ b/charts/operator/README.md 
@@ -0,0 +1,225 @@ +# TODO(dror): edit this readme + + + +# velocity-operator + +%%DESCRIPTION%% (check existing examples) + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/velocity-operator +``` + +Looking to use velocity-operator in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +%%INTRODUCTION%% (check existing examples) + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ +- PV provisioner support in the underlying infrastructure +- ReadWriteMany volumes for deployment scaling + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/velocity-operator +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The command deploys velocity-operator on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
+ +### External database support + +%%IF NEEDED%% + +You may want to have velocity-operator connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalDatabase` parameter](#parameters). You should also disable the MariaDB installation with the `mariadb.enabled` option. Here is an example: + +```console +mariadb.enabled=false +externalDatabase.host=myexternalhost +externalDatabase.user=myuser +externalDatabase.password=mypassword +externalDatabase.database=mydatabase +externalDatabase.port=3306 +``` + +### Ingress + +%%IF NEEDED%% + +This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `ingress.enabled` to `true`. + +The most common scenario is to have one host name mapped to the deployment. In this case, the `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. + +However, it is also possible to have more than one host. To facilitate this, the `ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts. + +> NOTE: For each host specified in the `ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. 
Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers. + +Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists. + +[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). + +### TLS secrets + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the cluster: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.existingSecret`: Name of the secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. +- `tls.certCAFilename`: CA Certificate filename. No defaults. + +For example: + +First, create the secret with the certificates files: + +```console +kubectl create secret generic certificates-tls-secret --from-file=./cert.pem --from-file=./cert.key --from-file=./ca.pem +``` + +Then, use the following parameters: + +```console +tls.enabled="true" +tls.existingSecret="certificates-tls-secret" +tls.certFilename="cert.pem" +tls.certKeyFilename="cert.key" +tls.certCAFilename="ca.pem" +``` + +### %%OTHER_SECTIONS%% + +### Additional environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. 
+ +```yaml +velocity-operator: + extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Sidecars + +If additional containers are needed in the same pod as velocity-operator (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). 
+ +As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +## Persistence + +The [Bitnami velocity-operator](https://github.com/bitnami/containers/tree/main/bitnami/velocity-operator) image stores the velocity-operator data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +## Parameters + +See to create the table + +The above parameters map to the env variables defined in [bitnami/velocity-operator](https://github.com/bitnami/containers/tree/main/bitnami/velocity-operator). For more information please refer to the [bitnami/velocity-operator](https://github.com/bitnami/containers/tree/main/bitnami/velocity-operator) image documentation. + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release \ + --set velocity-operatorUsername=admin \ + --set velocity-operatorPassword=password \ + --set mariadb.auth.rootPassword=secretpassword \ + oci://REGISTRY_NAME/REPOSITORY_NAME/velocity-operator +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the velocity-operator administrator account username and password to `admin` and `password` respectively. 
Additionally, it sets the MariaDB `root` user password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/velocity-operator +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/blob/main/template/CHART_NAME/values.yaml) + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. 
diff --git a/charts/operator/templates/NOTES.txt b/charts/operator/templates/NOTES.txt
new file mode 100644
index 0000000..e24f15e
--- /dev/null
+++ b/charts/operator/templates/NOTES.txt
@@ -0,0 +1,25 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+{{- if .Values.diagnosticMode.enabled }}
+The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
+
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
+
+Get the list of pods by executing:
+
+ kubectl get pods --namespace {{ include "common.names.namespace" . | quote }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+Access the pod you want to debug by executing
+
+ kubectl exec --namespace {{ include "common.names.namespace" . | quote }} -ti -- bash
+
+In order to replicate the container startup scripts execute this command:
+
+ "/manager"
+
+{{- end }}
+
+{{- include "operator.validateValues" . }}
diff --git a/charts/operator/templates/_certificate.tpl b/charts/operator/templates/_certificate.tpl
new file mode 100644
index 0000000..6ede3c0
--- /dev/null
+++ b/charts/operator/templates/_certificate.tpl
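Review bot: The diagnostic-mode exec example `kubectl exec --namespace {{ include "common.names.namespace" . | quote }} -ti -- bash` has no pod name between `-ti` and `--`, so it cannot be pasted as written; unless a placeholder was lost in rendering, add one, e.g. `-ti <POD_NAME> -- bash` (placeholder for the reader to fill in from the `kubectl get pods` output above it). The last instruction, "execute this command:" followed by a bare `"/manager"`, should also carry the rendered `args` the way the `command:` block above does, otherwise it does not replicate the container start-up.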
@@ -0,0 +1,46 @@
+{{/*
+Generate a self-signed certificate to be used for admission webhook TLS
+*/}}
+{{- define "operator.webhook.certificate.self-signed.generate" -}}
+{{- $altNames := list (printf "%s.%s" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc" (include "common.names.fullname" .) (include "common.names.namespace" .)) -}}
+{{- $ca := genCA (include "common.names.fullname" .) 365 -}}
+{{- $cert := genSignedCert (include "common.names.fullname" .) nil $altNames 365 $ca -}}
+{{- $_ := set $ "certificate" (dict "ca" $ca "cert" $cert) -}}
+{{- end -}}
+
+{{- define "operator.webhook.certificate.self-signed.generated-cert" -}}
+{{- if not (hasKey $ "certificate") -}}
+{{- include "operator.webhook.certificate.self-signed.generate" . -}}
+{{- end -}}
+{{- $c := $.certificate.cert -}}
+tls.crt: {{ $c.Cert | b64enc }}
+tls.key: {{ $c.Key | b64enc }}
+{{- end -}}
+
+{{- define "operator.webhook.certificate.self-signed.generated-ca" -}}
+{{- if not (hasKey $ "certificate") -}}
+{{- include "operator.webhook.certificate.self-signed.generate" . -}}
+{{- end -}}
+{{- $c := $.certificate.ca -}}
+{{- $c.Cert | b64enc -}}
+{{- end -}}
+
+
+{{- define "operator.webhook.certificate.secret-name" -}}
+{{- if .Values.operator.admissionWebhook.autoSelfSignedCertificate -}}
+{{ template "common.names.fullname" . }}-cert
+{{- end -}}
+{{- if .Values.operator.admissionWebhook.existingCertificateSecretName -}}
+{{- .Values.operator.admissionWebhook.existingCertificateSecretName -}}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "operator.webhook.certificate.ca-bundle" -}}
+{{- if .Values.operator.admissionWebhook.autoSelfSignedCertificate -}}
+{{ include "operator.webhook.certificate.self-signed.generated-ca" . }}
+{{- end -}}
+{{- if .Values.operator.admissionWebhook.existingCABundle -}}
+{{- .Values.operator.admissionWebhook.existingCABundle -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
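Review bot: `genCA ... 365` and `genSignedCert ... 365` fix the self-signed CA and serving certificate lifetime at one year, and nothing in this patch rotates them; because `$.certificate` is only populated during a render, a release that is not upgraded within 365 days is left with an expired serving certificate, and since admissionwebhook.yaml sets `failurePolicy: Ignore` the API server will then skip the mutation silently instead of failing loudly. Conversely, every `helm upgrade` mints a fresh CA/cert pair and replaces the Secret and the `caBundle` together, which is consistent but not obvious from the helper names. Extend the header comment to say so, along the lines of `{{/* Generates a self-signed CA and serving cert for the admission webhook. Both are regenerated on every render and are valid for 365 days; upgrade the release before expiry, otherwise the webhook is silently bypassed (failurePolicy: Ignore). */}}`, and consider exposing the validity period as a value.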
diff --git a/charts/operator/templates/_helpers.tpl b/charts/operator/templates/_helpers.tpl
new file mode 100644
index 0000000..5eb6d96
--- /dev/null
+++ b/charts/operator/templates/_helpers.tpl
@@ -0,0 +1,83 @@
+{{/*
+Return the proper operator image name
+*/}}
+{{- define "operator.image" -}}
+{{- $image := .Values.operator.image -}}
+
+{{- if not $image.tag -}}
+{{- $_ := set $image "tag" .Chart.AppVersion -}}
+{{- end -}}
+
+{{- if not $image.registry -}}
+{{- $_ := set $image "registry" "ghcr.io" -}}
+{{- end -}}
+
+{{- if not $image.repository -}}
+{{- $_ := set $image "repository" "techvelocity/operator" -}}
+{{- end -}}
+
+{{ include "common.images.image" (dict "imageRoot" $image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper image name (for the init container volume-permissions image)
+*/}}
+{{- define "operator.volumePermissions.image" -}}
+{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "operator.imagePullSecrets" -}}
+{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.operator.image) "context" $) -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+*/}}
+{{- define "operator.ingress.certManagerRequest" -}}
+{{ if or (hasKey . "cert-manager.io/cluster-issuer") (hasKey . "cert-manager.io/issuer") }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message.
+*/}}
+{{- define "operator.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "operator.validateValues.replicasCount" .) -}}
+{{- $messages := append $messages (include "operator.validateValues.certificate" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "operator.validateValues.replicasCount" -}}
+{{- if and (ne "1" (toString .Values.operator.replicaCount)) (ne "3" (toString .Values.operator.replicaCount)) -}}
+{{- fail (cat "currently only one or three replicaCount is supported" (toString .Values.operator.replicaCount)) -}}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "operator.validateValues.certificate" -}}
+{{- if and .Values.operator.admissionWebhook.autoSelfSignedCertificate (not (empty .Values.operator.admissionWebhook.existingCertificateSecretName)) -}}
+{{- fail "admissionWebhook.autoSelfSignedCertificate is enabled, but so does admissionWebhook.existingCertificateSecretName. Only one of them is allowed at a time" -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/operator/templates/admissionwebhook.yaml b/charts/operator/templates/admissionwebhook.yaml
new file mode 100644
index 0000000..ea086dd
--- /dev/null
+++ b/charts/operator/templates/admissionwebhook.yaml
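Review bot: `operator.validateValues.certificate` only rejects the case where `autoSelfSignedCertificate` and `existingCertificateSecretName` are both set; it accepts neither being set, in which case `operator.webhook.certificate.secret-name` and `operator.webhook.certificate.ca-bundle` in the _certificate.tpl hunk render empty, leaving `secretName:` empty on the deployment's cert volume and `caBundle:` empty on the MutatingWebhookConfiguration. It also accepts `existingCertificateSecretName` without `existingCABundle`, so the API server verifies the webhook's serving certificate against its own trust roots; together with `failurePolicy: Ignore` in admissionwebhook.yaml that failure is silent and pods are admitted unmutated. Add the two missing checks below (the same gap shows in the _certificate.tpl and admissionwebhook.yaml hunks); the existing message `but so does` would also read better as `but so is`.

```yaml
{{- define "operator.validateValues.certificate" -}}
{{- /* … unchanged: both-set check … */ -}}
{{- if and (not .Values.operator.admissionWebhook.autoSelfSignedCertificate) (empty .Values.operator.admissionWebhook.existingCertificateSecretName) -}}
{{- fail "one of admissionWebhook.autoSelfSignedCertificate or admissionWebhook.existingCertificateSecretName must be set, otherwise the webhook has no serving certificate" -}}
{{- end -}}
{{- if and (not (empty .Values.operator.admissionWebhook.existingCertificateSecretName)) (empty .Values.operator.admissionWebhook.existingCABundle) -}}
{{- fail "admissionWebhook.existingCertificateSecretName is set but admissionWebhook.existingCABundle is empty; the API server cannot verify the webhook without its CA" -}}
{{- end -}}
{{- end -}}
```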
@@ -0,0 +1,32 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+webhooks:
+ - name: mutate-pod.velocity.tech
+ admissionReviewVersions:
+ - v1
+ clientConfig:
+ caBundle: {{ include "operator.webhook.certificate.ca-bundle" . }}
+ service:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ path: /mutate-v1-pod
+ port: 9443
+ failurePolicy: Ignore
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ sideEffects: None
diff --git a/charts/operator/templates/clusterrolebinding.yaml b/charts/operator/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..e56085b
--- /dev/null
+++ b/charts/operator/templates/clusterrolebinding.yaml
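Review bot: The webhook has no `namespaceSelector` or `objectSelector`, so every Pod CREATE in every namespace, including kube-system and the operator's own namespace, is routed to this service, and `failurePolicy: Ignore` is a literal, so none of the three is tunable from values. Exposing at least `namespaceSelector` and `failurePolicy` as values (rendered with the chart's usual `common.tplvalues.render` pattern) lets operators exempt system namespaces and choose whether an unreachable webhook should block or bypass admission, which is a security decision that belongs to the cluster owner. Two smaller points: `metadata.namespace` is set on a cluster-scoped MutatingWebhookConfiguration, which the API server will drop, and `clientConfig.service.port: 9443` is hard-coded while the container port comes from `.Values.operator.containerPorts.webhooks`; service.yaml is outside this chunk, so I cannot tell whether the Service port it exposes matches.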
@@ -0,0 +1,17 @@
+kind: ClusterRoleBinding
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "common.names.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "operator.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
diff --git a/charts/operator/templates/deployment.yaml b/charts/operator/templates/deployment.yaml
new file mode 100644
index 0000000..daecafb
--- /dev/null
+++ b/charts/operator/templates/deployment.yaml
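Review bot: `roleRef` points at a ClusterRole named `{{ template "common.names.fullname" . }}`, but the patch's file list contains no ClusterRole template (only the namespaced `role.yaml` and the leader-election Role), so unless that ClusterRole is created outside this chart the binding dangles; the API server accepts a ClusterRoleBinding whose roleRef does not exist, and the operator simply receives RBAC denials at runtime. The file is also not gated on `.Values.rbac.create` while role.yaml is, so `rbac.create=false` still creates a cluster-scoped binding. Either add the ClusterRole to the chart or wrap this template in `{{- if .Values.rbac.create }}` … `{{- end }}` and state in values.yaml which ClusterRole the user must provide.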
@@ -0,0 +1,162 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- if or .Values.operator.deploymentAnnotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.operator.deploymentAnnotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.operator.updateStrategy }}
+ strategy: {{- toYaml .Values.operator.updateStrategy | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.operator.podLabels .Values.commonLabels) "context" .) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: operator
+ template:
+ metadata:
+ annotations: {{- if not (empty .Values.operator.podAnnotations) }}{{- include "common.tplvalues.render" (dict "value" .Values.operator.podAnnotations "context" $) | nindent 8 }}{{ end }}
+ kubectl.kubernetes.io/default-container: operator
+ {{- if .Values.operator.admissionWebhook.autoSelfSignedCertificate }}
+ checksum/auto-generated-cert-secret: {{ include (print $.Template.BasePath "/webhook-cert.yaml") . | sha256sum }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
+ app.kubernetes.io/component: operator
+ spec:
+ {{- include "operator.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ template "operator.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.operator.automountServiceAccountToken }}
+ {{- if .Values.operator.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.operator.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.operator.affinity }}
+ affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.operator.podAffinityPreset "component" "operator" "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.operator.podAntiAffinityPreset "component" "operator" "customLabels" $podLabels "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.operator.nodeAffinityPreset.type "key" .Values.operator.nodeAffinityPreset.key "values" .Values.operator.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.operator.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.operator.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.operator.tolerations "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.operator.priorityClassName }}
+ priorityClassName: {{ .Values.operator.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.operator.schedulerName }}
+ schedulerName: {{ .Values.operator.schedulerName | quote }}
+ {{- end }}
+ {{- if .Values.operator.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.operator.topologySpreadConstraints "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.operator.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.operator.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ {{- if .Values.operator.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.operator.terminationGracePeriodSeconds }}
+ {{- end }}
+ initContainers:
+ {{- if .Values.operator.initContainers }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.operator.initContainers "context" $) | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: operator
+ image: {{ template "operator.image" . }}
+ imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
+ {{- if .Values.operator.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.operator.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ {{- else if .Values.operator.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.operator.command "context" $) | nindent 12 }}
+ {{- else }}
+ command:
+ - "/manager"
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.operator.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.operator.args "context" $) | nindent 12 }}
+ {{- else }}
+ args:
+ {{- if .Values.operator.leaderElection.enabled }}
+ - --leader-elect
+ {{- end }}
+ - --health-probe-bind-address=:8081
+ {{- if .Values.metrics.enabled }}
+ - --metrics-bind-address=:8080
+ {{- end }}
+ {{- end }}
+ env:
+ - name: VELOCITY_DEBUG
+ value: {{ ternary "true" "false" (or .Values.operator.image.debug .Values.diagnosticMode.enabled) | quote }}
+ {{- if .Values.operator.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.operator.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ envFrom:
+ {{- if .Values.operator.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.operator.extraEnvVarsCM "context" $) }}
+ {{- end }}
+ {{- if .Values.operator.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.operator.extraEnvVarsSecret "context" $) }}
+ {{- end }}
+ {{- if .Values.operator.resources }}
+ resources: {{- toYaml .Values.operator.resources | nindent 12 }}
+ {{- else if ne .Values.operator.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.operator.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: webhooks
+ containerPort: {{ .Values.operator.containerPorts.webhooks }}
+ {{- if .Values.operator.extraContainerPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.operator.extraContainerPorts "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.operator.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.operator.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.operator.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.operator.livenessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /healthz
+ port: 8081
+ {{- end }}
+ {{- if .Values.operator.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.operator.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.operator.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.operator.readinessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /readyz
+ port: 8081
+ {{- end }}
+ {{- end }}
+ {{- if .Values.operator.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.operator.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ {{- if .Values.operator.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.operator.extraVolumeMounts "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.operator.sidecars }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.operator.sidecars "context" $) | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: {{ include "operator.webhook.certificate.secret-name" . }}
+ {{- if .Values.operator.extraVolumes }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.operator.extraVolumes "context" $) | nindent 8 }}
+ {{- end }}
diff --git a/charts/operator/templates/extra-list.yaml b/charts/operator/templates/extra-list.yaml
new file mode 100644
index 0000000..d0a093d
--- /dev/null
+++ b/charts/operator/templates/extra-list.yaml
@@ -0,0 +1,6 @@
+
+
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/charts/operator/templates/leader_election_role.yaml b/charts/operator/templates/leader_election_role.yaml
new file mode 100644
index 0000000..d53059d
--- /dev/null
+++ b/charts/operator/templates/leader_election_role.yaml
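Review bot: `initContainers:` and `envFrom:` are emitted unconditionally while their only items sit inside `{{- if }}` guards, so a default render carries both keys with a null value; the API server tolerates that, but every neighbouring optional section (`hostAliases`, `nodeSelector`, `tolerations`, `resources`) keeps its key inside the guard, so moving `initContainers:` inside the existing `{{- if .Values.operator.initContainers }}` block and wrapping `envFrom:` in `{{- if or .Values.operator.extraEnvVarsCM .Values.operator.extraEnvVarsSecret }}` would be consistent. Separately, `containerPort: {{ .Values.operator.containerPorts.webhooks }}` is configurable, but the default `args` only pass the health-probe and metrics bind addresses, so changing that value does not visibly change where the manager listens; I cannot see the manager's flags, so either pass a matching argument or note in values.yaml that the port must stay at the manager's default. The `ports` list also names only `webhooks`, although the probes target 8081 and the default args bind metrics on 8080; declaring those as named container ports is what a Service or ServiceMonitor needs to reference them by name.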
@@ -0,0 +1,61 @@
+{{- if .Values.operator.leaderElection.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-{{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-{{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-{{ template "common.names.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+{{- end -}}
diff --git a/charts/operator/templates/role.yaml b/charts/operator/templates/role.yaml
new file mode 100644
index 0000000..f75a0c7
--- /dev/null
+++ b/charts/operator/templates/role.yaml
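Review bot: The RoleBinding subject binds `name: {{ template "common.names.fullname" . }}`, while service-account.yaml creates the account through `include "operator.serviceAccountName" .`; whenever `serviceAccount.name` is set, or `serviceAccount.create` is false and an existing account is supplied, the leader-election grant lands on an account the operator pod does not run as, so leader election fails or, if an unrelated account by that name exists, it receives rights it should not have. Use the same helper here, `name: {{ include "operator.serviceAccountName" . }}`. The Role is also rendered whenever `operator.leaderElection.enabled` is true regardless of `rbac.create`; if that is deliberate, a comment at the top of the file saying so would save the next reader a check.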
@@ -0,0 +1,18 @@
+
+
+{{ if .Values.rbac.create }}
+kind: Role
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules: []
+ {{- if .Values.rbac.rules }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/operator/templates/service-account.yaml b/charts/operator/templates/service-account.yaml
new file mode 100644
index 0000000..724b638
--- /dev/null
+++ b/charts/operator/templates/service-account.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "operator.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/charts/operator/templates/service.yaml b/charts/operator/templates/service.yaml
new file mode 100644
index 0000000..3bfa4b2
--- /dev/null
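Review bot: `rules: []` followed by the conditional `nindent 2` block renders `rules: []` and then an indented `- apiGroups:` list on the next line, which is not valid YAML, so any non-empty `rbac.rules` makes the release fail to install while the empty default passes unnoticed. Keep the empty list in an else branch instead: `rules: {{- if .Values.rbac.rules }}{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}{{- else }} []{{- end }}`. I also don't see a RoleBinding for this Role anywhere in the change; if none exists, the Role grants nothing until one is added, which deserves a comment here or a follow-up.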
+++ b/charts/operator/templates/service.yaml 
@@ -0,0 +1,51 @@
+
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- if or .Values.service.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.service.annotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{- end }}
+ {{- if .Values.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
+ externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }}
+ loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: webhooks
+ port: {{ .Values.service.ports.webhooks }}
+ {{- if not (eq .Values.service.ports.webhooks .Values.operator.containerPorts.webhooks) }}
+ targetPort: {{ .Values.operator.containerPorts.webhooks }}
+ {{- end }}
+ protocol: TCP
+ {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http)) }}
+ nodePort: {{ .Values.service.nodePorts.webhooks }}
+ {{- else if eq .Values.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.operator.podLabels .Values.commonLabels) "context" .) | fromYaml }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
diff --git a/charts/operator/templates/servicemonitor.yaml b/charts/operator/templates/servicemonitor.yaml
new file mode 100644
index 0000000..f7e2d3e
--- /dev/null
+++ b/charts/operator/templates/servicemonitor.yaml
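Review bot: The nodePort guard tests `.Values.service.nodePorts.http` but renders `.Values.service.nodePorts.webhooks`, and values.yaml defines only `webhooks`, so the condition is never true and a configured node port is silently dropped; the test should read `(not (empty .Values.service.nodePorts.webhooks))`. `loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}` prints the Go slice as `[a b]` rather than a YAML list, so as far as I can tell a list of more than one CIDR is rejected by the API server instead of narrowing exposure; render it as `loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}`. This Service fronts the admission webhook, and values.yaml defaults `service.type` to `LoadBalancer` with empty source ranges, so a default install publishes port 9443 outside the cluster; the API server reaches webhooks through the in-cluster Service, so `ClusterIP` is the safer default and worth a comment above `type:` explaining when anything else is needed.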
@@ -0,0 +1,44 @@
+
+
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" (dict "values" (list .Values.metrics.serviceMonitor.labels .Values.commonLabels) "context" .) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- if or .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
+ {{- if .Values.metrics.serviceMonitor.selector }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
+ {{- end }}
+ endpoints:
+ - port: tcp-metrics
+ path: "/metrics"
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.honorLabels }}
+ honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ include "common.names.namespace" . | quote }}
+{{- end }}
diff --git a/charts/operator/templates/webhook-cert.yaml b/charts/operator/templates/webhook-cert.yaml
new file mode 100644
index 0000000..c8c89e9
--- /dev/null
+++ b/charts/operator/templates/webhook-cert.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.operator.admissionWebhook.autoSelfSignedCertificate -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "common.names.fullname" . }}-cert
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: operator
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data: {{- include "operator.webhook.certificate.self-signed.generated-cert" . | nindent 2 -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/operator/values.yaml b/charts/operator/values.yaml
new file mode 100644
index 0000000..895db99
--- /dev/null
+++ b/charts/operator/values.yaml
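Review bot: The endpoint scrapes `port: tcp-metrics`, but service.yaml declares only a port named `webhooks` (plus whatever `service.extraPorts` adds) and the visible part of deployment.yaml exposes only the webhooks container port, so with `metrics.enabled: true` the ServiceMonitor selects the Service, finds no endpoint of that name, and scrapes nothing. Either add a metrics port to the Service and the Deployment gated on `metrics.enabled`, or state in values.yaml under `metrics.serviceMonitor` that a port named `tcp-metrics` must be supplied through `service.extraPorts` and `operator.extraContainerPorts`.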
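Review bot: The Secret carrying the webhook's serving key and certificate is declared `type: Opaque`; if the helper emits `tls.crt`/`tls.key`, which is what a webhook server reading `/tmp/k8s-webhook-server/serving-certs` (the mount path in deployment.yaml) expects, `type: kubernetes.io/tls` is the accurate type and lets the API server validate that both keys are present. `operator.webhook.certificate.self-signed.generated-cert` is not in this chunk; unless it reuses an existing Secret via `lookup`, every `helm upgrade` regenerates the key pair, and the CA bundle in the webhook configuration must come from the same render or the API server rejects admission calls — a comment at the top of this file stating which of the two behaviours applies would help operators plan rotation. The file also lacks a trailing newline.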
@@ -0,0 +1,565 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: "" + ## e.g: + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.name +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +# TODO(dror): Set namespace inside the chart +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param clusterDomain Kubernetes cluster domain name +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] +## Diagnostic mode +## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) +## @param diagnosticMode.command Command to override all containers in the chart release +## @param diagnosticMode.args Args to override all containers in the chart release +## +diagnosticMode: + enabled: false + command: + - sleep + args: + - infinity + +## @section operator Parameters +## +operator: + ## operator image + ## @param operator.image.registry [default: ghcr.io] operator image registry + ## @param operator.image.repository [default: techvelocity/operator] operator image repository + ## @skip operator.image.tag operator image tag [default: .Chart.AppVersion] (immutable tags are recommended) + ## @param operator.image.digest operator image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) + ## @param operator.image.pullPolicy operator image pull policy + ## @param operator.image.pullSecrets operator image pull secrets + ## @param operator.image.debug Enable operator image debug mode + ## + image: + registry: "" + repository: "" + tag: "" + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + debug: false + ## @param operator.replicaCount Number of operator replicas to deploy + ## + replicaCount: 1 + ## @param operator.leaderElection Settings for leader election + leaderElection: + enabled: true + ## @param operator.admissionWebhook Configuration for the webhook handler + admissionWebhook: + ## @param operator.admissionWebhook.autoSelfSignedCertificate Will generate a self-signed certificate using helm + autoSelfSignedCertificate: true + ## @param operator.admissionWebhook.existingCertificateSecretName Use your own certificate for webhooks + existingCertificateSecretName: "" + ## @param operator.admissionWebhook.existingCABundle Use your own base64 CA Bundle + existingCABundle: "" + + ## @param operator.containerPorts.http operator HTTP container port + ## @param operator.containerPorts.https operator HTTPS container port + ## + containerPorts: + webhooks: 9443 + ## @param operator.extraContainerPorts Optionally specify extra list of additional ports for operator containers + ## e.g: + ## extraContainerPorts: + ## - name: myservice + ## containerPort: 9090 + ## + extraContainerPorts: [] 
+ ## Configure extra options for operator containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param operator.livenessProbe.enabled Enable livenessProbe on operator containers + ## @param operator.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param operator.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param operator.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param operator.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param operator.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 1 + failureThreshold: 10 + successThreshold: 1 + ## @param operator.readinessProbe.enabled Enable readinessProbe on operator containers + ## @param operator.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param operator.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param operator.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param operator.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param operator.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 1 + failureThreshold: 1 + successThreshold: 1 + ## @param operator.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param operator.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param operator.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## operator resource requests and limits + ## ref: 
http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param operator.resourcesPreset Set operator container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param operator.resources Set operator container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param operator.podSecurityContext.enabled Enable operator pods' Security Context + ## @param operator.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy for operator pods + ## @param operator.podSecurityContext.sysctls Set kernel settings using the sysctl interface for operator pods + ## @param operator.podSecurityContext.supplementalGroups Set filesystem extra groups for operator pods + ## @param operator.podSecurityContext.fsGroup Set fsGroup in operator pods' Security Context + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param operator.containerSecurityContext.enabled Enabled operator container' Security Context + ## @param operator.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in operator container + ## @param 
operator.containerSecurityContext.runAsUser Set runAsUser in operator container' Security Context + ## @param operator.containerSecurityContext.runAsNonRoot Set runAsNonRoot in operator container' Security Context + ## @param operator.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in operator container' Security Context + ## @param operator.containerSecurityContext.privileged Set privileged in operator container' Security Context + ## @param operator.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in operator container' Security Context + ## @param operator.containerSecurityContext.capabilities.drop List of capabilities to be dropped in operator container + ## @param operator.containerSecurityContext.seccompProfile.type Set seccomp profile in operator container + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + + ## @param operator.existingConfigmap The name of an existing ConfigMap with your custom configuration for operator + ## + existingConfigmap: + ## @param operator.command Override default operator container command (useful when using custom images) + ## + command: [] + ## @param operator.args Override default operator container args (useful when using custom images) + ## + args: [] + ## @param operator.automountServiceAccountToken Mount Service Account token in operator pods + ## + automountServiceAccountToken: true + ## @param operator.hostAliases operator pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param operator.deploymentAnnotations Annotations for operator deployment + ## ref: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + deploymentAnnotations: {} + ## @param operator.statefulsetAnnotations Annotations for operator statefulset + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podLabels: {} + ## @param operator.podAnnotations Annotations for operator pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param operator.podAffinityPreset Pod affinity preset. Ignored if `operator.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param operator.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `operator.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node operator.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param operator.nodeAffinityPreset.type Node affinity preset type. Ignored if `operator.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param operator.nodeAffinityPreset.key Node label key to match. Ignored if `operator.affinity` is set + ## + key: "" + ## @param operator.nodeAffinityPreset.values Node label values to match. Ignored if `operator.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param operator.affinity Affinity for operator pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `operator.podAffinityPreset`, `operator.podAntiAffinityPreset`, and `operator.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param operator.nodeSelector Node labels for operator pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param operator.tolerations Tolerations for operator pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param operator.updateStrategy.type operator deployment strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + ## Can be set to RollingUpdate or Recreate + type: RollingUpdate + + ## @param operator.priorityClassName operator pods' priorityClassName + ## + priorityClassName: "" + ## @param operator.topologySpreadConstraints Topology Spread Constraints for operator pod assignment spread across your cluster among failure-domains + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param operator.schedulerName Name of the k8s scheduler (other than default) for operator pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param operator.terminationGracePeriodSeconds Seconds operator pods need to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: 5 + ## @param operator.lifecycleHooks for operator containers to automate configuration before or after startup + ## + lifecycleHooks: {} + 
## @param operator.extraEnvVars Array with extra environment variables to add to operator containers + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param operator.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for operator containers + ## + extraEnvVarsCM: "" + ## @param operator.extraEnvVarsSecret Name of existing Secret containing extra env vars for operator containers + ## + extraEnvVarsSecret: "" + ## @param operator.extraVolumes Optionally specify extra list of additional volumes for the operator pods + ## + extraVolumes: [] + ## @param operator.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the operator containers + ## + extraVolumeMounts: [] + ## @param operator.sidecars Add additional sidecar containers to the operator pods + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param operator.initContainers Add additional init containers to the operator pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] +## @section Traffic Exposure Parameters +## + +## operator service parameters +## +service: + ## @param service.type operator service type + ## + type: LoadBalancer + ## @param service.ports.http operator service HTTP port + ## @param service.ports.https operator service HTTPS port + ## + ports: + webhooks: 9443 + ## Node ports to expose + ## @param service.nodePorts.http Node port for HTTP + ## @param service.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + webhooks: "" + ## @param service.clusterIP operator service Cluster IP + ## e.g.: + ## clusterIP: None 
+ ## + clusterIP: "" + ## @param service.loadBalancerIP operator service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges operator service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy operator service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.annotations Additional custom annotations for operator service + ## + annotations: {} + ## @param service.extraPorts Extra ports to expose in operator service (normally used with the `sidecars` value) + ## + extraPorts: [] + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. 
When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. 
+ ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +## @section Other Parameters +## + +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + +## ServiceAccount configuration +## +serviceAccount: + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template) + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account + ## + automountServiceAccountToken: true + +## Prometheus metrics +## +metrics: + ## @param metrics.enabled Enable the export of Prometheus metrics + ## + enabled: false + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running + ## + namespace: "" + ## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor + ## + annotations: {} + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## + labels: {} + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus + ## + jobLabel: "" + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with 
target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.relabelings Specify general relabeling + ## + relabelings: [] + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## selector: + ## prometheus: my-prometheus + ## + selector: {}
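Review bot: The `networkPolicy` block defaults to `enabled: true`, but I don't see a NetworkPolicy template in this change, so these values promise isolation that is never rendered; either add the template or drop the section until it exists, since a reader of values.yaml will assume the policy is in place. Several `@param` lines document keys that don't exist: `operator.containerPorts.http`/`https`, `service.ports.http`/`https` and `service.nodePorts.http`/`https` (the real key is `webhooks` in each case), and `operator.statefulsetAnnotations` sits above `podLabels`; if this file feeds the README generator those mismatches become wrong documentation. `existingConfigmap:` is a bare null where the sibling keys use `""`, and `@param operator.customStartupProbe` is declared although the visible part of deployment.yaml renders only liveness and readiness probes, so either wire it or remove the key.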