From 1315c54d6e3b63feb1176286104b8b6b701af551 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sun, 11 Feb 2024 19:58:59 -0800 Subject: [PATCH] Add kube-bind charts 
Signed-off-by: Tamal Saha --- Makefile | 13 - .../v1alpha1/ace_catalog_manager_types.go | 88 ++ .../v1alpha1/ace_service_backend_types.go | 105 +++ .../v1alpha1/ace_service_provider_types.go | 119 +++ apis/installer/v1alpha1/register.go | 6 + .../v1alpha1/zz_generated.deepcopy.go | 451 ++++++++++ charts/catalog-manager/.helmignore | 23 + charts/catalog-manager/Chart.yaml | 13 + charts/catalog-manager/README.md | 88 ++ charts/catalog-manager/doc.yaml | 18 + charts/catalog-manager/templates/NOTES.txt | 3 + charts/catalog-manager/templates/_helpers.tpl | 107 +++ .../templates/cluster-role-binding.yaml | 14 + .../templates/cluster-role.yaml | 69 ++ .../catalog-manager/templates/deployment.yaml | 66 ++ charts/catalog-manager/templates/service.yaml | 22 + .../templates/serviceaccount.yaml | 13 + .../templates/servicemonitor.yaml | 30 + .../values.openapiv3_schema.yaml | 673 ++++++++++++++ charts/catalog-manager/values.yaml | 81 ++ charts/service-backend/.helmignore | 23 + charts/service-backend/Chart.yaml | 13 + charts/service-backend/README.md | 93 ++ charts/service-backend/doc.yaml | 18 + charts/service-backend/templates/NOTES.txt | 3 + charts/service-backend/templates/_helpers.tpl | 107 +++ .../templates/cluster-role-binding.yaml | 14 + .../templates/cluster-role.yaml | 19 + .../service-backend/templates/deployment.yaml | 64 ++ charts/service-backend/templates/service.yaml | 25 + .../templates/serviceaccount.yaml | 13 + .../templates/servicemonitor.yaml | 30 + .../values.openapiv3_schema.yaml | 695 ++++++++++++++ charts/service-backend/values.yaml | 95 ++ charts/service-provider/.helmignore | 23 + charts/service-provider/Chart.yaml | 12 + charts/service-provider/OWNERS | 5 + charts/service-provider/README.md | 111 +++ charts/service-provider/ci/ci-values.yaml | 9 + .../crds/kubeware.dev_apiservicebindings.yaml | 172 ++++ ...kubeware.dev_apiserviceexportrequests.yaml | 160 ++++ .../crds/kubeware.dev_apiserviceexports.yaml | 416 +++++++++ 
.../kubeware.dev_apiservicenamespaces.yaml | 61 ++ .../crds/kubeware.dev_clusterbindings.yaml | 164 ++++ charts/service-provider/doc.yaml | 18 + charts/service-provider/templates/NOTES.txt | 3 + .../service-provider/templates/_helpers.tpl | 98 ++ .../templates/provider/deployment.yaml | 81 ++ .../templates/rbac/auth_proxy.yaml | 35 + .../templates/rbac/cluster_role.yaml | 76 ++ .../templates/rbac/cluster_role_binding.yaml | 14 + .../templates/rbac/serviceaccount.yaml | 13 + .../templates/rbac/user_roles.yaml | 32 + .../templates/webhook-server/cert.yaml | 31 + .../templates/webhook-server/deployment.yaml | 124 +++ .../webhook-server/monitoring/service.yaml | 27 + .../monitoring/servicemonitor.yaml | 37 + .../webhook-server/mutating_webhook.yaml | 30 + .../webhook-server/validating_webhook.yaml | 30 + .../webhook-server/webhook_service.yaml | 17 + .../values.openapiv3_schema.yaml | 846 ++++++++++++++++++ charts/service-provider/values.yaml | 152 ++++ hack/license/dockerfile.txt | 13 - hack/license/makefile.txt | 13 - hack/scripts/ct.sh | 3 + 65 files changed, 6001 insertions(+), 39 deletions(-) create mode 100644 apis/installer/v1alpha1/ace_catalog_manager_types.go create mode 100644 apis/installer/v1alpha1/ace_service_backend_types.go create mode 100644 apis/installer/v1alpha1/ace_service_provider_types.go create mode 100644 charts/catalog-manager/.helmignore create mode 100644 charts/catalog-manager/Chart.yaml create mode 100644 charts/catalog-manager/README.md create mode 100644 charts/catalog-manager/doc.yaml create mode 100644 charts/catalog-manager/templates/NOTES.txt create mode 100644 charts/catalog-manager/templates/_helpers.tpl create mode 100644 charts/catalog-manager/templates/cluster-role-binding.yaml create mode 100644 charts/catalog-manager/templates/cluster-role.yaml create mode 100644 charts/catalog-manager/templates/deployment.yaml create mode 100644 charts/catalog-manager/templates/service.yaml create mode 100644 
charts/catalog-manager/templates/serviceaccount.yaml create mode 100644 charts/catalog-manager/templates/servicemonitor.yaml create mode 100644 charts/catalog-manager/values.openapiv3_schema.yaml create mode 100644 charts/catalog-manager/values.yaml create mode 100644 charts/service-backend/.helmignore create mode 100644 charts/service-backend/Chart.yaml create mode 100644 charts/service-backend/README.md create mode 100644 charts/service-backend/doc.yaml create mode 100644 charts/service-backend/templates/NOTES.txt create mode 100644 charts/service-backend/templates/_helpers.tpl create mode 100644 charts/service-backend/templates/cluster-role-binding.yaml create mode 100644 charts/service-backend/templates/cluster-role.yaml create mode 100644 charts/service-backend/templates/deployment.yaml create mode 100644 charts/service-backend/templates/service.yaml create mode 100644 charts/service-backend/templates/serviceaccount.yaml create mode 100644 charts/service-backend/templates/servicemonitor.yaml create mode 100644 charts/service-backend/values.openapiv3_schema.yaml create mode 100644 charts/service-backend/values.yaml create mode 100644 charts/service-provider/.helmignore create mode 100755 charts/service-provider/Chart.yaml create mode 100644 charts/service-provider/OWNERS create mode 100644 charts/service-provider/README.md create mode 100644 charts/service-provider/ci/ci-values.yaml create mode 100644 charts/service-provider/crds/kubeware.dev_apiservicebindings.yaml create mode 100644 charts/service-provider/crds/kubeware.dev_apiserviceexportrequests.yaml create mode 100644 charts/service-provider/crds/kubeware.dev_apiserviceexports.yaml create mode 100644 charts/service-provider/crds/kubeware.dev_apiservicenamespaces.yaml create mode 100644 charts/service-provider/crds/kubeware.dev_clusterbindings.yaml create mode 100644 charts/service-provider/doc.yaml create mode 100644 charts/service-provider/templates/NOTES.txt create mode 100644 
charts/service-provider/templates/_helpers.tpl create mode 100644 charts/service-provider/templates/provider/deployment.yaml create mode 100644 charts/service-provider/templates/rbac/auth_proxy.yaml create mode 100644 charts/service-provider/templates/rbac/cluster_role.yaml create mode 100644 charts/service-provider/templates/rbac/cluster_role_binding.yaml create mode 100644 charts/service-provider/templates/rbac/serviceaccount.yaml create mode 100644 charts/service-provider/templates/rbac/user_roles.yaml create mode 100644 charts/service-provider/templates/webhook-server/cert.yaml create mode 100644 charts/service-provider/templates/webhook-server/deployment.yaml create mode 100644 charts/service-provider/templates/webhook-server/monitoring/service.yaml create mode 100644 charts/service-provider/templates/webhook-server/monitoring/servicemonitor.yaml create mode 100644 charts/service-provider/templates/webhook-server/mutating_webhook.yaml create mode 100644 charts/service-provider/templates/webhook-server/validating_webhook.yaml create mode 100644 charts/service-provider/templates/webhook-server/webhook_service.yaml create mode 100644 charts/service-provider/values.openapiv3_schema.yaml create mode 100644 charts/service-provider/values.yaml diff --git a/Makefile b/Makefile index 9f5ace317..364bc6ebb 100644 --- a/Makefile +++ b/Makefile 
@@ -1,16 +1,3 @@
-# Copyright AppsCode Inc. and Contributors
-#
-# Licensed under the AppsCode Community License 1.0.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
 SHELL=/bin/bash -o pipefail
diff --git a/apis/installer/v1alpha1/ace_catalog_manager_types.go b/apis/installer/v1alpha1/ace_catalog_manager_types.go
new file mode 100644
index 000000000..2e89c9da8
--- /dev/null
+++ b/apis/installer/v1alpha1/ace_catalog_manager_types.go
@@ -0,0 +1,88 @@ +/* +Copyright AppsCode Inc. and Contributors + +Licensed under the AppsCode Community License 1.0.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + core "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + ResourceKindCatalogManager = "CatalogManager" + ResourceCatalogManager = "catalogmanager" + ResourceCatalogManagers = "catalogmanagers" +) + +// CatalogManager defines the schama for CatalogManager operator installer. + +// +genclient +// +genclient:skipVerbs=updateStatus +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=catalogmanagers,singular=catalogmanager,categories={kubeops,appscode} +type CatalogManager struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec CatalogManagerSpec `json:"spec,omitempty"` +} + +// CatalogManagerSpec is the schema for Identity Server values file +type CatalogManagerSpec struct { + //+optional + NameOverride string `json:"nameOverride"` + //+optional + FullnameOverride string `json:"fullnameOverride"` + ReplicaCount int `json:"replicaCount"` + RegistryFQDN string `json:"registryFQDN"` + Image Container `json:"image"` + //+optional + ImagePullSecrets []string `json:"imagePullSecrets"` + ImagePullPolicy string `json:"imagePullPolicy"` + ServiceAccount ServiceAccountSpec `json:"serviceAccount"` + //+optional + 
PodAnnotations map[string]string `json:"podAnnotations"` + // PodSecurityContext holds pod-level security attributes and common container settings. + // Optional: Defaults to empty. See type description for default values of each field. + // +optional + PodSecurityContext *core.PodSecurityContext `json:"podSecurityContext"` + //+optional + NodeSelector map[string]string `json:"nodeSelector"` + // If specified, the pod's tolerations. + // +optional + Tolerations []core.Toleration `json:"tolerations"` + // If specified, the pod's scheduling constraints + // +optional + Affinity *core.Affinity `json:"affinity"` + Monitoring Monitoring `json:"monitoring"` + + // +optional + VaultServer ObjectReference `json:"vaultServer"` + // +optional + SecretReaderServiceAccount ObjectReference `json:"secretReaderServiceAccount"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CatalogManagerList is a list of CatalogManagers +type CatalogManagerList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + // Items is a list of CatalogManager CRD objects + Items []CatalogManager `json:"items,omitempty"` +} diff --git a/apis/installer/v1alpha1/ace_service_backend_types.go b/apis/installer/v1alpha1/ace_service_backend_types.go new file mode 100644 index 000000000..ed80972e6 --- /dev/null +++ b/apis/installer/v1alpha1/ace_service_backend_types.go 
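Review bot: The spec doc comment is copied from another installer type — `// CatalogManagerSpec is the schema for Identity Server values file` describes the Identity Server, not the catalog manager — and the type comment above it has the typo `schama`; change the former to `// CatalogManagerSpec is the schema for the catalog-manager chart values file.` The two `+optional` references at the bottom of the spec, `VaultServer` and `SecretReaderServiceAccount`, carry no doc comment at all, so the generated values schema and README this commit adds will say nothing about which object kind each should point to or what happens when it is left empty. A one-line comment on each is enough, e.g. `// VaultServer is the namespace/name of the VaultServer object the catalog manager uses; may be left empty.`, with the leave-empty behaviour confirmed against the chart templates, which are outside this hunk.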
@@ -0,0 +1,105 @@ +/* +Copyright AppsCode Inc. and Contributors + +Licensed under the AppsCode Community License 1.0.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + core "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + ResourceKindServiceBackend = "ServiceBackend" + ResourceServiceBackend = "servicebackend" + ResourceServiceBackends = "servicebackends" +) + +// ServiceBackend defines the schama for ServiceBackend operator installer. + +// +genclient +// +genclient:skipVerbs=updateStatus +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=servicebackends,singular=servicebackend,categories={kubeops,appscode} +type ServiceBackend struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec ServiceBackendSpec `json:"spec,omitempty"` +} + +// ServiceBackendSpec is the schema for Identity Server values file +type ServiceBackendSpec struct { + //+optional + NameOverride string `json:"nameOverride"` + //+optional + FullnameOverride string `json:"fullnameOverride"` + ReplicaCount int `json:"replicaCount"` + RegistryFQDN string `json:"registryFQDN"` + Image Container `json:"image"` + //+optional + ImagePullSecrets []string `json:"imagePullSecrets"` + ImagePullPolicy string `json:"imagePullPolicy"` + ServiceAccount ServiceAccountSpec `json:"serviceAccount"` + //+optional + 
PodAnnotations map[string]string `json:"podAnnotations"` + // PodSecurityContext holds pod-level security attributes and common container settings. + // Optional: Defaults to empty. See type description for default values of each field. + // +optional + PodSecurityContext *core.PodSecurityContext `json:"podSecurityContext"` + //+optional + NodeSelector map[string]string `json:"nodeSelector"` + // If specified, the pod's tolerations. + // +optional + Tolerations []core.Toleration `json:"tolerations"` + // If specified, the pod's scheduling constraints + // +optional + Affinity *core.Affinity `json:"affinity"` + Monitoring Monitoring `json:"monitoring"` + Server ServerConfig `json:"server"` +} + +type ServerConfig struct { + OIDC OIDC `json:"oidc"` + NamespacePrefix string `json:"namespacePrefix"` + ProviderPrettyName string `json:"providerPrettyName"` + ConsumerScope string `json:"consumerScope"` + // External External `json:"external"` + Cookie Cookie `json:"cookie"` +} + +type OIDC struct { + ClientID string `json:"clientID"` + ClientSecret string `json:"clientSecret"` + IssuerURL string `json:"issuerURL"` + CallbackURL string `json:"callbackURL"` +} + +type Cookie struct { + SigningKey string `json:"signingKey"` + EncryptionKey string `json:"encryptionKey"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ServiceBackendList is a list of ServiceBackends +type ServiceBackendList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + // Items is a list of ServiceBackend CRD objects + Items []ServiceBackend `json:"items,omitempty"` +} diff --git a/apis/installer/v1alpha1/ace_service_provider_types.go b/apis/installer/v1alpha1/ace_service_provider_types.go new file mode 100644 index 000000000..3784d0ee9 --- /dev/null +++ b/apis/installer/v1alpha1/ace_service_provider_types.go 
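Review bot: `OIDC.ClientSecret`, `Cookie.SigningKey` and `Cookie.EncryptionKey` are declared as plain `string` fields of the installer spec, so the OIDC client secret and both cookie keys are expected inline in the chart values and will be persisted wherever those values go (the Helm release record, GitOps repositories, the rendered schema defaults), and nothing in the type marks them as sensitive. At minimum document it — `// ClientSecret is the OIDC client secret; it is stored verbatim in the release values, so supply it from an external/sealed source rather than committing it.` — and consider a follow-up that lets each be sourced from an existing Secret by name, the way `ImagePullSecrets` already references registry credentials. The spec comment `// ServiceBackendSpec is the schema for Identity Server values file` is copied from another type and should name this chart, and `ServerConfig` still carries the commented-out `// External External` field, which should be removed or explained. Whether the cookie keys must have a specific byte length is not visible here; if the backend enforces one, state it in the field comments.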
@@ -0,0 +1,119 @@ +/* +Copyright AppsCode Inc. and Contributors + +Licensed under the AppsCode Community License 1.0.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + core "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + ResourceKindServiceProvider = "ServiceProvider" + ResourceServiceProvider = "serviceprovider" + ResourceServiceProviders = "serviceproviders" +) + +// ServiceProvider defines the schama for ServiceProvider operator installer. + +// +genclient +// +genclient:skipVerbs=updateStatus +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// +kubebuilder:object:root=true +type ServiceProvider struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec ServiceProviderSpec `json:"spec,omitempty"` +} + +// ServiceProviderSpec is the schema for Operator Operator values file +type ServiceProviderSpec struct { + //+optional + NameOverride string `json:"nameOverride"` + //+optional + FullnameOverride string `json:"fullnameOverride"` + RegistryFQDN string `json:"registryFQDN"` + ReplicaCount int32 `json:"replicaCount"` + Operator Container `json:"operator"` + RbacProxy Container `json:"rbacproxy"` + ImagePullPolicy string `json:"imagePullPolicy"` + //+optional + ImagePullSecrets []string `json:"imagePullSecrets"` + //+optional + CriticalAddon bool `json:"criticalAddon"` + //+optional + LogLevel int32 `json:"logLevel"` + //+optional + 
Annotations map[string]string `json:"annotations"` + //+optional + PodAnnotations map[string]string `json:"podAnnotations"` + //+optional + PodLabels map[string]string `json:"podLabels"` + //+optional + NodeSelector map[string]string `json:"nodeSelector"` + // If specified, the pod's tolerations. + // +optional + Tolerations []core.Toleration `json:"tolerations"` + // If specified, the pod's scheduling constraints + // +optional + Affinity *core.Affinity `json:"affinity"` + // PodSecurityContext holds pod-level security attributes and common container settings. + // Optional: Defaults to empty. See type description for default values of each field. + // +optional + PodSecurityContext *core.PodSecurityContext `json:"podSecurityContext"` + ServiceAccount ServiceAccountSpec `json:"serviceAccount"` + // +optional + Apiserver ServiceProviderApiserver `json:"apiserver"` + Monitoring Monitoring `json:"monitoring"` + Provider ProviderConfig `json:"provider"` +} + +type ProviderConfig struct { + NamespacePrefix string `json:"namespacePrefix"` + ProviderPrettyName string `json:"providerPrettyName"` + ConsumerScope string `json:"consumerScope"` + External External `json:"external"` +} + +type External struct { + Address string `json:"address"` + ServerName string `json:"serverName"` + CAFile string `json:"CAFile"` +} + +type ServiceProviderApiserver struct { + GroupPriorityMinimum int `json:"groupPriorityMinimum"` + VersionPriority int `json:"versionPriority"` + EnableMutatingWebhook bool `json:"enableMutatingWebhook"` + EnableValidatingWebhook bool `json:"enableValidatingWebhook"` + Ca string `json:"ca"` + BypassValidatingWebhookXray bool `json:"bypassValidatingWebhookXray"` + UseKubeapiserverFqdnForAks bool `json:"useKubeapiserverFqdnForAks"` + Healthcheck HealthcheckSpec `json:"healthcheck"` + ServingCerts ServingCerts `json:"servingCerts"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ServiceProviderList is a list of ServiceProviders 
+type ServiceProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + // Items is a list of ServiceProvider CRD objects + Items []ServiceProvider `json:"items,omitempty"` +} diff --git a/apis/installer/v1alpha1/register.go b/apis/installer/v1alpha1/register.go index ba5602cf4..86bbc74f0 100644 --- a/apis/installer/v1alpha1/register.go +++ b/apis/installer/v1alpha1/register.go @@ -68,6 +68,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &BillingUiList{}, &CapiClusterPresets{}, &CapiClusterPresetsList{}, + &CatalogManager{}, + &CatalogManagerList{}, &CertManagerWebhookAce{}, &CertManagerWebhookAceList{}, &ClusterImporter{}, @@ -108,6 +110,10 @@ func addKnownTypes(scheme *runtime.Scheme) error { &NatsList{}, &Reloader{}, &ReloaderList{}, + &ServiceProvider{}, + &ServiceProviderList{}, + &ServiceBackend{}, + &ServiceBackendList{}, ) scheme.AddKnownTypes(SchemeGroupVersion, diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go index bb8a20d79..8e17b6d67 100644 --- a/apis/installer/v1alpha1/zz_generated.deepcopy.go +++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go 
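Review bot: `ServiceProvider` lacks the `// +kubebuilder:resource:path=serviceproviders,singular=serviceprovider,categories={kubeops,appscode}` marker that both sibling types in this commit (`CatalogManager`, `ServiceBackend`) carry, so unless controller-gen's defaults are being relied on deliberately this CRD will not appear under the `kubeops`/`appscode` categories like the others. `External.CAFile` is tagged `json:"CAFile"` while every other tag in these files uses lower camelCase (`callbackURL`, `issuerURL`, `consumerScope`); if the chart's values.yaml, which is outside this hunk, already uses `CAFile`, keep it and note the exception, otherwise make it `json:"caFile"`. The spec doc comment reads `// ServiceProviderSpec is the schema for Operator Operator values file` (duplicated word), and `ProviderConfig`/`External` have no comments at all — `Address`, `ServerName` and `CAFile` look like the parameters of a TLS connection to an external endpoint, which should be stated explicitly once confirmed against the provider deployment template.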
@@ -1901,6 +1901,120 @@ func (in *CapiPresetsSpec) DeepCopy() *CapiPresetsSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CatalogManager) DeepCopyInto(out *CatalogManager) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogManager. +func (in *CatalogManager) DeepCopy() *CatalogManager { + if in == nil { + return nil + } + out := new(CatalogManager) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CatalogManager) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CatalogManagerList) DeepCopyInto(out *CatalogManagerList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]CatalogManager, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogManagerList. +func (in *CatalogManagerList) DeepCopy() *CatalogManagerList { + if in == nil { + return nil + } + out := new(CatalogManagerList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CatalogManagerList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *CatalogManagerSpec) DeepCopyInto(out *CatalogManagerSpec) { + *out = *in + in.Image.DeepCopyInto(&out.Image) + if in.ImagePullSecrets != nil { + in, out := &in.ImagePullSecrets, &out.ImagePullSecrets + *out = make([]string, len(*in)) + copy(*out, *in) + } + in.ServiceAccount.DeepCopyInto(&out.ServiceAccount) + if in.PodAnnotations != nil { + in, out := &in.PodAnnotations, &out.PodAnnotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.PodSecurityContext != nil { + in, out := &in.PodSecurityContext, &out.PodSecurityContext + *out = new(v1.PodSecurityContext) + (*in).DeepCopyInto(*out) + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(v1.Affinity) + (*in).DeepCopyInto(*out) + } + in.Monitoring.DeepCopyInto(&out.Monitoring) + out.VaultServer = in.VaultServer + out.SecretReaderServiceAccount = in.SecretReaderServiceAccount +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogManagerSpec. +func (in *CatalogManagerSpec) DeepCopy() *CatalogManagerSpec { + if in == nil { + return nil + } + out := new(CatalogManagerSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertManager) DeepCopyInto(out *CertManager) { *out = *in 
@@ -2390,6 +2504,21 @@ func (in *ContractStorage) DeepCopy() *ContractStorage { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Cookie) DeepCopyInto(out *Cookie) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cookie. +func (in *Cookie) DeepCopy() *Cookie { + if in == nil { + return nil + } + out := new(Cookie) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomMonitoring) DeepCopyInto(out *CustomMonitoring) { *out = *in @@ -2746,6 +2875,21 @@ func (in *EnvVar) DeepCopy() *EnvVar { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *External) DeepCopyInto(out *External) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new External. +func (in *External) DeepCopy() *External { + if in == nil { + return nil + } + out := new(External) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FirebaseSettings) DeepCopyInto(out *FirebaseSettings) { *out = *in 
@@ -5503,6 +5647,21 @@ func (in *NatsboxSpec) DeepCopy() *NatsboxSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDC) DeepCopyInto(out *OIDC) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDC. +func (in *OIDC) DeepCopy() *OIDC { + if in == nil { + return nil + } + out := new(OIDC) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ObjectReference) DeepCopyInto(out *ObjectReference) { *out = *in @@ -6175,6 +6334,22 @@ func (in *PromotionValues) DeepCopy() *PromotionValues { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderConfig) DeepCopyInto(out *ProviderConfig) { + *out = *in + out.External = in.External +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfig. +func (in *ProviderConfig) DeepCopy() *ProviderConfig { + if in == nil { + return nil + } + out := new(ProviderConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProviderMount) DeepCopyInto(out *ProviderMount) { *out = *in 
@@ -6916,6 +7091,23 @@ func (in *SecuritySettings) DeepCopy() *SecuritySettings { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerConfig) DeepCopyInto(out *ServerConfig) { + *out = *in + out.OIDC = in.OIDC + out.Cookie = in.Cookie +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerConfig. +func (in *ServerConfig) DeepCopy() *ServerConfig { + if in == nil { + return nil + } + out := new(ServerConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceAccountSpec) DeepCopyInto(out *ServiceAccountSpec) { *out = *in 
@@ -6943,6 +7135,119 @@ func (in *ServiceAccountSpec) DeepCopy() *ServiceAccountSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceBackend) DeepCopyInto(out *ServiceBackend) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceBackend. +func (in *ServiceBackend) DeepCopy() *ServiceBackend { + if in == nil { + return nil + } + out := new(ServiceBackend) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServiceBackend) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceBackendList) DeepCopyInto(out *ServiceBackendList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ServiceBackend, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceBackendList. +func (in *ServiceBackendList) DeepCopy() *ServiceBackendList { + if in == nil { + return nil + } + out := new(ServiceBackendList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServiceBackendList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ServiceBackendSpec) DeepCopyInto(out *ServiceBackendSpec) { + *out = *in + in.Image.DeepCopyInto(&out.Image) + if in.ImagePullSecrets != nil { + in, out := &in.ImagePullSecrets, &out.ImagePullSecrets + *out = make([]string, len(*in)) + copy(*out, *in) + } + in.ServiceAccount.DeepCopyInto(&out.ServiceAccount) + if in.PodAnnotations != nil { + in, out := &in.PodAnnotations, &out.PodAnnotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.PodSecurityContext != nil { + in, out := &in.PodSecurityContext, &out.PodSecurityContext + *out = new(v1.PodSecurityContext) + (*in).DeepCopyInto(*out) + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(v1.Affinity) + (*in).DeepCopyInto(*out) + } + in.Monitoring.DeepCopyInto(&out.Monitoring) + out.Server = in.Server +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceBackendSpec. +func (in *ServiceBackendSpec) DeepCopy() *ServiceBackendSpec { + if in == nil { + return nil + } + out := new(ServiceBackendSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceMonitorLabels) DeepCopyInto(out *ServiceMonitorLabels) { *out = *in 
@@ -6965,6 +7270,152 @@ func (in *ServiceMonitorLabels) DeepCopy() *ServiceMonitorLabels { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceProvider) DeepCopyInto(out *ServiceProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceProvider. +func (in *ServiceProvider) DeepCopy() *ServiceProvider { + if in == nil { + return nil + } + out := new(ServiceProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServiceProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceProviderApiserver) DeepCopyInto(out *ServiceProviderApiserver) { + *out = *in + out.Healthcheck = in.Healthcheck + out.ServingCerts = in.ServingCerts +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceProviderApiserver. +func (in *ServiceProviderApiserver) DeepCopy() *ServiceProviderApiserver { + if in == nil { + return nil + } + out := new(ServiceProviderApiserver) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ServiceProviderList) DeepCopyInto(out *ServiceProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ServiceProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceProviderList. +func (in *ServiceProviderList) DeepCopy() *ServiceProviderList { + if in == nil { + return nil + } + out := new(ServiceProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServiceProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceProviderSpec) DeepCopyInto(out *ServiceProviderSpec) { + *out = *in + in.Operator.DeepCopyInto(&out.Operator) + in.RbacProxy.DeepCopyInto(&out.RbacProxy) + if in.ImagePullSecrets != nil { + in, out := &in.ImagePullSecrets, &out.ImagePullSecrets + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Annotations != nil { + in, out := &in.Annotations, &out.Annotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.PodAnnotations != nil { + in, out := &in.PodAnnotations, &out.PodAnnotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.PodLabels != nil { + in, out := &in.PodLabels, &out.PodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = 
val + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(v1.Affinity) + (*in).DeepCopyInto(*out) + } + if in.PodSecurityContext != nil { + in, out := &in.PodSecurityContext, &out.PodSecurityContext + *out = new(v1.PodSecurityContext) + (*in).DeepCopyInto(*out) + } + in.ServiceAccount.DeepCopyInto(&out.ServiceAccount) + out.Apiserver = in.Apiserver + in.Monitoring.DeepCopyInto(&out.Monitoring) + out.Provider = in.Provider +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceProviderSpec. +func (in *ServiceProviderSpec) DeepCopy() *ServiceProviderSpec { + if in == nil { + return nil + } + out := new(ServiceProviderSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServingCerts) DeepCopyInto(out *ServingCerts) { *out = *in diff --git a/charts/catalog-manager/.helmignore b/charts/catalog-manager/.helmignore new file mode 100644 index 000000000..e03134ce3 --- /dev/null +++ b/charts/catalog-manager/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.terraform +*.tfstate* diff --git a/charts/catalog-manager/Chart.yaml b/charts/catalog-manager/Chart.yaml new file mode 100644 index 000000000..9b72a6c8f --- /dev/null +++ b/charts/catalog-manager/Chart.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v2 +name: catalog-manager +description: A Helm chart for Appcatalog Operator by AppsCode +type: application +version: v2024.2.11 +appVersion: v0.0.1 +home: https://github.com/kubeware/catalog-manager +icon: https://cdn.appscode.com/images/products/searchlight/icons/android-icon-192x192.png +sources: +- https://github.com/kubeware/catalog-manager +maintainers: +- name: appscode + email: support@appscode.com diff --git a/charts/catalog-manager/README.md b/charts/catalog-manager/README.md new file mode 100644 index 000000000..47f982945 --- /dev/null +++ b/charts/catalog-manager/README.md 
@@ -0,0 +1,88 @@ +# Appcatalog + +[Appcatalog by AppsCode](https://github.com/kubeware/catalog-manager) - Appcatalog for Kubernetes + +## TL;DR; + +```bash +$ helm repo add appscode https://charts.appscode.com/stable/ +$ helm repo update +$ helm search repo appscode/catalog-manager --version=v2024.2.11 +$ helm upgrade -i catalog-manager appscode/catalog-manager -n kubeops --create-namespace --version=v2024.2.11 +``` + +## Introduction + +This chart deploys an Appcatalog on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.21+ + +## Installing the Chart + +To install/upgrade the chart with the release name `catalog-manager`: + +```bash +$ helm upgrade -i catalog-manager appscode/catalog-manager -n kubeops --create-namespace --version=v2024.2.11 +``` + +The command deploys an Appcatalog on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall the `catalog-manager`: + +```bash +$ helm uninstall catalog-manager -n kubeops +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the `catalog-manager` chart and their default values. 
+ +| Parameter | Description | Default | +|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| nameOverride | Overrides name template | "" | +| fullnameOverride | Overrides fullname template | "" | +| replicaCount | | 1 | +| registryFQDN | Docker registry fqdn used to pull docker images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io | +| image.registry | Docker registry used to pull operator image | appscode | +| image.repository | Name of operator container image | catalog-manager | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "" | +| image.resources | Compute Resources required by the operator container | {} | +| image.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/stash \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | [] | +| imagePullPolicy | Container image pull policy | Always | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations | | {} | +| podSecurityContext | | {} | +| nodeSelector | | {} | +| tolerations | | [] | +| affinity | | {} | +| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" | +| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} | +| vaultServer.name | | "" | +| vaultServer.namespace | | "" | +| secretReaderServiceAccount.name | | "" | +| secretReaderServiceAccount.namespace | | "" | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: + +```bash +$ helm upgrade -i catalog-manager appscode/catalog-manager -n kubeops --create-namespace --version=v2024.2.11 --set replicaCount=1 +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while +installing the chart. For example: + +```bash +$ helm upgrade -i catalog-manager appscode/catalog-manager -n kubeops --create-namespace --version=v2024.2.11 --values values.yaml +``` diff --git a/charts/catalog-manager/doc.yaml b/charts/catalog-manager/doc.yaml new file mode 100644 index 000000000..5f5112d97 --- /dev/null +++ b/charts/catalog-manager/doc.yaml 
@@ -0,0 +1,18 @@ +project: + name: Appcatalog by AppsCode + shortName: Appcatalog + url: https://github.com/kubeware/catalog-manager + description: Appcatalog for Kubernetes + app: an Appcatalog +repository: + url: https://charts.appscode.com/stable/ + name: appscode +chart: + name: catalog-manager + values: -- generate from values file -- + valuesExample: -- generate from values file -- +prerequisites: +- Kubernetes 1.21+ +release: + name: catalog-manager + namespace: kubeops diff --git a/charts/catalog-manager/templates/NOTES.txt b/charts/catalog-manager/templates/NOTES.txt new file mode 100644 index 000000000..4c1cf76d7 --- /dev/null +++ b/charts/catalog-manager/templates/NOTES.txt @@ -0,0 +1,3 @@ +To verify that Supervisor has started, run: + + kubectl get deployment --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "catalog-manager.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/charts/catalog-manager/templates/_helpers.tpl b/charts/catalog-manager/templates/_helpers.tpl new file mode 100644 index 000000000..f07ac4fb4 --- /dev/null +++ b/charts/catalog-manager/templates/_helpers.tpl 
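Review bot: NOTES.txt tells the user `To verify that Supervisor has started, run:` — "Supervisor" is a leftover from another chart; this chart deploys catalog-manager, and the kubectl command on the next line already selects on `app.kubernetes.io/name={{ include "catalog-manager.name" . }}`. Change the line to `To verify that catalog-manager has started, run:`. Minor, but post-install notes are the first thing an operator reads.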
@@ -0,0 +1,107 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "catalog-manager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "catalog-manager.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "catalog-manager.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "catalog-manager.labels" -}} +helm.sh/chart: {{ include "catalog-manager.chart" . }} +{{ include "catalog-manager.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "catalog-manager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "catalog-manager.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "catalog-manager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "catalog-manager.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Returns the appscode license +*/}} +{{- define "appscode.license" -}} +{{- .Values.license }} +{{- end }} + +{{/* +Returns the registry used for operator docker image +*/}} +{{- define "image.registry" -}} +{{- list .Values.registryFQDN .Values.image.registry | compact | join "/" }} +{{- end }} + +{{- define "appscode.imagePullSecrets" -}} +{{- with .Values.imagePullSecrets -}} +imagePullSecrets: +{{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} + +{{/* +Returns the enabled monitoring agent name +*/}} +{{- define "monitoring.agent" -}} +{{- .Values.monitoring.agent }} +{{- end }} + +{{/* +Returns whether the ServiceMonitor will be labeled with custom label +*/}} +{{- define "monitoring.apply-servicemonitor-label" -}} +{{- ternary "false" "true" ( empty .Values.monitoring.serviceMonitor.labels ) -}} +{{- end }} + +{{/* +Returns the ServiceMonitor labels +*/}} +{{- define "monitoring.servicemonitor-label" -}} +{{- range $key, $val := .Values.monitoring.serviceMonitor.labels }} +{{ $key }}: {{ $val }} +{{- end }} +{{- end }} diff --git a/charts/catalog-manager/templates/cluster-role-binding.yaml b/charts/catalog-manager/templates/cluster-role-binding.yaml new file mode 100644 index 000000000..ba467be66 --- /dev/null +++ b/charts/catalog-manager/templates/cluster-role-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "catalog-manager.fullname" . }} + labels: + {{- include "catalog-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "catalog-manager.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "catalog-manager.fullname" . }} + namespace: {{ .Release.Namespace }} 
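Review bot: `appscode.imagePullSecrets` dumps `.Values.imagePullSecrets` with `toYaml` straight under `imagePullSecrets:`, yet the value is typed as a list of strings (the generated deepcopy copies it as `[]string` and the values schema declares `items: type: string`), so a conforming value such as `["sec0"]` renders `- sec0`, which the API server rejects because PodSpec.imagePullSecrets expects `{name: ...}` objects. The example in values.yaml and the README (`--set imagePullSecrets[0].name=sec0`, under a `charts/stash` path copied from another chart) produces the object form instead, which in turn contradicts the string schema. Either change the declared type to a list of objects or have the helper build them, replacing the `toYaml` line with `{{- range . }}` / `  - name: {{ . }}` / `{{- end }}`. Which form the upstream operator expects is not visible here, so pick the one that matches the values documentation and make the schema agree.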
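Review bot: The ClusterRoleBinding subject is `name: {{ include "catalog-manager.fullname" . }}`, but the Deployment runs the pod as `{{ include "catalog-manager.serviceAccountName" . }}`, so whenever `serviceAccount.name` is set or `serviceAccount.create` is false the cluster-wide permissions land on a ServiceAccount the operator does not use (and, if that name happens to exist, on an unrelated identity). Use the same helper in the subject: `name: {{ include "catalog-manager.serviceAccountName" . }}`. Note that with `create: false` and no name the helper resolves to `default`, which would hand this ClusterRole to the namespace's default ServiceAccount — worth a `required` guard or at least a NOTES warning rather than a silent fallback.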
diff --git a/charts/catalog-manager/templates/cluster-role.yaml b/charts/catalog-manager/templates/cluster-role.yaml new file mode 100644 index 000000000..e5b68a368 --- /dev/null +++ b/charts/catalog-manager/templates/cluster-role.yaml @@ -0,0 +1,69 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "catalog-manager.fullname" . }} + labels: + {{- include "catalog-manager.labels" . | nindent 4 }} +rules: +- apiGroups: + - catalog.kubeware.dev + resources: ["*"] + verbs: ["get", "list", "watch", "patch"] +- apiGroups: + - kubedb.com + resources: + - elasticsearches + - kafkas + - mariadbs + - memcacheds + - mongodbs + - mysqls + - perconaxtradbs + - pgbouncers + - postgreses + - proxysqls + - redises + verbs: ["get", "list", "watch"] +- apiGroups: + - kubevault.com + resources: + - vaultservers + verbs: ["get", "list", "watch"] +- apiGroups: + - engine.kubevault.com + resources: + - elasticsearchroles + - mariadbroles + - mongodbroles + - mysqlroles + - postgresroles + - redisroles + - secretaccessrequests + - secretengines + verbs: ["get", "list", "watch", "create", "patch", "delete"] +- apiGroups: + - engine.kubevault.com + resources: + - secretaccessrequests/status + verbs: ["get", "list", "patch"] +- apiGroups: [""] + resources: ["serviceaccounts", "secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: + - catalog.kubedb.com + resources: + - elasticsearchversions + verbs: ["get", "list", "watch"] +- apiGroups: ["gateway.networking.k8s.io"] + resources: + - gateways + - httproutes + - referencegrants + - tcproutes + verbs: ["get","list","watch","create","patch","delete"] +- apiGroups: ["gateway.voyagermesh.com"] + resources: + - mysqlroutes + - mongodbroutes + - redisroutes + verbs: ["get","list","watch","create","patch","delete"] diff --git a/charts/catalog-manager/templates/deployment.yaml b/charts/catalog-manager/templates/deployment.yaml new file mode 100644 index 000000000..ef1609318 --- /dev/null 
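Review bot: The rule `apiGroups: [""]` / `resources: ["serviceaccounts", "secrets"]` / `verbs: ["get", "list", "watch"]` grants cluster-wide read of every Secret to the operator's ServiceAccount, and `resources: ["*"]` on `catalog.kubeware.dev` grants every current and future resource in that group. The Deployment already takes `--secret-reader-service-account-name/-namespace` flags, which suggests secret access is meant to go through a dedicated identity; if so, `secrets` can be dropped from this ClusterRole (or granted through namespaced Roles where the operator actually needs them), and the wildcard replaced by the named resource types. Whether the operator truly needs all Secrets is not visible here, so this is a least-privilege question for the author, but cluster-wide secret read is the first thing an attacker in a compromised operator pod goes for.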
+++ b/charts/catalog-manager/templates/deployment.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "catalog-manager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "catalog-manager.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "catalog-manager.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "catalog-manager.selectorLabels" . | nindent 8 }} + spec: + {{- include "appscode.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "catalog-manager.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.image.securityContext | nindent 12 }} + image: {{ include "image.registry" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - run + - --vault-server-name={{ .Values.vaultServer.name }} + - --vault-server-namespace={{ .Values.vaultServer.namespace }} + - --secret-reader-service-account-name={{ .Values.secretReaderServiceAccount.name }} + - --secret-reader-service-account-namespace={{ .Values.secretReaderServiceAccount.namespace }} + ports: + - name: metrics + containerPort: 8080 + protocol: TCP + - name: http + containerPort: 8081 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: http + readinessProbe: + httpGet: + path: /readyz + port: http + resources: + {{- toYaml .Values.image.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
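Review bot: The `--vault-server-name`, `--vault-server-namespace`, `--secret-reader-service-account-name` and `--secret-reader-service-account-namespace` args are rendered unconditionally, and values.yaml defaults all four to `""`, so a default `helm install` passes empty flags to `run`; the values schema also leaves `vaultServer` and `secretReaderServiceAccount` out of its top-level `required` list, so nothing catches this at template time. If these are mandatory for the operator, fail early: `- --vault-server-name={{ required "vaultServer.name must be set" .Values.vaultServer.name }}` (and likewise for the other three); if an empty value means "disabled", wrap each flag in `{{- with .Values.vaultServer.name }}` so it is omitted instead of passed empty. Either way a comment in values.yaml stating which of the two holds would help, since the current `""` defaults say nothing.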
diff --git a/charts/catalog-manager/templates/service.yaml b/charts/catalog-manager/templates/service.yaml new file mode 100644 index 000000000..3bc0d3814 --- /dev/null +++ b/charts/catalog-manager/templates/service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "catalog-manager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "catalog-manager.labels" . | nindent 4 }} +{{- if eq "prometheus.io/builtin" ( include "monitoring.agent" . ) }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "8443" + prometheus.io/scheme: "https" +{{- end }} +spec: + ports: + # Port used to expose admission webhook apiserver + - name: api + port: 443 + targetPort: 8443 + selector: + {{- include "catalog-manager.selectorLabels" . | nindent 4 }} diff --git a/charts/catalog-manager/templates/serviceaccount.yaml b/charts/catalog-manager/templates/serviceaccount.yaml new file mode 100644 index 000000000..bf3cd5314 --- /dev/null +++ b/charts/catalog-manager/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "catalog-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "catalog-manager.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/catalog-manager/templates/servicemonitor.yaml b/charts/catalog-manager/templates/servicemonitor.yaml new file mode 100644 index 000000000..b319e3ff7 --- /dev/null +++ b/charts/catalog-manager/templates/servicemonitor.yaml 
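Review bot: The Service maps `port: 443` to `targetPort: 8443` (commented as the admission webhook apiserver) and the builtin-prometheus annotations point at `8443`/`https`, but the Deployment in this chart declares only `metrics` on 8080 and `http` on 8081, and no webhook configuration template appears in this chart, so unless the binary listens on 8443 without declaring it, this Service and the scrape annotations target a closed port. If the metrics endpoint is the one on 8080, expose it here — `- name: metrics`, `port: 8080`, `targetPort: metrics` — and set `prometheus.io/port: "8080"` with the scheme the binary actually serves. This reads like a copy of a webhook-serving chart's service.yaml; confirming which ports the catalog-manager image binds would settle it.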
@@ -0,0 +1,30 @@ +{{- if eq "prometheus.io/operator" ( include "monitoring.agent" . ) }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "catalog-manager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if eq "true" ( include "monitoring.apply-servicemonitor-label" . ) }} + {{- include "monitoring.servicemonitor-label" . | nindent 4 }} + {{- else }} + {{- include "catalog-manager.selectorLabels" . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "catalog-manager.selectorLabels" . | nindent 6 }} + endpoints: + - port: api + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + scheme: https + tlsConfig: + ca: + secret: + name: {{ include "catalog-manager.fullname" . }}-apiserver-cert + key: tls.crt + serverName: "{{ include "catalog-manager.fullname" . }}.{{ .Release.Namespace }}.svc" +{{- end }} diff --git a/charts/catalog-manager/values.openapiv3_schema.yaml b/charts/catalog-manager/values.openapiv3_schema.yaml new file mode 100644 index 000000000..9a10ad03a --- /dev/null +++ b/charts/catalog-manager/values.openapiv3_schema.yaml 
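Review bot: The ServiceMonitor scrapes endpoint `api` over https with `ca.secret.name: {{ include "catalog-manager.fullname" . }}-apiserver-cert` (key `tls.crt`) and a bearer token, but no template in this chart creates a `-apiserver-cert` Secret, and the Deployment exposes metrics on plain port 8080 rather than on the `api` port; Prometheus Operator would fail to resolve the CA secret and the target would never come up when `monitoring.agent=prometheus.io/operator`. Unless the operator generates that Secret at runtime (not visible here), point the endpoint at a Service port named `metrics` (which service.yaml currently lacks) with `path: /metrics`, and drop `bearerTokenFile`, `scheme` and `tlsConfig`. If metrics really are served over TLS, the chart must also ship the certificate Secret it references; otherwise monitoring silently breaks.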
@@ -0,0 +1,673 @@ +properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + 
mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + 
properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + 
x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + fullnameOverride: + type: string + image: + properties: + registry: + type: string + repository: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + tag: + type: string + required: + - registry + - 
repository + - tag + type: object + imagePullPolicy: + type: string + imagePullSecrets: + items: + type: string + type: array + monitoring: + properties: + agent: + enum: + - prometheus.io + - prometheus.io/operator + - prometheus.io/builtin + type: string + serviceMonitor: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + required: + - agent + - serviceMonitor + type: object + nameOverride: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + podAnnotations: + additionalProperties: + type: string + type: object + podSecurityContext: + properties: + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + registryFQDN: + type: string + replicaCount: + type: integer + secretReaderServiceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + serviceAccount: + properties: + annotations: + additionalProperties: + type: string + type: object + create: + type: boolean + name: + type: string + required: + - create + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: 
string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + vaultServer: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object +required: +- image +- imagePullPolicy +- monitoring +- registryFQDN +- replicaCount +- serviceAccount +type: object diff --git a/charts/catalog-manager/values.yaml b/charts/catalog-manager/values.yaml new file mode 100644 index 000000000..441f4b43e --- /dev/null +++ b/charts/catalog-manager/values.yaml 
@@ -0,0 +1,81 @@
+# Default values for catalog-manager.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Overrides name template
+nameOverride: ""
+# Overrides fullname template
+fullnameOverride: ""
+
+replicaCount: 1
+
+# Docker registry fqdn used to pull docker images
+# Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image}
+registryFQDN: ghcr.io
+image:
+ # Docker registry used to pull operator image
+ registry: appscode
+ # Name of operator container image
+ repository: catalog-manager
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ # Compute Resources required by the operator container
+ resources: {}
+ # Security options this container should run with
+ securityContext: # +doc-gen:break
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
+# Specify an array of imagePullSecrets.
+# Secrets must be manually created in the namespace.
+#
+# Example:
+# helm template charts/stash \
+# --set imagePullSecrets[0].name=sec0 \
+# --set imagePullSecrets[1].name=sec1
+imagePullSecrets: []
+# Container image pull policy
+imagePullPolicy: Always
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+monitoring:
+ # Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin")
+ agent: ""
+ serviceMonitor:
+ # Specify the labels for ServiceMonitor.
+ # Prometheus crd will select ServiceMonitor using these labels.
+ # Only usable when monitoring agent is `prometheus.io/operator`.
+ labels: {}
+
+vaultServer:
+ name: ""
+ namespace: ""
+
+secretReaderServiceAccount:
+ name: ""
+ namespace: ""
diff --git a/charts/service-backend/.helmignore b/charts/service-backend/.helmignore
new file mode 100644
index 000000000..e03134ce3
--- /dev/null
+++ b/charts/service-backend/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.terraform
+*.tfstate*
diff --git a/charts/service-backend/Chart.yaml b/charts/service-backend/Chart.yaml
new file mode 100644
index 000000000..c6932307b
--- /dev/null
+++ b/charts/service-backend/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: service-backend
+description: A Helm chart for Kubeware Backend Server by AppsCode
+type: application
+version: v2024.2.11
+appVersion: v0.0.1
+home: https://github.com/kubeware
+icon: https://cdn.appscode.com/images/products/searchlight/icons/android-icon-192x192.png
+sources:
+- https://github.com/kubeware
+maintainers:
+- name: appscode
+ email: support@appscode.com
diff --git a/charts/service-backend/README.md b/charts/service-backend/README.md
new file mode 100644
index 000000000..cbeab3547
--- /dev/null
+++ b/charts/service-backend/README.md
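Review bot: The `imagePullSecrets` example in the comment (`--set imagePullSecrets[0].name=sec0`) passes a list of objects, but the generated schema for this chart directly above declares `imagePullSecrets.items.type: string`, so the documented usage and the declared shape contradict each other and one of them has to change. Kubernetes `imagePullSecrets` entries are objects with a `name` field, and the service-backend helper `appscode.imagePullSecrets` in this diff simply `toYaml`s the list into the pod spec, so the schema (or the Go type it is generated from) looks like the wrong side. The same mismatch is in charts/service-backend/values.yaml and its values.openapiv3_schema.yaml. Consider `# Each entry is {name: <secret-name>}` next to `imagePullSecrets: []` once the shape is settled.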
@@ -0,0 +1,93 @@ +# Kubeware Backend Server + +[Kubeware Backend Server by AppsCode](https://github.com/kubeware/service-backend) - Kubeware Backend Server for Kubernetes + +## TL;DR; + +```bash +$ helm repo add appscode https://charts.appscode.com/stable/ +$ helm repo update +$ helm search repo appscode/service-backend --version=v2024.2.11 +$ helm upgrade -i service-backend appscode/service-backend -n kubeops --create-namespace --version=v2024.2.11 +``` + +## Introduction + +This chart deploys a Kubeware Backend Server on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.21+ + +## Installing the Chart + +To install/upgrade the chart with the release name `service-backend`: + +```bash +$ helm upgrade -i service-backend appscode/service-backend -n kubeops --create-namespace --version=v2024.2.11 +``` + +The command deploys a Kubeware Backend Server on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall the `service-backend`: + +```bash +$ helm uninstall service-backend -n kubeops +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the `service-backend` chart and their default values. 
+ +| Parameter | Description | Default | +|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| nameOverride | Overrides name template | "" | +| fullnameOverride | Overrides fullname template | "" | +| replicaCount | | 1 | +| registryFQDN | Docker registry fqdn used to pull docker images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io | +| image.registry | Docker registry used to pull operator image | appscode | +| image.repository | Name of operator container image | service-provider | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "" | +| image.resources | Compute Resources required by the operator container | {} | +| image.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/stash \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | [] | +| imagePullPolicy | Container image pull policy | Always | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations | | {} | +| podSecurityContext | | {} | +| nodeSelector | | {} | +| tolerations | | [] | +| affinity | | {} | +| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" | +| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} | +| server.oidc.clientID | issuer client ID | "" | +| server.oidc.clientSecret | issuer client Secret | "" | +| server.oidc.issuerURL | | "https://accounts.appscode.com/" | +| server.oidc.callbackURL | | "https://bind.appscode.com/callback" | +| server.providerPrettyName | | "" | +| server.namespacePrefix | the sync namespace created in the provider side will be named like bb- | "kubeware-" | +| server.consumerScope | How consumers access the service provider cluster. In Kubernetes, "namespaced" allows namespace isolation. In kcp, "cluster" allows workspace isolation, and with that allows cluster-scoped resources to bind, and it is generally more performant. | "Namespaced" | +| server.cookie.signingKey | The key which is used to sign cookies, base64 encoded. Valid lengths are 32 or 64 bytes. | "" | +| server.cookie.encryptionKey | The key which is used to encrypt cookies, base64 encoded, optional. Valid lengths are 16, 24, or 32 bytes selecting AES-128, AES-192, or AES-256. | "" | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. 
For example: + +```bash +$ helm upgrade -i service-backend appscode/service-backend -n kubeops --create-namespace --version=v2024.2.11 --set replicaCount=1 +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while +installing the chart. For example: + +```bash +$ helm upgrade -i service-backend appscode/service-backend -n kubeops --create-namespace --version=v2024.2.11 --values values.yaml +``` diff --git a/charts/service-backend/doc.yaml b/charts/service-backend/doc.yaml new file mode 100644 index 000000000..c8af4f9f6 --- /dev/null +++ b/charts/service-backend/doc.yaml @@ -0,0 +1,18 @@ +project: + name: Kubeware Backend Server by AppsCode + shortName: Kubeware Backend Server + url: https://github.com/kubeware/service-backend + description: Kubeware Backend Server for Kubernetes + app: a Kubeware Backend Server +repository: + url: https://charts.appscode.com/stable/ + name: appscode +chart: + name: service-backend + values: -- generate from values file -- + valuesExample: -- generate from values file -- +prerequisites: +- Kubernetes 1.21+ +release: + name: service-backend + namespace: kubeops diff --git a/charts/service-backend/templates/NOTES.txt b/charts/service-backend/templates/NOTES.txt new file mode 100644 index 000000000..d249f3f48 --- /dev/null +++ b/charts/service-backend/templates/NOTES.txt @@ -0,0 +1,3 @@ +To verify that Supervisor has started, run: + + kubectl get deployment --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "service-backend.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/charts/service-backend/templates/_helpers.tpl b/charts/service-backend/templates/_helpers.tpl new file mode 100644 index 000000000..8f177b13c --- /dev/null +++ b/charts/service-backend/templates/_helpers.tpl 
@@ -0,0 +1,107 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "service-backend.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "service-backend.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "service-backend.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "service-backend.labels" -}}
+helm.sh/chart: {{ include "service-backend.chart" . }}
+{{ include "service-backend.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "service-backend.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "service-backend.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "service-backend.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "service-backend.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Returns the appscode license
+*/}}
+{{- define "appscode.license" -}}
+{{- .Values.license }}
+{{- end }}
+
+{{/*
+Returns the registry used for operator docker image
+*/}}
+{{- define "image.registry" -}}
+{{- list .Values.registryFQDN .Values.image.registry | compact | join "/" }}
+{{- end }}
+
+{{- define "appscode.imagePullSecrets" -}}
+{{- with .Values.imagePullSecrets -}}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Returns the enabled monitoring agent name
+*/}}
+{{- define "monitoring.agent" -}}
+{{- .Values.monitoring.agent }}
+{{- end }}
+
+{{/*
+Returns whether the ServiceMonitor will be labeled with custom label
+*/}}
+{{- define "monitoring.apply-servicemonitor-label" -}}
+{{- ternary "false" "true" ( empty .Values.monitoring.serviceMonitor.labels ) -}}
+{{- end }}
+
+{{/*
+Returns the ServiceMonitor labels
+*/}}
+{{- define "monitoring.servicemonitor-label" -}}
+{{- range $key, $val := .Values.monitoring.serviceMonitor.labels }}
+{{ $key }}: {{ $val }}
+{{- end }}
+{{- end }}
diff --git a/charts/service-backend/templates/cluster-role-binding.yaml b/charts/service-backend/templates/cluster-role-binding.yaml
new file mode 100644
index 000000000..9c8e33ef5
--- /dev/null
+++ b/charts/service-backend/templates/cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "service-backend.fullname" . }}
+ labels:
+ {{- include "service-backend.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "service-backend.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "service-backend.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
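Review bot: `monitoring.servicemonitor-label` renders `{{ $key }}: {{ $val }}` unquoted, so a label value such as `true`, `on` or `1.0` is re-parsed by YAML as a boolean/float and the ServiceMonitor is rejected by the API server (label values must be strings); render it as `{{ $key }}: {{ $val | quote }}`. Separately, `appscode.license` reads `.Values.license`, which is declared neither in this chart's values.yaml nor in its schema and is not referenced by any template in this diff — either drop the helper or document the value it expects. The `appscode.imagePullSecrets` helper only produces a valid pod spec when each list entry is a `{name: ...}` object, so a one-line comment above `{{- toYaml . | nindent 2 }}` stating that expectation would help, given the schema currently declares the items as strings.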
diff --git a/charts/service-backend/templates/cluster-role.yaml b/charts/service-backend/templates/cluster-role.yaml
new file mode 100644
index 000000000..e144a8ed4
--- /dev/null
+++ b/charts/service-backend/templates/cluster-role.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "service-backend.fullname" . }}
+ labels:
+ {{- include "service-backend.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - service-backend.appscode.com
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups:
+ - kubedb.com
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - kubevault.com
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
diff --git a/charts/service-backend/templates/deployment.yaml b/charts/service-backend/templates/deployment.yaml
new file mode 100644
index 000000000..b84786166
--- /dev/null
+++ b/charts/service-backend/templates/deployment.yaml
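Review bot: The ClusterRole grants `resources: ["*"]` with `verbs: ["*"]` on `service-backend.appscode.com` plus cluster-wide read of every `kubedb.com` and `kubevault.com` resource, and the sibling ClusterRoleBinding hands all of that to the server's service account; that is wider than least privilege for a backend server and the wildcards will silently absorb any CRD later added to those groups. Enumerate the resource kinds and verbs the server actually calls, and if it only works inside its own namespace, a Role/RoleBinding pair keeps the grant namespace-scoped. A short comment above each rule naming the code path that needs it (e.g. `# needed by the catalog sync loop` as a placeholder) would make future tightening reviewable.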
@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "service-backend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "service-backend.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "service-backend.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "service-backend.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- include "appscode.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ include "service-backend.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.image.securityContext | nindent 12 }}
+{{/* image: {{ include "image.registry" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}*/}}
+ image: superm4n/service-backend:config_linux_amd64
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ args:
+ - server
+ - --oidc-issuer-url={{ .Values.server.oidc.issuerURL }}
+ - --oidc-callback-url={{ .Values.server.oidc.callbackURL }}
+ - --namespace-prefix={{ .Values.server.namespacePrefix }}
+ - --oidc-issuer-client-id={{ .Values.server.oidc.clientID }}
+ - --oidc-issuer-client-secret={{ .Values.server.oidc.clientSecret }}
+ - --cookie-signing-key={{ .Values.server.cookie.signingKey }}
+ - --cookie-encryption-key={{ .Values.server.cookie.encryptionKey }}
+ - --consumer-scope={{ .Values.server.consumerScope }}
+ env:
+ - name: BIND_BACKEND_IMAGE
+ value: arnobkumarsaha/service-backend:config_linux_amd64
+{{/* value: {{ include "image.registry" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}*/}}
+ ports:
+ - containerPort: 3003
+ name: http
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.image.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/service-backend/templates/service.yaml b/charts/service-backend/templates/service.yaml
new file mode 100644
index 000000000..26deaad60
--- /dev/null
+++ b/charts/service-backend/templates/service.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "service-backend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "service-backend.labels" . | nindent 4 }}
+{{- if eq "prometheus.io/builtin" ( include "monitoring.agent" . ) }}
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/metrics"
+ prometheus.io/port: "8443"
+ prometheus.io/scheme: "https"
+{{- end }}
+spec:
+ ports:
+ # Port used to expose admission webhook apiserver
+ - name: http
+ nodePort: 32375
+ port: 80
+ protocol: TCP
+ targetPort: 3003
+ selector:
+ {{- include "service-backend.selectorLabels" . | nindent 4 }}
+ type: NodePort
diff --git a/charts/service-backend/templates/serviceaccount.yaml b/charts/service-backend/templates/serviceaccount.yaml
new file mode 100644
index 000000000..af5c0700b
--- /dev/null
+++ b/charts/service-backend/templates/serviceaccount.yaml
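Review bot: The container image is hard-coded to `superm4n/service-backend:config_linux_amd64` with the templated `image:` line left inside a `{{/* */}}` comment, and `BIND_BACKEND_IMAGE` is likewise pinned to `arnobkumarsaha/service-backend:config_linux_amd64`; both bypass `registryFQDN`, `image.*` and `imagePullSecrets`, pull from personal Docker Hub namespaces by a mutable tag, and cannot be digest-pinned or mirrored through a private registry, which defeats the supply-chain controls the rest of the chart sets up. Restore `image: {{ include "image.registry" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}` and derive the env value the same way (the commented-out line already spells it out). Separately, `--oidc-issuer-client-secret`, `--cookie-signing-key` and `--cookie-encryption-key` are passed as command-line arguments rendered from values, so anyone allowed to read the Deployment or pod spec sees the secrets in clear; the usual pattern is a chart-rendered (or operator-supplied) Secret consumed via `valueFrom.secretKeyRef` or a mounted file, with the flags taking the value from there if the binary supports it.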
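Review bot: The Service is `type: NodePort` with a fixed `nodePort: 32375`, which publishes the OIDC/cookie-handling backend on every node address over plain HTTP and makes two releases in one cluster collide on that port; make the type and node port values-driven (a proposed `service.type` defaulting to `ClusterIP`, with the NodePort only when explicitly requested) so an Ingress or TLS-terminating front end can sit in front. The `prometheus.io/builtin` annotations advertise port `"8443"` and scheme `"https"`, but the only port defined here is `http` → `targetPort: 3003`, so the built-in scrape configuration points at a port that does not exist — align them with the real port or drop them until a TLS metrics endpoint exists. The comment `# Port used to expose admission webhook apiserver` is carried over from another chart and should describe this port, e.g. `# Plain-HTTP port served by the backend (container port 3003)`.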
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "service-backend.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "service-backend.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/service-backend/templates/servicemonitor.yaml b/charts/service-backend/templates/servicemonitor.yaml
new file mode 100644
index 000000000..d2617c6b9
--- /dev/null
+++ b/charts/service-backend/templates/servicemonitor.yaml
@@ -0,0 +1,30 @@
+{{- if eq "prometheus.io/operator" ( include "monitoring.agent" . ) }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "service-backend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- if eq "true" ( include "monitoring.apply-servicemonitor-label" . ) }}
+ {{- include "monitoring.servicemonitor-label" . | nindent 4 }}
+ {{- else }}
+ {{- include "service-backend.selectorLabels" . | nindent 4 }}
+ {{- end }}
+spec:
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "service-backend.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: api
+ bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ scheme: https
+ tlsConfig:
+ ca:
+ secret:
+ name: {{ include "service-backend.fullname" . }}-apiserver-cert
+ key: tls.crt
+ serverName: "{{ include "service-backend.fullname" . }}.{{ .Release.Namespace }}.svc"
+{{- end }}
diff --git a/charts/service-backend/values.openapiv3_schema.yaml b/charts/service-backend/values.openapiv3_schema.yaml
new file mode 100644
index 000000000..c08facb74
--- /dev/null
+++ b/charts/service-backend/values.openapiv3_schema.yaml
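Review bot: The ServiceMonitor endpoint selects `port: api` with `scheme: https` and a CA taken from secret `<fullname>-apiserver-cert`, but the Service in this chart only defines a port named `http` (plain HTTP to container port 3003) and no template in the diff creates that secret, so with `monitoring.agent: prometheus.io/operator` nothing is ever scraped and the operator logs a missing-secret error. Either point it at what exists (`- port: http` without `scheme`, `tlsConfig` and `bearerTokenFile`) or add the TLS-serving metrics port and the certificate secret this template assumes, and a comment on the `- port:` line stating which Service port it must match would keep the two files in step. The `{{- if eq "true" ( include "monitoring.apply-servicemonitor-label" . ) }}` branch makes custom labels replace the selector labels rather than extend them; if that is intended, say so in a one-line comment there.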
@@ -0,0 +1,695 @@ +properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + 
mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + 
properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + 
x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + fullnameOverride: + type: string + image: + properties: + registry: + type: string + repository: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + tag: + type: string + required: + - registry + - 
repository + - tag + type: object + imagePullPolicy: + type: string + imagePullSecrets: + items: + type: string + type: array + monitoring: + properties: + agent: + enum: + - prometheus.io + - prometheus.io/operator + - prometheus.io/builtin + type: string + serviceMonitor: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + required: + - agent + - serviceMonitor + type: object + nameOverride: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + podAnnotations: + additionalProperties: + type: string + type: object + podSecurityContext: + properties: + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + registryFQDN: + type: string + replicaCount: + type: integer + server: + properties: + consumerScope: + type: string + cookie: + properties: + encryptionKey: + type: string + signingKey: + type: string + required: + - encryptionKey + - signingKey + type: object + namespacePrefix: + type: string + oidc: + properties: + callbackURL: + type: string + clientID: + type: string + clientSecret: + type: string + issuerURL: + type: string + required: + - callbackURL + - 
clientID + - clientSecret + - issuerURL + type: object + providerPrettyName: + type: string + required: + - consumerScope + - cookie + - namespacePrefix + - oidc + - providerPrettyName + type: object + serviceAccount: + properties: + annotations: + additionalProperties: + type: string + type: object + create: + type: boolean + name: + type: string + required: + - create + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array +required: +- image +- imagePullPolicy +- monitoring +- registryFQDN +- replicaCount +- server +- serviceAccount +type: object diff --git a/charts/service-backend/values.yaml b/charts/service-backend/values.yaml new file mode 100644 index 000000000..2cdee2c81 --- /dev/null +++ b/charts/service-backend/values.yaml 
@@ -0,0 +1,95 @@
+# Default values for service-backend.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Overrides name template
+nameOverride: ""
+# Overrides fullname template
+fullnameOverride: ""
+
+replicaCount: 1
+
+# Docker registry fqdn used to pull docker images
+# Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image}
+registryFQDN: ghcr.io
+image:
+ # Docker registry used to pull operator image
+ registry: appscode
+ # Name of operator container image
+ repository: service-provider
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ # Compute Resources required by the operator container
+ resources: {}
+ # Security options this container should run with
+ securityContext: # +doc-gen:break
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
+# Specify an array of imagePullSecrets.
+# Secrets must be manually created in the namespace.
+#
+# Example:
+# helm template charts/stash \
+# --set imagePullSecrets[0].name=sec0 \
+# --set imagePullSecrets[1].name=sec1
+imagePullSecrets: []
+# Container image pull policy
+imagePullPolicy: Always
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+monitoring:
+ # Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin")
+ agent: ""
+ serviceMonitor:
+ # Specify the labels for ServiceMonitor.
+ # Prometheus crd will select ServiceMonitor using these labels.
+ # Only usable when monitoring agent is `prometheus.io/operator`.
+ labels: {}
+
+
+server:
+ oidc:
+ # issuer client ID
+ clientID: ""
+ # issuer client Secret
+ clientSecret: ""
+ issuerURL: "https://accounts.appscode.com/"
+ callbackURL: "https://bind.appscode.com/callback"
+ providerPrettyName: ""
+ # the sync namespace created in the provider side will be named like bb-
+ namespacePrefix: "kubeware-"
+ # How consumers access the service provider cluster. In Kubernetes, "namespaced" allows namespace isolation.
+ # In kcp, "cluster" allows workspace isolation, and with that allows cluster-scoped resources to bind, and it is generally more performant.
+ consumerScope: "Namespaced"
+
+ cookie:
+ # The key which is used to sign cookies, base64 encoded. Valid lengths are 32 or 64 bytes.
+ signingKey: ""
+ # The key which is used to encrypt cookies, base64 encoded, optional. Valid lengths are 16, 24, or 32 bytes selecting AES-128, AES-192, or AES-256.
+ encryptionKey: ""
diff --git a/charts/service-provider/.helmignore b/charts/service-provider/.helmignore
new file mode 100644
index 000000000..be86b789d
--- /dev/null
+++ b/charts/service-provider/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Helm files
+OWNERS
diff --git a/charts/service-provider/Chart.yaml b/charts/service-provider/Chart.yaml
new file mode 100755
index 000000000..ff86a8c16
--- /dev/null
+++ b/charts/service-provider/Chart.yaml
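Review bot: `server.oidc.clientSecret`, `server.cookie.signingKey` and `server.cookie.encryptionKey` take the credential material inline as chart values, so the OIDC client secret and both cookie keys land in the rendered manifests and in the release's stored values instead of in a Kubernetes Secret; a values key naming an existing Secret to mount (name to be chosen) would keep them out of `helm get values` output. The comment on `encryptionKey` says the key is optional, but the schema in the preceding `values.openapiv3_schema.yaml` hunk lists `encryptionKey` under `cookie`'s `required` next to `signingKey`, so the comment and the schema disagree, and with `""` as the default the `required` check cannot catch an unset key in either case. The `imagePullSecrets` example `--set imagePullSecrets[0].name=sec0` produces objects with a `name` field, while that schema declares the `imagePullSecrets` items as `type: string`, so the documented example would fail schema validation; either the example or the schema item type should be corrected.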
@@ -0,0 +1,12 @@
+apiVersion: v1
+description: Kubeware Service Provider by AppsCode
+name: service-provider
+version: v2024.2.11
+appVersion: v0.0.1
+home: https://github.com/kubeware
+icon: https://cdn.appscode.com/images/products/stash/service-provider-icon.png
+sources:
+- https://github.com/kubeware
+maintainers:
+- name: appscode
+ email: support@appscode.com
diff --git a/charts/service-provider/OWNERS b/charts/service-provider/OWNERS
new file mode 100644
index 000000000..6731d355c
--- /dev/null
+++ b/charts/service-provider/OWNERS
@@ -0,0 +1,5 @@
+approvers:
+- tamalsaha
+reviewers:
+- tamalsaha
+
diff --git a/charts/service-provider/README.md b/charts/service-provider/README.md
new file mode 100644
index 000000000..06101cad0
--- /dev/null
+++ b/charts/service-provider/README.md
@@ -0,0 +1,111 @@ +# Kubeware Service Provider + +[Kubeware Service Provider by AppsCode](https://github.com/kubeware) - Kubeware Service Provider by AppsCode + +## TL;DR; + +```bash +$ helm repo add appscode https://charts.appscode.com/stable/ +$ helm repo update +$ helm search repo appscode/service-provider --version=v2024.2.11 +$ helm upgrade -i service-provider appscode/service-provider -n kubeops --create-namespace --version=v2024.2.11 +``` + +## Introduction + +This chart deploys a Kubeware Service Provider on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.21+ + +## Installing the Chart + +To install/upgrade the chart with the release name `service-provider`: + +```bash +$ helm upgrade -i service-provider appscode/service-provider -n kubeops --create-namespace --version=v2024.2.11 +``` + +The command deploys a Kubeware Service Provider on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall the `service-provider`: + +```bash +$ helm uninstall service-provider -n kubeops +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the `service-provider` chart and their default values. 
+ +| Parameter | Description | Default | +|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| +| nameOverride | Overrides name template | "" | +| fullnameOverride | Overrides fullname template | "" | +| replicaCount | Number of stash operator replicas to create (only 1 is supported) | 1 | +| registryFQDN | Docker registry fqdn used to pull Stash related images. Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io | +| operator.registry | Docker registry used to pull operator image | appscode | +| operator.repository | Name of operator container image | service-provider | +| operator.tag | Operator container image tag | "" | +| operator.resources | Compute Resources required by the operator container | {"requests":{"cpu":"100m"}} | +| operator.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534} | +| rbacproxy.registry | Docker registry used to pull operator image | appscode | +| rbacproxy.repository | Name of operator container image | kube-rbac-proxy | +| rbacproxy.tag | Operator container image tag | v0.11.0 | +| rbacproxy.resources | Compute Resources required by the operator container | {"requests":{"cpu":"100m"}} | +| rbacproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534} | +| imagePullSecrets | Specify an array of imagePullSecrets. 
Secrets must be manually created in the namespace.
Example:
`helm template charts/stash \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | [] | +| imagePullPolicy | Container image pull policy | IfNotPresent | +| criticalAddon | If true, installs Stash operator as critical addon | false | +| logLevel | Log level for operator | 3 | +| annotations | Annotations applied to operator deployment | {} | +| podAnnotations | Annotations passed to operator pod(s). | {} | +| podLabels | Labels passed to operator pod(s) | {} | +| nodeSelector | Node labels for pod assignment | {"kubernetes.io/os":"linux"} | +| tolerations | Tolerations for pod assignment | [] | +| affinity | Affinity rules for pod assignment | {} | +| podSecurityContext | Security options the operator pod should run with. | {"fsGroup":65535} | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | +| apiserver.groupPriorityMinimum | The minimum priority the webhook api group should have at least. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 for more information on proper values of this field. | 10000 | +| apiserver.versionPriority | The ordering of the webhook api inside of the group. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 for more information on proper values of this field | 15 | +| apiserver.enableMutatingWebhook | If true, mutating webhook is configured for Kubernetes workloads | true | +| apiserver.enableValidatingWebhook | If true, validating webhook is configured for Stash CRDss | false | +| apiserver.ca | CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator. 
| not-ca-cert | +| apiserver.bypassValidatingWebhookXray | If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster. | false | +| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true | +| apiserver.healthcheck.enabled | If true, enables the readiness and liveliness probes for the operator pod. | false | +| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true | +| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | "" | +| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | "" | +| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | "" | +| monitoring.agent | Name of monitoring agent (either "prometheus.io/operator" or "prometheus.io/builtin") | "none" | +| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} | +| provider.namespacePrefix | the sync namespace created in the provider side will be named like bb- | "kubeware-" | +| provider.providerPrettyName | the name of the provider | "Appscode" | +| provider.consumerScope | How consumers access the service provider cluster. In Kubernetes, "namespaced" allows namespace isolation. In kcp, "cluster" allows workspace isolation, and with that allows cluster-scoped resources to bind, and it is generally more performant. | "Namespaced" | +| provider.external.address | The external address for the service provider cluster, including https:// and port. 
If not specified, service account's hosts are used. | "" | +| provider.external.serverName | The external (TLS) server name used by consumers to talk to the service provider cluster. This can be useful to select the right certificate via SNI. | "" | +| provider.external.CAFile | The external CA file for the service provider cluster. If not specified, service account's CA is used. | "" | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: + +```bash +$ helm upgrade -i service-provider appscode/service-provider -n kubeops --create-namespace --version=v2024.2.11 --set replicaCount=1 +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while +installing the chart. For example: + +```bash +$ helm upgrade -i service-provider appscode/service-provider -n kubeops --create-namespace --version=v2024.2.11 --values values.yaml +``` diff --git a/charts/service-provider/ci/ci-values.yaml b/charts/service-provider/ci/ci-values.yaml new file mode 100644 index 000000000..8a70e66a6 --- /dev/null +++ b/charts/service-provider/ci/ci-values.yaml @@ -0,0 +1,9 @@ +# https://github.com/helm/charts/blob/master/test/README.md#providing-custom-test-values +operator: + securityContext: + seccompProfile: + type: RuntimeDefault +rbacproxy: + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/charts/service-provider/crds/kubeware.dev_apiservicebindings.yaml b/charts/service-provider/crds/kubeware.dev_apiservicebindings.yaml new file mode 100644 index 000000000..8d937be69 --- /dev/null +++ b/charts/service-provider/crds/kubeware.dev_apiservicebindings.yaml 
@@ -0,0 +1,172 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + name: apiservicebindings.kubeware.dev +spec: + group: kubeware.dev + names: + categories: + - kubewares + kind: APIServiceBinding + listKind: APIServiceBindingList + plural: apiservicebindings + shortNames: + - sb + singular: apiservicebinding + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.providerPrettyName + name: Provider + type: string + - jsonPath: .metadata.annotations.kubeware\.dev/resources + name: Resources + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Message + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: APIServiceBinding binds an API service represented by a APIServiceExport + in a service provider cluster into a consumer cluster. This object lives + in the consumer cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec specifies how an API service from a service provider + should be bound in the local consumer cluster. 
+ properties: + kubeconfigSecretRefs: + description: kubeconfigSecretName is the secret ref that contains + the kubeconfig of the service cluster. + items: + properties: + key: + description: The key of the secret to select from. Must be + "kubeconfig". + enum: + - kubeconfig + type: string + name: + description: Name of the referent. + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + minLength: 1 + type: string + required: + - key + - name + - namespace + type: object + type: array + required: + - kubeconfigSecretRefs + type: object + status: + description: status contains reconciliation information for a service + binding. + properties: + conditions: + description: conditions is a list of conditions that apply to the + APIServiceBinding. + items: + description: Condition defines an observation of a object operational + state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
+ Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + kubeconfigs: + items: + properties: + key: + description: The key of the secret to select from. Must be + "kubeconfig". + enum: + - kubeconfig + type: string + name: + description: Name of the referent. + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + minLength: 1 + type: string + required: + - key + - name + - namespace + type: object + type: array + providerPrettyName: + description: providerPrettyName is the pretty name of the service + provider cluster. This can be shared among different APIServiceBindings. + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/service-provider/crds/kubeware.dev_apiserviceexportrequests.yaml b/charts/service-provider/crds/kubeware.dev_apiserviceexportrequests.yaml new file mode 100644 index 000000000..6f58f88f7 --- /dev/null +++ b/charts/service-provider/crds/kubeware.dev_apiserviceexportrequests.yaml 
@@ -0,0 +1,160 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + name: apiserviceexportrequests.kubeware.dev +spec: + group: kubeware.dev + names: + categories: + - kubewares + kind: APIServiceExportRequest + listKind: APIServiceExportRequestList + plural: apiserviceexportrequests + singular: apiserviceexportrequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "APIServiceExportRequest is represents a request session of kubectl-bind-apiservice. + \n The service provider can prune these objects after some time." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec specifies how an API service from a service provider + should be bound in the local consumer cluster. + properties: + parameters: + description: parameters holds service provider specific parameters + for this binding request. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf + resources: + description: resources is a list of resources that should be exported. + items: + properties: + group: + default: "" + description: group is the name of an API group. For core groups + this is the empty string '""'. + pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$ + type: string + resource: + description: 'resource is the name of the resource. Note: it + is worth noting that you can not ask for permissions for resource + provided by a CRD not provided by an service binding export.' + pattern: ^[a-z][-a-z0-9]*[a-z0-9]$ + type: string + versions: + description: versions is a list of versions that should be exported. + If this is empty a sensible default is chosen by the service + provider. + items: + type: string + type: array + required: + - resource + type: object + minItems: 1 + type: array + x-kubernetes-validations: + - message: resources are immutable + rule: self == oldSelf + required: + - resources + type: object + status: + description: status contains reconciliation information for a service + binding. + properties: + conditions: + description: conditions is a list of conditions that apply to the + ClusterBinding. It is updated by the konnector and the service provider. + items: + description: Condition defines an observation of a object operational + state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. 
The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + phase: + default: Pending + description: phase is the current phase of the binding request. It + starts in Pending and transitions to Succeeded or Failed. See the + condition for detailed information. + enum: + - Pending + - Failed + - Succeeded + type: string + terminalMessage: + description: terminalMessage is a human readable message that describes + the reason for the current phase. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/service-provider/crds/kubeware.dev_apiserviceexports.yaml b/charts/service-provider/crds/kubeware.dev_apiserviceexports.yaml new file mode 100644 index 000000000..6598c4850 --- /dev/null +++ b/charts/service-provider/crds/kubeware.dev_apiserviceexports.yaml 
@@ -0,0 +1,416 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + name: apiserviceexports.kubeware.dev +spec: + group: kubeware.dev + names: + categories: + - kubewares + kind: APIServiceExport + listKind: APIServiceExportList + plural: apiserviceexports + singular: apiserviceexport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Established")].status + name: Established + priority: 5 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'APIServiceExport specifies the resource to be exported. It is + mostly a CRD: - the spec is a CRD spec, but without webhooks - the status + reflects that on the consumer cluster' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec specifies the resource. + properties: + clusterScopedIsolation: + description: ClusterScopedIsolation specifies how cluster scoped service + objects are isolated between multiple consumers on the provider + side. It can be "Prefixed", "Namespaced", or "None". 
+ enum: + - Prefixed + - Namespaced + - None + type: string + group: + description: "group is the API group of the defined custom resource. + Empty string means the core API group. \tThe resources are served + under `/apis//...` or `/api` for the core group." + type: string + informerScope: + description: "informerScope is the scope of the APIServiceExport. + It can be either Cluster or Namespace. \n Cluster: The konnector + has permission to watch all namespaces at once and cluster-scoped + resources. This is more efficient than watching each namespace individually. + Namespaced: The konnector has permission to watch only single namespaces. + This is more resource intensive. And it means cluster-scoped resources + cannot be exported." + enum: + - Cluster + - Namespaced + type: string + x-kubernetes-validations: + - message: informerScope is immutable + rule: self == oldSelf + names: + description: names specify the resource and kind names for the custom + resource. + properties: + categories: + description: categories is a list of grouped resources this custom + resource belongs to (e.g. 'all'). This is published in API discovery + documents, and used by clients to support invocations like `kubectl + get all`. + items: + type: string + type: array + kind: + description: kind is the serialized kind of the resource. It is + normally CamelCase and singular. Custom resource instances will + use this value as the `kind` attribute in API calls. + type: string + listKind: + description: listKind is the serialized kind of the list for this + resource. Defaults to "`kind`List". + type: string + plural: + description: plural is the plural name of the resource to serve. + The custom resources are served under `/apis///.../`. + Must match the name of the CustomResourceDefinition (in the + form `.`). Must be all lowercase. 
+ type: string + shortNames: + description: shortNames are short names for the resource, exposed + in API discovery documents, and used by clients to support invocations + like `kubectl get `. It must be all lowercase. + items: + type: string + type: array + singular: + description: singular is the singular name of the resource. It + must be all lowercase. Defaults to lowercased `kind`. + type: string + required: + - kind + - plural + type: object + scope: + description: scope indicates whether the defined custom resource is + cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`. + enum: + - Cluster + - Namespaced + type: string + versions: + description: "versions is the API version of the defined custom resource. + \n Note: the OpenAPI v3 schemas must be equal for all versions until + CEL version migration is supported." + items: + description: APIServiceExportVersion describes one API version of + a resource. + properties: + additionalPrinterColumns: + description: additionalPrinterColumns specifies additional columns + returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables + for details. If no columns are specified, a single column + displaying the age of the custom resource is used. + items: + description: CustomResourceColumnDefinition specifies a column + for server side printing. + properties: + description: + description: description is a human readable description + of this column. + type: string + format: + description: format is an optional OpenAPI type definition + for this column. The 'name' format is applied to the + primary identifier column to assist in clients identifying + column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types + for details. + type: string + jsonPath: + description: jsonPath is a simple JSON path (i.e. 
with + array notation) which is evaluated against each custom + resource to produce the value for this column. + type: string + name: + description: name is a human readable name for the column. + type: string + priority: + description: priority is an integer defining the relative + importance of this column compared to others. Lower + numbers are considered higher priority. Columns that + may be omitted in limited space scenarios should be + given a priority greater than 0. + format: int32 + type: integer + type: + description: type is an OpenAPI type definition for this + column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types + for details. + type: string + required: + - jsonPath + - name + - type + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + deprecated: + description: deprecated indicates this version of the custom + resource API is deprecated. When set to true, API requests + to this version receive a warning header in the server response. + Defaults to false. + type: boolean + deprecationWarning: + description: deprecationWarning overrides the default warning + returned to API clients. May only be set when `deprecated` + is true. The default warning indicates this version is deprecated + and recommends use of the newest served version of equal or + greater stability, if one exists. + type: string + name: + description: name is the version name, e.g. “v1”, “v2beta1”, + etc. The custom resources are served under this version at + `/apis///...` if `served` is true. + minLength: 1 + pattern: ^v[1-9][0-9]*([a-z]+[1-9][0-9]*)?$ + type: string + schema: + description: schema describes the structural schema used for + validation, pruning, and defaulting of this version of the + custom resource. + properties: + openAPIV3Schema: + description: openAPIV3Schema is the OpenAPI v3 schema to + use for validation and pruning. 
+ type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - openAPIV3Schema + type: object + served: + default: true + description: served is a flag enabling/disabling this version + from being served via REST APIs + type: boolean + storage: + description: storage indicates this version should be used when + persisting custom resources to storage. There must be exactly + one version with storage=true. + type: boolean + subresources: + description: subresources specify what subresources this version + of the defined custom resource have. + properties: + scale: + description: scale indicates the custom resource should + serve a `/scale` subresource that returns an `autoscaling/v1` + Scale object. + properties: + labelSelectorPath: + description: 'labelSelectorPath defines the JSON path + inside of a custom resource that corresponds to Scale + `status.selector`. Only JSON paths without the array + notation are allowed. Must be a JSON Path under `.status` + or `.spec`. Must be set to work with HorizontalPodAutoscaler. + The field pointed by this JSON path must be a string + field (not a complex selector struct) which contains + a serialized label selector in string form. More info: + https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource + If there is no value under the given path in the custom + resource, the `status.selector` value in the `/scale` + subresource will default to the empty string.' + type: string + specReplicasPath: + description: specReplicasPath defines the JSON path + inside of a custom resource that corresponds to Scale + `spec.replicas`. Only JSON paths without the array + notation are allowed. Must be a JSON Path under `.spec`. + If there is no value under the given path in the custom + resource, the `/scale` subresource will return an + error on GET. 
+ type: string + statusReplicasPath: + description: statusReplicasPath defines the JSON path + inside of a custom resource that corresponds to Scale + `status.replicas`. Only JSON paths without the array + notation are allowed. Must be a JSON Path under `.status`. + If there is no value under the given path in the custom + resource, the `status.replicas` value in the `/scale` + subresource will default to 0. + type: string + required: + - specReplicasPath + - statusReplicasPath + type: object + status: + description: 'status indicates the custom resource should + serve a `/status` subresource. When enabled: 1. requests + to the custom resource primary endpoint ignore changes + to the `status` stanza of the object. 2. requests to the + custom resource `/status` subresource ignore changes to + anything other than the `status` stanza of the object.' + type: object + type: object + required: + - name + - schema + - served + - storage + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - informerScope + type: object + x-kubernetes-validations: + - message: informerScope must be Cluster for cluster-scoped resources + rule: self.scope == "Namespaced" || self.informerScope == "Cluster" + - message: clusterScopedIsolation must be defined for cluster-scoped resources + rule: self.scope == "Namespaced" || has(self.clusterScopedIsolation) + - message: clusterScopedIsolation is not relevant for namespaced resources + rule: self.scope == "Cluster" || !has(self.clusterScopedIsolation) + status: + description: status contains reconciliation information for the resource. + properties: + acceptedNames: + description: acceptedNames are the names that are actually being used + to serve discovery. They may be different than the names in spec. + properties: + categories: + description: categories is a list of grouped resources this custom + resource belongs to (e.g. 'all'). 
This is published in API discovery + documents, and used by clients to support invocations like `kubectl + get all`. + items: + type: string + type: array + kind: + description: kind is the serialized kind of the resource. It is + normally CamelCase and singular. Custom resource instances will + use this value as the `kind` attribute in API calls. + type: string + listKind: + description: listKind is the serialized kind of the list for this + resource. Defaults to "`kind`List". + type: string + plural: + description: plural is the plural name of the resource to serve. + The custom resources are served under `/apis///.../`. + Must match the name of the CustomResourceDefinition (in the + form `.`). Must be all lowercase. + type: string + shortNames: + description: shortNames are short names for the resource, exposed + in API discovery documents, and used by clients to support invocations + like `kubectl get `. It must be all lowercase. + items: + type: string + type: array + singular: + description: singular is the singular name of the resource. It + must be all lowercase. Defaults to lowercased `kind`. + type: string + required: + - kind + - plural + type: object + conditions: + description: conditions is a list of conditions that apply to the + APIServiceExport. It is updated by the konnector on the consumer + cluster. + items: + description: Condition defines an observation of a object operational + state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. 
The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + storedVersions: + description: storedVersions lists all versions of CustomResources + that were ever persisted. Tracking these versions allows a migration + path for stored versions in etcd. The field is mutable so a migration + controller can finish a migration to another version (ensuring no + old objects are left in storage), and then remove the rest of the + versions from this list. Versions may not be removed from `spec.versions` + while they exist in this list. + items: + type: string + type: array + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: informerScope is immutable + rule: self.metadata.name == self.spec.names.plural+"."+self.spec.group + served: true + storage: true + subresources: + status: {} diff --git a/charts/service-provider/crds/kubeware.dev_apiservicenamespaces.yaml b/charts/service-provider/crds/kubeware.dev_apiservicenamespaces.yaml new file mode 100644 index 000000000..0c00567b5 --- /dev/null +++ b/charts/service-provider/crds/kubeware.dev_apiservicenamespaces.yaml 
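Review bot: The top-level CEL rule at the end of this hunk carries a message that does not describe what it checks: `message: informerScope is immutable` is attached to `rule: self.metadata.name == self.spec.names.plural+"."+self.spec.group`, so a user who names an APIServiceExport wrongly is told that informerScope is immutable. This file is controller-gen output, so the fix belongs on the XValidation marker of the Go type, with a message along the lines of `message: metadata.name must equal <spec.names.plural>.<spec.group>`. The spec-level rules also read `self.scope` without `has(self.scope)` while `scope` is not in the spec's `required` list; if an object omits scope the rule presumably fails with an evaluation error and the misleading informerScope message, which is worth confirming or avoided by adding `scope` to `required`.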
@@ -0,0 +1,61 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + name: apiservicenamespaces.kubeware.dev +spec: + group: kubeware.dev + names: + categories: + - kubewares + kind: APIServiceNamespace + listKind: APIServiceNamespaceList + plural: apiservicenamespaces + singular: apiservicenamespace + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.namespace + name: Namespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "APIServiceNamespace defines how consumer namespaces map to service + namespaces. These objects are created by the konnector, and a service namespace + is then created by the service provider. \n The name of the APIServiceNamespace + equals the namespace name in the consumer cluster." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec specifies a service namespace. + type: object + status: + description: status contains reconciliation information for a service + namespace + properties: + namespace: + description: namespace is the service provider namespace name that + will be bound to the consumer namespace named like this object. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/service-provider/crds/kubeware.dev_clusterbindings.yaml b/charts/service-provider/crds/kubeware.dev_clusterbindings.yaml new file mode 100644 index 000000000..65da47103 --- /dev/null +++ b/charts/service-provider/crds/kubeware.dev_clusterbindings.yaml 
@@ -0,0 +1,164 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + name: clusterbindings.kubeware.dev +spec: + group: kubeware.dev + names: + categories: + - kubewares + kind: ClusterBinding + listKind: ClusterBindingList + plural: clusterbindings + singular: clusterbinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.konnectorVersion + name: Konnector Version + type: string + - jsonPath: .status.lastHeartbeatTime + name: Last Heartbeat + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterBinding represents a bound consumer class. It lives in + a service provider cluster and is a singleton named "cluster". + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec represents the data in the newly created ClusterBinding. + properties: + kubeconfigSecretRef: + description: kubeconfigSecretName is the secret ref that contains + the kubeconfig of the service cluster. + properties: + key: + description: The key of the secret to select from. Must be "kubeconfig". 
+ enum: + - kubeconfig + type: string + name: + description: Name of the referent. + minLength: 1 + type: string + required: + - key + - name + type: object + x-kubernetes-validations: + - message: kubeconfigSecretRef is immutable + rule: self == oldSelf + providerPrettyName: + description: providerPrettyName is the pretty name of the service + provider cluster. This can be shared among different ServiceBindings. + minLength: 1 + type: string + serviceProviderSpec: + description: serviceProviderSpec contains all the data and information + about the service which has been bound to the service binding request. + The service providers decide what they need and what to configure + based on what then include in this field, such as service region, + type, tiers, etc... + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - kubeconfigSecretRef + - providerPrettyName + type: object + status: + description: status contains reconciliation information for the service + binding. + properties: + conditions: + description: conditions is a list of conditions that apply to the + ClusterBinding. It is updated by the konnector and the service provider. + items: + description: Condition defines an observation of a object operational + state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. 
+ type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + heartbeatInterval: + description: heartbeatInterval is the maximal interval between heartbeats + that the konnector promises to send. The service provider can assume + that the konnector is not unhealthy if it does not receive a heartbeat + within this time. + type: string + konnectorVersion: + description: konnectorVersion is the version of the konnector that + is running on the consumer cluster. + type: string + lastHeartbeatTime: + description: lastHeartbeatTime is the last time the konnector updated + the status. + format: date-time + type: string + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: cluster binding name should be cluster + rule: self.metadata.name == "cluster" + served: true + storage: true + subresources: + status: {} diff --git a/charts/service-provider/doc.yaml b/charts/service-provider/doc.yaml new file mode 100644 index 000000000..106e80dab --- /dev/null +++ b/charts/service-provider/doc.yaml 
@@ -0,0 +1,18 @@
+project:
+ name: Kubeware Service Provider by AppsCode
+ shortName: Kubeware Service Provider
+ url: https://github.com/kubeware
+ description: Kubeware Service Provider by AppsCode
+ app: a Kubeware Service Provider
+repository:
+ url: https://charts.appscode.com/stable/
+ name: appscode
+chart:
+ name: service-provider
+ values: -- generate from values file --
+ valuesExample: -- generate from values file --
+prerequisites:
+- Kubernetes 1.21+
+release:
+ name: service-provider
+ namespace: kubeops
diff --git a/charts/service-provider/templates/NOTES.txt b/charts/service-provider/templates/NOTES.txt
new file mode 100644
index 000000000..12752db6c
--- /dev/null
+++ b/charts/service-provider/templates/NOTES.txt
@@ -0,0 +1,3 @@
+To verify that Stash has started, run:
+
+ kubectl get deployment --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "service-provider.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
diff --git a/charts/service-provider/templates/_helpers.tpl b/charts/service-provider/templates/_helpers.tpl
new file mode 100644
index 000000000..4a5d227e6
--- /dev/null
+++ b/charts/service-provider/templates/_helpers.tpl
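Review bot: NOTES.txt names a different product: `To verify that Stash has started, run:` was carried over from another chart, while the object this chart installs is the service-provider operator Deployment. Suggest `To verify that Kubeware Service Provider has started, run:` so the post-install output matches what was actually installed.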
@@ -0,0 +1,98 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "service-provider.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "service-provider.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "service-provider.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "service-provider.labels" -}}
+helm.sh/chart: {{ include "service-provider.chart" . }}
+{{ include "service-provider.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "service-provider.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "service-provider.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- with .Values.podLabels }}
+{{- toYaml . | nindent 0 }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "service-provider.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "service-provider.fullname" .) 
.Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "service-provider.webhookServiceName" -}}
+{{- printf "%s-webhook-server" (include "service-provider.fullname" . ) | trunc 63 | trimPrefix "-" -}}
+{{- end -}}
+
+{{/*
+Returns the registry used for operator docker image
+*/}}
+{{- define "operator.registry" -}}
+{{- list .Values.registryFQDN .Values.operator.registry | compact | join "/" }}
+{{- end }}
+
+{{/*
+Returns the registry used for kube-rbac-proxy docker image
+*/}}
+{{- define "rbacproxy.registry" -}}
+{{- list .Values.registryFQDN .Values.rbacproxy.registry | compact | join "/" }}
+{{- end }}
+
+{{- define "appscode.imagePullSecrets" -}}
+{{- with .Values.imagePullSecrets -}}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- define "image-pull-secrets" -}}
+{{- with .Values.imagePullSecrets -}}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/service-provider/templates/provider/deployment.yaml b/charts/service-provider/templates/provider/deployment.yaml
new file mode 100644
index 000000000..09dc34321
--- /dev/null
+++ b/charts/service-provider/templates/provider/deployment.yaml
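Review bot: `service-provider.webhookServiceName` trims the wrong end of the name: `trunc 63 | trimPrefix "-"` can still leave a trailing `-` after truncation, which is not a valid DNS label, while every other helper in this file uses `trimSuffix "-"`; change it to `| trunc 63 | trimSuffix "-" -}}`. Separately, `service-provider.selectorLabels` appends `.Values.podLabels`, and the deployment hunk in this commit feeds that helper into `spec.selector.matchLabels`; a Deployment selector is immutable, so editing podLabels on a later upgrade would presumably be rejected with a selector mismatch, and podLabels belongs in the pod template labels only. `appscode.imagePullSecrets` and `image-pull-secrets` are byte-for-byte duplicates apart from whitespace trimming; keep one and have the deployment use it.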
@@ -0,0 +1,81 @@
+{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }}
+{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }}
+{{- $criticalAddon := and .Values.criticalAddon (or (eq .Release.Namespace "kube-system") (and (ge $major 1) (ge $minor 17))) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "service-provider.fullname" . }}-operator
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: operator
+ {{- include "service-provider.labels" . | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: operator
+ {{- include "service-provider.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: operator
+ {{- include "service-provider.selectorLabels" . | nindent 8 }}
+ annotations:
+ {{- if $criticalAddon }}
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ {{- end }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "appscode.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ include "service-provider.serviceAccountName" . }}
+ containers:
+ - name: operator
+ image: "{{ include "operator.registry" . 
}}/{{ .Values.operator.repository }}:{{ .Values.operator.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ securityContext:
+ {{- toYaml .Values.operator.securityContext | nindent 10 }}
+ args:
+ - provider
+ - --namespace-prefix={{ .Values.provider.namespacePrefix }}
+ - --pretty-name={{ .Values.provider.providerPrettyName }}
+ - --consumer-scope={{ .Values.provider.consumerScope }}
+ - --external-address={{ .Values.provider.external.address }}
+ - --external-ca-file={{ .Values.provider.external.CAFile }}
+ - --external-server-name={{ .Values.provider.external.serverName }}
+{{/* - --subject=*/}}
+{{/* - --cluster-id=*/}}
+{{/* - --group=*/}}
+{{/* - --resource=*/}}
+{{/* - --kubeconfig="/.kube/config"*/}}
+{{/* - --namespace=*/}}
+ resources:
+ {{- toYaml .Values.operator.resources | nindent 10 }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- if or .Values.tolerations $criticalAddon }}
+ tolerations:
+ {{- with .Values.tolerations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if $criticalAddon }}
+ - key: CriticalAddonsOnly
+ operator: Exists
+ {{- end -}}
+ {{- end -}}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if $criticalAddon }}
+ priorityClassName: system-cluster-critical
+ {{- end -}}
diff --git a/charts/service-provider/templates/rbac/auth_proxy.yaml b/charts/service-provider/templates/rbac/auth_proxy.yaml
new file mode 100644
index 000000000..051e31457
--- /dev/null
+++ b/charts/service-provider/templates/rbac/auth_proxy.yaml
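Review bot: `--external-ca-file={{ .Values.provider.external.CAFile }}` hands the operator a file path, but the pod spec in this hunk declares no `volumes` or `volumeMounts`, so unless the image ships that file the flag points at nothing inside the container; mount the CA from a Secret or ConfigMap and pass the mount path, or wrap the flag in `{{- with .Values.provider.external.CAFile }}` / `{{- end }}` so it is only emitted when set. The other `external.*` flags are likewise emitted unconditionally, which yields `--external-address=` with an empty value when the chart defaults are left alone, and whether the operator accepts that is not visible here. The operator container also has no readiness or liveness probe; if the binary exposes a health endpoint, wiring it in would let the Deployment notice a wedged controller.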
@@ -0,0 +1,35 @@
+{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "service-provider.fullname" . }}-auth-proxy
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "service-provider.fullname" . }}-auth-proxy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "service-provider.fullname" . }}-auth-proxy
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "service-provider.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+
+{{ end }}
diff --git a/charts/service-provider/templates/rbac/cluster_role.yaml b/charts/service-provider/templates/rbac/cluster_role.yaml
new file mode 100644
index 000000000..44b583d1f
--- /dev/null
+++ b/charts/service-provider/templates/rbac/cluster_role.yaml
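Review bot: The auth-proxy ClusterRole gives the operator ServiceAccount `create` on `tokenreviews` and `subjectaccessreviews`, yet the guard that emits it, `{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}`, is about webhooks rather than an auth proxy, and the deployment hunk in this commit runs only the `operator` container with no kube-rbac-proxy sidecar. If nothing in this chart performs delegated authentication or authorization, drop both objects; otherwise gate them on the value that actually enables the proxy and bind them to that component's identity. Leaving the grant attached to the operator identity widens what a compromised operator pod can do for no functional gain.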
@@ -0,0 +1,76 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "service-provider.fullname" . }}
+ labels:
+ {{- include "service-provider.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - "clusterroles"
+ - "clusterrolebindings"
+ - "roles"
+ - "rolebindings"
+ verbs: ["*"]
+- apiGroups:
+ - ""
+ resources:
+ - "namespaces"
+ - "serviceaccounts"
+ verbs: ["get", "list", "watch", "create"]
+- apiGroups:
+ - "apiextensions.k8s.io"
+ resources:
+ - "customresourcedefinitions"
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "apiserviceexportrequests"
+ verbs: ["*"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "apiserviceexportrequests/status"
+ verbs: ["patch","update","get"]
+- apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs: ["*"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "clusterbindings"
+ verbs: ["get", "watch", "list", "create"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "clusterbindings/status"
+ verbs: ["get","patch","update"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "apiserviceexports"
+ verbs: ["get", "watch", "list", "create"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "apiserviceexports/status"
+ verbs: ["get","patch","update"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "apiservicenamespaces"
+ verbs: ["*"]
+- apiGroups:
+ - "kubeware.dev"
+ resources:
+ - "apiservicenamespaces/status"
+ verbs: ["patch", "update", "get"]
diff --git a/charts/service-provider/templates/rbac/cluster_role_binding.yaml b/charts/service-provider/templates/rbac/cluster_role_binding.yaml
new file mode 100644
index 000000000..262593955
--- /dev/null
+++ b/charts/service-provider/templates/rbac/cluster_role_binding.yaml
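Review bot: `verbs: ["*"]` on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings` includes the `bind` and `escalate` verbs, which let the operator ServiceAccount grant itself or any other subject arbitrary cluster permissions; together with `verbs: ["*"]` on `secrets` across all namespaces, this ClusterRole is cluster-admin in everything but name. Enumerate the verbs the controller actually needs, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]` for the RBAC resources and for secrets, and if the operator must mint RBAC objects carrying permissions it does not itself hold, add `escalate` explicitly with a comment saying which controller path requires it. The `apiextensions.k8s.io` / `customresourcedefinitions` rule appears twice in the hunk (unquoted at the top, quoted further down); delete one. If the Secrets the operator manages live only in the provider namespaces it creates, a Role created per namespace would presumably be narrower than a cluster-wide grant.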
@@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "service-provider.fullname" . }} + labels: + {{- include "service-provider.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "service-provider.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "service-provider.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/service-provider/templates/rbac/serviceaccount.yaml b/charts/service-provider/templates/rbac/serviceaccount.yaml new file mode 100644 index 000000000..e77831d9b --- /dev/null +++ b/charts/service-provider/templates/rbac/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "service-provider.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "service-provider.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/service-provider/templates/rbac/user_roles.yaml b/charts/service-provider/templates/rbac/user_roles.yaml new file mode 100644 index 000000000..107229ae3 --- /dev/null +++ b/charts/service-provider/templates/rbac/user_roles.yaml 
@@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: appscode:kubeware:edit + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: + - kubeware.dev + resources: + - "*" + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: appscode:kubeware:view + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: + - kubeware.dev + resources: + - "*" + verbs: ["get", "list", "watch"] diff --git a/charts/service-provider/templates/webhook-server/cert.yaml b/charts/service-provider/templates/webhook-server/cert.yaml new file mode 100644 index 000000000..903f435e8 --- /dev/null +++ b/charts/service-provider/templates/webhook-server/cert.yaml 
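Review bot: Both aggregated ClusterRoles are created as `pre-install,pre-upgrade` hooks with `before-hook-creation`, so Helm does not track them as release resources: `helm uninstall` leaves `appscode:kubeware:edit` and `appscode:kubeware:view` behind, and because the names are not release-scoped, two installs of this chart overwrite each other's copies. If the goal is only to have them exist before the CRDs are used, plain templated resources (with the chart's `labels:` block) are tracked and removed with the release. The edit role also grants `verbs: ["*"]` on every `kubeware.dev` resource, which covers all `/status` subresources and any kind added to the group later, for anyone holding `edit` in any namespace; confirm that breadth is intended rather than listing the kinds consumers are expected to manage.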
@@ -0,0 +1,31 @@ +{{- $caCrt := "" }} +{{- $serverCrt := "" }} +{{- $serverKey := "" }} +{{- if .Values.apiserver.servingCerts.generate }} +{{- $ca := genCA "ca" 3650 }} +{{- $cn := include "service-provider.webhookServiceName" . -}} +{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }} +{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }} +{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} +{{- $caCrt = b64enc $ca.Cert }} +{{- $serverCrt = b64enc $server.Cert }} +{{- $serverKey = b64enc $server.Key }} +{{- else }} +{{- $caCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.caCrt }} +{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }} +{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }} +{{- end }} +{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "service-provider.fullname" . }}-webhook-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "service-provider.labels" . | nindent 4 }} +type: Opaque +data: + ca.crt: {{ $caCrt }} + tls.crt: {{ $serverCrt }} + tls.key: {{ $serverKey }} +{{- end }} diff --git a/charts/service-provider/templates/webhook-server/deployment.yaml b/charts/service-provider/templates/webhook-server/deployment.yaml new file mode 100644 index 000000000..cba8e5438 --- /dev/null +++ b/charts/service-provider/templates/webhook-server/deployment.yaml 
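Review bot: `genCA` and `genSignedCert` run on every render, so each `helm upgrade` produces a fresh CA and serving key pair; anything that pinned the previous `ca.crt` (a webhook `caBundle`, the ServiceMonitor `tlsConfig`) stops verifying until it is updated, and the secret churns even when nothing else changed. A common mitigation is to read the existing secret first, e.g. `{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-webhook-cert" (include "service-provider.fullname" .)) }}`, reuse its `data` when present and only fall through to generation when it is empty; `lookup` returns nothing under `helm template`, so that behavior should be documented. Both the CA and the leaf are valid for 3650 days with no rotation path, which is worth stating in values.yaml next to `servingCerts.generate`.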
@@ -0,0 +1,124 @@ +{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }} +{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }} +{{- $criticalAddon := and .Values.criticalAddon (or (eq .Release.Namespace "kube-system") (and (ge $major 1) (ge $minor 17))) -}} +{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "service-provider.fullname" . }}-webhook-server + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: webhook-server + {{- include "service-provider.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/component: webhook-server + {{- include "service-provider.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app.kubernetes.io/component: webhook-server + {{- include "service-provider.selectorLabels" . | nindent 8 }} + annotations: + checksum/apiregistration.yaml: {{ include (print $.Template.BasePath "/webhook-server/cert.yaml") . | sha256sum }} + {{- if $criticalAddon }} + scheduler.alpha.kubernetes.io/critical-pod: '' + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include "appscode.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "service-provider.serviceAccountName" . }} + containers: + - name: webhook-server + image: "{{ include "operator.registry" . }}/{{ .Values.operator.repository }}:{{ .Values.operator.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + {{- toYaml .Values.operator.securityContext | nindent 10 }} + args: + - webhook + - --webhook-name={{ include "service-provider.fullname" . 
}} + ports: + - name: webhook-server + containerPort: 9443 + protocol: TCP + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.apiserver.healthcheck.enabled }} + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + {{- end }} + resources: + {{- toYaml .Values.operator.resources | nindent 10 }} + volumeMounts: + - name: serving-cert + mountPath: /var/serving-cert + readOnly: true + - name: kube-rbac-proxy + image: "{{ include "rbacproxy.registry" . }}/{{ .Values.rbacproxy.repository }}:{{ .Values.rbacproxy.tag }}" + securityContext: + {{- toYaml .Values.rbacproxy.securityContext | nindent 10 }} + args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.rbacproxy.resources | nindent 10 }} + volumes: + - name: serving-cert + secret: + defaultMode: 420 + secretName: {{ include "service-provider.fullname" . }}-webhook-cert + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if or .Values.tolerations $criticalAddon }} + tolerations: + {{- with .Values.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if $criticalAddon }} + - key: CriticalAddonsOnly + operator: Exists + {{- end -}} + {{- end -}} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if $criticalAddon }} + priorityClassName: system-cluster-critical + {{- end -}} +{{ end }} 
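Review bot: The `kube-rbac-proxy` container listens on `0.0.0.0:8443` but receives neither `--tls-cert-file`/`--tls-private-key-file` nor a mount of the `serving-cert` volume (only `webhook-server` mounts it), so as far as I can tell it serves a certificate it generates itself at start-up, while the ServiceMonitor in this change verifies that port against the `-webhook-cert` secret and cannot succeed. Mount the secret into the proxy as well and add `--tls-cert-file=/var/serving-cert/tls.crt` and `--tls-private-key-file=/var/serving-cert/tls.key` to its args, or point the ServiceMonitor at whatever CA the proxy actually presents. `--v=10` is maximum verbosity and logs every proxied request in detail; it is a debug setting, and the chart already defines `.Values.logLevel` that this pod does not appear to use. The proxy's `--upstream=http://127.0.0.1:8080/` also assumes the webhook server exposes plaintext metrics on 8080, which the container spec does not declare; confirm that port. The pod annotation `checksum/apiregistration.yaml` hashes `cert.yaml`, so `checksum/cert.yaml` would be the accurate name.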
diff --git a/charts/service-provider/templates/webhook-server/monitoring/service.yaml b/charts/service-provider/templates/webhook-server/monitoring/service.yaml new file mode 100644 index 000000000..52f390b35 --- /dev/null +++ b/charts/service-provider/templates/webhook-server/monitoring/service.yaml @@ -0,0 +1,27 @@ +{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "service-provider.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "service-provider.labels" . | nindent 4 }} + {{- if eq .Values.monitoring.agent "prometheus.io/builtin" }} + annotations: + prometheus.io/scrape: "true" + {{- if .Values.monitoring.operator }} + prometheus.io/operator_path: "/metrics" + prometheus.io/operator_port: "8443" + prometheus.io/operator_scheme: "https" + {{- end }} + {{- end }} +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: webhook-server + {{- include "service-provider.selectorLabels" . | nindent 4 }} +{{ end }} diff --git a/charts/service-provider/templates/webhook-server/monitoring/servicemonitor.yaml b/charts/service-provider/templates/webhook-server/monitoring/servicemonitor.yaml new file mode 100644 index 000000000..648d21c94 --- /dev/null +++ b/charts/service-provider/templates/webhook-server/monitoring/servicemonitor.yaml 
@@ -0,0 +1,37 @@ +{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }} +{{- if eq .Values.monitoring.agent "prometheus.io/operator" }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "service-provider.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.monitoring.serviceMonitor.labels }} + {{- range $key, $val := .Values.monitoring.serviceMonitor.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- else }} + {{- include "service-provider.selectorLabels" . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "service-provider.selectorLabels" . | nindent 6 }} + endpoints: + {{- if .Values.monitoring.operator }} + - port: https + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + scheme: https + tlsConfig: + ca: + secret: + name: {{ include "service-provider.fullname" . }}-webhook-cert + key: tls.crt + serverName: "{{ include "service-provider.fullname" . }}.{{ .Release.Namespace }}.svc" + {{- end }} +{{- end }} +{{ end }} diff --git a/charts/service-provider/templates/webhook-server/mutating_webhook.yaml b/charts/service-provider/templates/webhook-server/mutating_webhook.yaml new file mode 100644 index 000000000..b17bae6ec --- /dev/null +++ b/charts/service-provider/templates/webhook-server/mutating_webhook.yaml 
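Review bot: `tlsConfig.ca.secret.key` points at `tls.crt`, which in the `-webhook-cert` secret is the leaf serving certificate, not the issuer; the CA lives under `ca.crt` and that is the key a verifier should trust, so change it to `key: ca.crt`. In the same block `serverName` is built from `service-provider.fullname`, while the certificate generated in cert.yaml carries SANs for `service-provider.webhookServiceName` in the release namespace; the two only agree when both helpers return the same string, so `serverName: "{{ include "service-provider.webhookServiceName" . }}.{{ .Release.Namespace }}.svc"` is the safer form. This endpoint scrapes the kube-rbac-proxy port, so the verification only works once that container is configured to serve the chart's certificate.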
@@ -0,0 +1,30 @@ +{{- if .Values.apiserver.enableMutatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "service-provider.fullname" . }} + labels: + {{- include "service-provider.labels" . | nindent 4 }} +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "service-provider.webhookServiceName" . }} + namespace: {{ .Release.Namespace }} + path: /mutate-kubeware-dev-v1-clusterbinding + caBundle: {{ b64enc .Values.apiserver.ca }} + failurePolicy: Fail + name: clusterbindings.kubeware.dev + rules: + - apiGroups: + - kubeware.dev + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clusterbindings + sideEffects: None +{{ end }} diff --git a/charts/service-provider/templates/webhook-server/validating_webhook.yaml b/charts/service-provider/templates/webhook-server/validating_webhook.yaml new file mode 100644 index 000000000..f5e9b4178 --- /dev/null +++ b/charts/service-provider/templates/webhook-server/validating_webhook.yaml @@ -0,0 +1,30 @@ +{{- if .Values.apiserver.enableValidatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "service-provider.fullname" . }} + labels: + {{- include "service-provider.labels" . | nindent 4 }} +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "service-provider.webhookServiceName" . }} + namespace: {{ .Release.Namespace }} + path: /validate-kubeware-dev-v1-clusterbinding + caBundle: {{ b64enc .Values.apiserver.ca }} + failurePolicy: Fail + name: clusterbindings.kubeware.dev + rules: + - apiGroups: + - kubeware.dev + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clusterbindings + sideEffects: None +{{ end }} 
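Review bot: `caBundle: {{ b64enc .Values.apiserver.ca }}` uses a value whose default is the placeholder `not-ca-cert`, and it is not the CA that cert.yaml generates when `servingCerts.generate` is true, so the rendered configuration does not trust the server it points at; with `failurePolicy: Fail` every CREATE/UPDATE of `clusterbindings` is rejected until the bundle is corrected. values.yaml says the operator assigns this field at runtime; if that is the case, say so in a comment above `caBundle` here and in validating_webhook.yaml (which has the same line), and omit the key when the value is empty, e.g. `{{- with .Values.apiserver.ca }}` / `caBundle: {{ b64enc . }}` / `{{- end }}`, so a placeholder never reaches the API server. Neither webhook sets `timeoutSeconds`, so the API server's 10-second default applies; worth documenting alongside the `Fail` policy.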
diff --git a/charts/service-provider/templates/webhook-server/webhook_service.yaml b/charts/service-provider/templates/webhook-server/webhook_service.yaml new file mode 100644 index 000000000..aaa398804 --- /dev/null +++ b/charts/service-provider/templates/webhook-server/webhook_service.yaml @@ -0,0 +1,17 @@ +{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "service-provider.webhookServiceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "service-provider.labels" . | nindent 4 }} +spec: + selector: + app.kubernetes.io/component: webhook-server + {{- include "service-provider.selectorLabels" . | nindent 4 }} + ports: + - port: 443 + protocol: TCP + targetPort: 9443 +{{ end }} diff --git a/charts/service-provider/values.openapiv3_schema.yaml b/charts/service-provider/values.openapiv3_schema.yaml new file mode 100644 index 000000000..891e31f10 --- /dev/null +++ b/charts/service-provider/values.openapiv3_schema.yaml 
@@ -0,0 +1,846 @@ +properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + 
mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + 
properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + 
x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + apiserver: + properties: + bypassValidatingWebhookXray: + type: boolean + ca: + type: string + enableMutatingWebhook: + type: boolean + enableValidatingWebhook: + type: boolean + groupPriorityMinimum: + type: integer + healthcheck: + properties: + enabled: + type: boolean + type: object + servingCerts: + properties: + caCrt: + type: string + generate: + type: boolean + serverCrt: + type: string + serverKey: + type: string + required: + - generate + type: object + useKubeapiserverFqdnForAks: + type: boolean + versionPriority: + type: integer + required: + - bypassValidatingWebhookXray + - ca + - enableMutatingWebhook + - enableValidatingWebhook + - groupPriorityMinimum + - healthcheck + - servingCerts + - useKubeapiserverFqdnForAks + - versionPriority + type: object + criticalAddon: + type: boolean + fullnameOverride: + type: string + imagePullPolicy: + type: string + imagePullSecrets: + items: + type: string + type: array + logLevel: + format: int32 + type: integer + monitoring: + properties: + agent: + enum: + - prometheus.io + - prometheus.io/operator + - prometheus.io/builtin + type: string + serviceMonitor: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + required: + - agent + - serviceMonitor + type: object + nameOverride: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + operator: + properties: + registry: + type: string + repository: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - 
type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + tag: + type: string + required: + - registry + - repository + - tag + type: object + podAnnotations: + additionalProperties: + type: string + type: object + podLabels: + additionalProperties: + type: string + type: object + podSecurityContext: + properties: + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: 
+ localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + provider: + properties: + consumerScope: + type: string + external: + properties: + CAFile: + type: string + address: + type: string + serverName: + type: string + required: + - CAFile + - address + - serverName + type: object + namespacePrefix: + type: string + providerPrettyName: + type: string + required: + - consumerScope + - external + - namespacePrefix + - providerPrettyName + type: object + rbacproxy: + properties: + registry: + type: string + repository: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + 
readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + tag: + type: string + required: + - registry + - repository + - tag + type: object + registryFQDN: + type: string + replicaCount: + format: int32 + type: integer + serviceAccount: + properties: + annotations: + additionalProperties: + type: string + type: object + create: + type: boolean + name: + type: string + required: + - create + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array +required: +- imagePullPolicy +- monitoring +- operator +- provider +- rbacproxy +- registryFQDN +- replicaCount +- serviceAccount +type: object diff --git a/charts/service-provider/values.yaml b/charts/service-provider/values.yaml new file mode 100644 index 000000000..6814239ae --- /dev/null +++ b/charts/service-provider/values.yaml 
@@ -0,0 +1,152 @@ +# Default values for service-provider. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Overrides name template +nameOverride: "" +# Overrides fullname template +fullnameOverride: "" +# Number of stash operator replicas to create (only 1 is supported) +replicaCount: 1 + +# Docker registry fqdn used to pull Stash related images. +# Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} +registryFQDN: ghcr.io +operator: + # Docker registry used to pull operator image + registry: appscode + # Name of operator container image + repository: service-provider + # Operator container image tag + tag: "" + # Compute Resources required by the operator container + resources: # +doc-gen:break + requests: + cpu: "100m" + # Security options this container should run with + securityContext: # +doc-gen:break + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + # seccompProfile: + # type: RuntimeDefault + +rbacproxy: + # Docker registry used to pull operator image + registry: appscode + # Name of operator container image + repository: kube-rbac-proxy + # Operator container image tag + tag: v0.11.0 + # Compute Resources required by the operator container + resources: # +doc-gen:break + requests: + cpu: "100m" + # Security options this container should run with + securityContext: # +doc-gen:break + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + # seccompProfile: + # type: RuntimeDefault + +# Specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. 
+# +# Example: +# helm template charts/stash \ +# --set imagePullSecrets[0].name=sec0 \ +# --set imagePullSecrets[1].name=sec1 +imagePullSecrets: [] +# Container image pull policy +imagePullPolicy: IfNotPresent +# If true, installs Stash operator as critical addon +criticalAddon: false +# Log level for operator +logLevel: 3 +# Annotations applied to operator deployment +annotations: {} +# Annotations passed to operator pod(s). +podAnnotations: {} +# Labels passed to operator pod(s) +podLabels: {} +# Node labels for pod assignment +nodeSelector: # +doc-gen:break + kubernetes.io/os: linux +# Tolerations for pod assignment +tolerations: [] +# Affinity rules for pod assignment +affinity: {} +# Security options the operator pod should run with. +podSecurityContext: # +doc-gen:break + fsGroup: 65535 +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: +apiserver: + # The minimum priority the webhook api group should have at least. Please see + # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 + # for more information on proper values of this field. + groupPriorityMinimum: 10000 + # The ordering of the webhook api inside of the group. Please see + # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 + # for more information on proper values of this field + versionPriority: 15 + # If true, mutating webhook is configured for Kubernetes workloads + enableMutatingWebhook: true + # If true, validating webhook is configured for Stash CRDss + enableValidatingWebhook: false + # CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator. 
+ ca: not-ca-cert + # If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster. + bypassValidatingWebhookXray: false + # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) + useKubeapiserverFqdnForAks: true + healthcheck: + # If true, enables the readiness and liveliness probes for the operator pod. + enabled: false + servingCerts: + # If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) + # to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. + generate: true + # CA certficate used by serving certificate of webhook server. + caCrt: "" + # Serving certficate used by webhook server. + serverCrt: "" + # Private key for the serving certificate used by webhook server. + serverKey: "" +monitoring: + # Name of monitoring agent (either "prometheus.io/operator" or "prometheus.io/builtin") + agent: "none" + serviceMonitor: + # Specify the labels for ServiceMonitor. + # Prometheus crd will select ServiceMonitor using these labels. + # Only usable when monitoring agent is `prometheus.io/operator`. + labels: {} + +provider: + # the sync namespace created in the provider side will be named like bb- + namespacePrefix: "kubeware-" + # the name of the provider + providerPrettyName: "Appscode" + # How consumers access the service provider cluster. In Kubernetes, "namespaced" allows namespace isolation. + # In kcp, "cluster" allows workspace isolation, and with that allows cluster-scoped resources to bind, and it is generally more performant. + consumerScope: "Namespaced" + external: + # The external address for the service provider cluster, including https:// and port. If not specified, service account's hosts are used. + address: "" + # The external (TLS) server name used by consumers to talk to the service provider cluster. 
This can be useful to select the right certificate via SNI. + serverName: "" + # The external CA file for the service provider cluster. If not specified, service account's CA is used. + CAFile: "" diff --git a/hack/license/dockerfile.txt b/hack/license/dockerfile.txt index 47377ceba..8b1378917 100644 --- a/hack/license/dockerfile.txt +++ b/hack/license/dockerfile.txt @@ -1,14 +1 @@ -# Copyright AppsCode Inc. and Contributors -# -# Licensed under the AppsCode Community License 1.0.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/hack/license/makefile.txt b/hack/license/makefile.txt index 47377ceba..8b1378917 100644 --- a/hack/license/makefile.txt +++ b/hack/license/makefile.txt @@ -1,14 +1 @@ -# Copyright AppsCode Inc. and Contributors -# -# Licensed under the AppsCode Community License 1.0.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/hack/scripts/ct.sh b/hack/scripts/ct.sh index 298c2a635..241e3f9fd 100755 --- a/hack/scripts/ct.sh +++ b/hack/scripts/ct.sh 
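Review bot: Several comments are copied from the Stash chart and describe the wrong product: `Number of stash operator replicas`, `pull Stash related images`, `installs Stash operator as critical addon`, `validating webhook is configured for Stash CRDss`, and the `helm template charts/stash` example; replace each with the service-provider wording so the generated README is accurate. `apiserver.ca` defaults to the placeholder `not-ca-cert` while its comment says the operator assigns it; an empty default with `# set by the operator at runtime; leave empty` lets the templates omit `caBundle` when unset. Both container `securityContext` blocks leave `seccompProfile: type: RuntimeDefault` commented out although they already drop all capabilities and run non-root; enabling it is the remaining hardening step and the field has been supported since Kubernetes 1.19. `monitoring.agent: "none"` is also not among the values the schema's `enum` admits (`prometheus.io`, `prometheus.io/operator`, `prometheus.io/builtin`), so if that schema is enforced the default values fail validation.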
@@ -24,6 +24,9 @@ for dir in charts/*/; do
 if [ $num_files -le 1 ] ||
 [[ "$dir" = "accounts-ui" ]] ||
 [[ "$dir" = "ace" ]] ||
+ [[ "$dir" = "catalog-manager" ]] ||
+ [[ "$dir" = "service-backend" ]] ||
+ [[ "$dir" = "service-provider" ]] ||
 [[ "$dir" = "billing" ]] ||
 [[ "$dir" = "dns-proxy" ]] ||
 [[ "$dir" = "grafana" ]] ||
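Review bot: The three new comparisons follow the existing pattern `[[ "$dir" = "service-provider" ]]`, but the loop variable in the hunk header comes from `charts/*/`, so unless `dir` is normalized to a bare chart name earlier in the loop body (outside this hunk) it holds `charts/service-provider/` and none of these branches ever match. If no such normalization exists, compare against the path form, `[[ "$dir" = "charts/service-provider/" ]]`, or compute `name=$(basename "$dir")` once above the `if` and compare that. The enclosing `for` loop begins and ends outside the hunk.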