chore: mirror weave-gitops-4.0.15
upstream_repo: https://helm.gitops.weave.works
parent
cd6dd2a273
commit
3cbbc9e2cf
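--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/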
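--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1,2 @@
+formatter:
+pad_line_comments: 2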
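--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,14 @@
+apiVersion: v2
+appVersion: v0.18.0
+description: Weave Gitops is a set of tools and services to aid your interactions with Flux
+name: gitops-server
+type: application
+version: 4.0.15
+home: https://github.com/giantswarm/gitops-server-app
+icon: https://s.giantswarm.io/app-icons/weaveworks/1/icon_light.svg
+keywords:
+- gitops
+- flux
+annotations:
+application.giantswarm.io/team: team-honeybadger
+config.giantswarm.io/version: 1.x.x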
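Review bot: Chart.yaml declares no `kubeVersion` constraint, although the README added in this same commit states that the chart assumes Kubernetes > 1.17 and several templates branch on the cluster version. Adding `kubeVersion: ">=1.17.0-0"` lets helm refuse an install on an unsupported cluster up front instead of rendering legacy API versions. The `-0` suffix is the usual way to keep pre-release-style cluster versions (vendor build suffixes) matching the constraint.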
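--- /dev/null
+++ b/PATH-NOT-ON-PAGE-4
@@ -0,0 +1,52 @@
+# Weave Gitops Helm Chart
+
+This is the [Weave Gitops](https://github.com/weaveworks/weave-gitops) [Helm](https://helm.sh) chart.
+
+It installs the weave-gitops-server component as a 1-replica deployment.
+
+Optionally it will also install:
+* Service Account
+* ClusterRoleBinding (to the service account) and ClusterRole with the
+permissions required to run Gitops.
+* Service, this is optional as you may want to limit access to the UI to via
+port-forwarding
+* Ingress
+* Test User -- A test user with hard-coded username & password with minimal
+permissions
+
+This chart assumes kubernetes > 1.17
+
+## Security
+
+The role that this chart creates includes 2 main 'blocks' of permissions; that
+should be treated separately and carefully:
+
+* `impersonate` This is how the gitops-server gathers data to display in the UI,
+it impersonates the user, determined by OIDC/plain auth. This means that
+a user's permissions in the UI will reflect their permissions in the cluster
+* `get`, `list`, `watch` on `helmrepositories` and `secrets`. These permissions
+are required by the profiles system.
+
+### Impersonate
+
+When deploying gitops-server it is recommended to limit the types of resource
+and specific resources that the service account can impersonate. e.g.
+```yaml
+rbac:
+create: true
+impersonationResources: ["groups"]
+impersonationResourceNames: ["gitops-reader"]
+```
+
+Using groups is the recommended way of doing this as it means that you don't
+have to enumerate all users in a group.
+
+### Get helmrepositories
+
+This permissions are scoped to enable the profiles functionality of gitops-server
+and should not need to change.
+
+### Test User
+
+This user should not be used, it is intended for development and testing
+purposes and relies on static credentials in a secret.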
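--- /dev/null
+++ b/PATH-NOT-ON-PAGE-5
@@ -0,0 +1,11 @@
+# Helm chart reference
+<!-- The contents of this file is generated directly from the chart's values.yaml, please make any edits there -->
+
+This is a reference of all the configurable values in weave gitops's
+helm chart. This is intended for customizing your installation after
+you've gone through the [getting started](../getting-started/intro.mdx) guide.
+
+This reference was generated for the chart version {{ template
+"chart.version" . }} which installs weave gitops {{ template "chart.appVersion" . }}.
+
+{{ template "chart.valuesSection" . }}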
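--- /dev/null
+++ b/PATH-NOT-ON-PAGE-6
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+{{- range .paths }}
+http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+{{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "chart.fullname" . }})
+export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "chart.fullname" . }}'
+export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "chart.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "chart.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+echo "Visit http://127.0.0.1:8080 to use your application"
+kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}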
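Review bot: The NodePort, LoadBalancer and ClusterIP branches print `http://` URLs regardless of `.Values.serverTLS.enable`, while only the ingress branch switches the scheme (on `.Values.ingress.tls`); once server TLS is enabled the printed URLs do not work. The echo lines can derive the scheme the same way the ingress branch does, e.g. `echo http{{ if .Values.serverTLS.enable }}s{{ end }}://$NODE_IP:$NODE_PORT`, and likewise for the SERVICE_IP and 127.0.0.1 lines. The deployment in this commit switches the container to `--tls-cert-file` under that same flag, so it is the right signal to key on here.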
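--- /dev/null
+++ b/PATH-NOT-ON-PAGE-7
@@ -0,0 +1,91 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chart.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "common.capabilities.kubeVersion" -}}
+{{- if .Values.global }}
+{{- if .Values.global.kubeVersion }}
+{{- .Values.global.kubeVersion -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "resource.vpa.enabled" -}}
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.giantswarm.resources.vpa.enabled) }}true{{ else }}false{{ end }}
+{{- end -}}
+
+{{- define "deployment.resources" -}}
+requests:
+{{ toYaml .Values.giantswarm.resources.server.requests | indent 2 -}}
+{{ if eq (include "resource.vpa.enabled" .) "false" }}
+limits:
+{{ toYaml .Values.giantswarm.resources.server.limits | indent 2 -}}
+{{- end -}}
+{{- end -}}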
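Review bot: `common.capabilities.kubeVersion` repeats the `default .Capabilities.KubeVersion.Version .Values.kubeVersion` fallback in both the inner and the outer `else`, which is the kind of duplication that drifts when one copy is edited. The nested conditionals collapse to two lines: `{{- $global := .Values.global | default dict -}}` followed by `{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) $global.kubeVersion -}}`. The three helpers at the bottom (`resource.vpa.enabled`, `deployment.resources`) also lack the `{{/* … */}}` header comment every other helper in the file carries; a one-liner each, e.g. "Render requests, and limits only when the VPA is not managing them", would keep the file consistent.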
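--- /dev/null
+++ b/PATH-NOT-ON-PAGE-8
@@ -0,0 +1,16 @@
+{{- if .Values.adminUser.create }}
+{{- if .Values.adminUser.createSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: cluster-user-auth
+namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+{{- with .Values.adminUser }}
+username: {{ .username | b64enc | quote }}
+password: {{ .passwordHash | required "passwordHash must be set!" | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}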
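Review bot: The `username:` line base64-encodes `.username` without a `required` guard, while the `password:` line right below fails the render when `passwordHash` is unset; an unset or empty `adminUser.username` therefore produces an empty credential silently. Mirror the password line: `username: {{ .username | required "adminUser.username must be set!" | b64enc | quote }}`. The role bindings in this commit interpolate the same value into resource names, so an empty username would also render invalid binding names there.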
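--- /dev/null
+++ b/PATH-NOT-ON-PAGE-9
@@ -0,0 +1,79 @@
+{{- if .Values.adminUser.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: wego-admin-role
+namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: ["*"]
+resources: ["*"]
+verbs: [ "get", "list", "watch" ]
+
+- apiGroups: ["source.toolkit.fluxcd.io"]
+resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: ["kustomize.toolkit.fluxcd.io"]
+resources: [ "kustomizations" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+resources: [ "helmreleases" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: [ "notification.toolkit.fluxcd.io" ]
+resources: [ "providers", "alerts" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: ["infra.contrib.fluxcd.io"]
+resources: ["terraforms"]
+verbs: [ "get", "list", "watch", "patch" ]
+
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
+{{- end }}
+{{- if .Values.adminUser.createClusterRole }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: wego-admin-cluster-role
+rules:
+- apiGroups: ["*"]
+resources: ["*"]
+verbs: [ "get", "list", "watch" ]
+
+- apiGroups: ["source.toolkit.fluxcd.io"]
+resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: ["kustomize.toolkit.fluxcd.io"]
+resources: [ "kustomizations" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+resources: [ "helmreleases" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: [ "notification.toolkit.fluxcd.io" ]
+resources: [ "providers", "alerts" ]
+verbs: [ "get", "list", "watch" ]
+
+- apiGroups: ["infra.contrib.fluxcd.io"]
+resources: ["terraforms"]
+verbs: [ "get", "list", "watch", "patch" ]
+
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions"]
+verbs: ["list", "watch"]
+
+- apiGroups: [ "notification.toolkit.fluxcd.io" ]
+resources: [ "providers", "alerts" ]
+verbs: [ "get", "list", "watch", "patch" ]
+
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
+{{- end -}}
+{{- end }}
+{{- end }}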
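Review bot: The ClusterRole lists the `notification.toolkit.fluxcd.io` rule twice, first with `get, list, watch` and again near the end with `patch` added; RBAC rules are a union, so the first copy is dead and should be removed to keep the rule list honest. Separately, both the Role and the ClusterRole open with `apiGroups: ["*"] / resources: ["*"] / verbs: get, list, watch`, which includes reading every Secret in the namespace, and cluster-wide once `adminUser.createClusterRole` is set; the README in this commit already calls this user development-only, so a comment above that rule, e.g. `# Wildcard read (includes Secrets); this role backs the dev/test user only`, would make the reach explicit to anyone mirroring the chart. The two `additionalRules` blocks are also identical and could be a small named helper, but that is cosmetic.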
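--- /dev/null
+++ b/PATH-NOT-ON-PAGE-10
@@ -0,0 +1,31 @@
+{{- if .Values.adminUser.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ .Values.adminUser.username }}-user-read-resources
+namespace: {{ .Release.Namespace }}
+subjects:
+- kind: User
+name: wego-admin
+namespace: {{ .Release.Namespace }}
+roleRef:
+kind: Role
+name: wego-admin-role
+apiGroup: rbac.authorization.k8s.io
+{{- if .Values.adminUser.createClusterRole }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ .Values.adminUser.username }}-user-read-resources-cr
+subjects:
+- kind: User
+name: {{ .Values.adminUser.username }}
+apiGroup: rbac.authorization.k8s.io
+roleRef:
+kind: ClusterRole
+name: wego-admin-cluster-role
+apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}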
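Review bot: The RoleBinding subject is the literal `name: wego-admin`, while the ClusterRoleBinding below and both binding names use `{{ .Values.adminUser.username }}`; when the admin username is overridden the namespaced Role is bound to a user that does not exist and the configured user only receives the cluster-wide binding (or nothing when `createClusterRole` is false). Change the subject to `name: {{ .Values.adminUser.username }}` to match the rest of the file. The `namespace:` field under that `kind: User` subject is not used by RBAC (it is only meaningful for ServiceAccount subjects) and can go; the ClusterRoleBinding subject also carries the `apiGroup: rbac.authorization.k8s.io` that the RoleBinding subject omits, so the two should agree.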
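--- /dev/null
+++ b/PATH-NOT-ON-PAGE-11
@@ -0,0 +1,125 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "chart.fullname" . }}
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+replicas: {{ .Values.replicaCount }}
+selector:
+matchLabels:
+{{- include "chart.selectorLabels" . | nindent 6 }}
+template:
+metadata:
+{{- with .Values.podAnnotations }}
+annotations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+labels:
+{{- include "chart.selectorLabels" . | nindent 8 }}
+{{- with .Values.podLabels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+spec:
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+serviceAccountName: {{ include "chart.serviceAccountName" . }}
+securityContext:
+{{- toYaml .Values.podSecurityContext | nindent 8 }}
+containers:
+- name: {{ .Chart.Name }}
+securityContext:
+{{- toYaml .Values.securityContext | nindent 12 }}
+image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.server.image }}:{{ .Values.giantswarm.images.server.tag | default .Chart.AppVersion }}"
+imagePullPolicy: {{ .Values.giantswarm.images.server.pullPolicy }}
+args:
+- "--log-level"
+- "{{ .Values.logLevel }}"
+{{- if .Values.serverTLS.enable }}
+- "--tls-cert-file"
+- "/etc/tls-volume/tls.crt"
+- "--tls-private-key-file"
+- "/etc/tls-volume/tls.key"
+{{- else }}
+- "--insecure"
+{{- end }}
+{{- if .Values.metrics.enabled }}
+- "--enable-metrics"
+- "--metrics-address=:{{ .Values.metrics.service.port }}"
+{{- end }}
+{{- with .Values.additionalArgs }}
+{{- range . }}
+- {{ . | quote }}
+{{- end }}
+{{- end }}
+ports:
+- name: http
+containerPort: 9001
+protocol: TCP
+{{- if .Values.metrics.enabled }}
+- name: http-metrics
+containerPort: {{ .Values.metrics.service.port }}
+protocol: TCP
+{{- end }}
+livenessProbe:
+httpGet:
+path: /
+port: http
+{{- if .Values.serverTLS.enable }}
+scheme: HTTPS
+{{- end }}
+readinessProbe:
+httpGet:
+path: /
+port: http
+{{- if .Values.serverTLS.enable }}
+scheme: HTTPS
+{{- end }}
+env:
+{{- if .Values.envVars }}
+{{- with .Values.envVars }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- end }}
+resources:
+{{- include "deployment.resources" . | nindent 12 }}
+{{- if or .Values.serverTLS.enable .Values.extraVolumeMounts }}
+volumeMounts:
+{{- end }}
+{{- if .Values.serverTLS.enable }}
+- name: tls-volume
+readOnly: true
+mountPath: "/etc/tls-volume"
+{{- end }}
+{{- with .Values.extraVolumeMounts }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- if or .Values.serverTLS.enable .Values.extraVolumes }}
+volumes:
+{{- end }}
+{{- if .Values.serverTLS.enable }}
+- name: tls-volume
+secret:
+secretName: {{ .Values.serverTLS.secretName }}
+{{ end }}
+{{- with .Values.extraVolumes }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}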
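Review bot: In the `volumes` block, `secretName: {{ .Values.serverTLS.secretName }}` has no `required` guard, so enabling `serverTLS.enable` without a secret name renders `secretName:` as null and the failure only shows up when the kubelet tries to mount the volume; `secretName: {{ .Values.serverTLS.secretName | required "serverTLS.secretName must be set when serverTLS.enable is true" }}` surfaces it at render time, the way this commit already guards the OIDC and admin-user secrets. The `{{ end }}` that closes that block is the only one in the file without the `{{-` trim and leaves a stray blank line in the rendered manifest; `{{- end }}` matches the rest of the template. The `env:` key is also emitted unconditionally while its content is wrapped in `if`/`with`, so an empty `envVars` renders `env:` with a null value; moving `env:` inside the `with` keeps the manifest tidy.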
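--- /dev/null
+++ b/PATH-NOT-ON-PAGE-12
@@ -0,0 +1,27 @@
+{{ if eq (include "resource.vpa.enabled" .) "true" }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+name: gitops-server
+namespace: {{ .Release.Namespace }}
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+spec:
+resourcePolicy:
+containerPolicies:
+- containerName: {{ .Chart.Name }}
+controlledValues: RequestsAndLimits
+minAllowed:
+cpu: {{ .Values.giantswarm.resources.server.requests.cpu }}
+memory: {{ .Values.giantswarm.resources.server.requests.memory }}
+maxAllowed:
+cpu: 1000m
+memory: 1000Mi
+mode: Auto
+targetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: {{ include "chart.fullname" . }}
+updatePolicy:
+updateMode: Auto
+{{ end }}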
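Review bot: `maxAllowed` is hard-coded to `1000m` / `1000Mi` while `minAllowed` is taken from `giantswarm.resources.server.requests`, so a user who raises the requests above that ceiling gets a VPA whose minimum exceeds its maximum. The schema added in this commit already declares `giantswarm.resources.server.limits.cpu` and `.memory`, so `cpu: {{ .Values.giantswarm.resources.server.limits.cpu }}` and `memory: {{ .Values.giantswarm.resources.server.limits.memory }}` would make the ceiling configurable, with a values.yaml comment noting that limits double as the VPA ceiling when VPA is enabled. The object name `gitops-server` is also a fixed string where the deployment uses `{{ include "chart.fullname" . }}`, which breaks with two releases in one namespace.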
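--- /dev/null
+++ b/PATH-NOT-ON-PAGE-13
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "chart.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+{{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+name: {{ $fullName }}
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+{{- with .Values.ingress.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ingressClassName: {{ .Values.ingress.className }}
+{{- end }}
+{{- if .Values.ingress.tls }}
+tls:
+{{- range .Values.ingress.tls }}
+- hosts:
+{{- range .hosts }}
+- {{ . | quote }}
+{{- end }}
+secretName: {{ .secretName }}
+{{- end }}
+{{- end }}
+rules:
+{{- range .Values.ingress.hosts }}
+- host: {{ .host | quote }}
+http:
+paths:
+{{- range .paths }}
+- path: {{ .path }}
+{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+pathType: {{ .pathType }}
+{{- end }}
+backend:
+{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+service:
+name: {{ $fullName }}
+port:
+number: {{ $svcPort }}
+{{- else }}
+serviceName: {{ $fullName }}
+servicePort: {{ $svcPort }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}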
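--- /dev/null
+++ b/PATH-NOT-ON-PAGE-14
@@ -0,0 +1,34 @@
+{{- if .Values.networkPolicy.create -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-dashboard-ingress
+spec:
+podSelector:
+matchLabels:
+{{- include "chart.selectorLabels" . | nindent 6 }}
+ingress:
+- ports:
+- port: 9001
+protocol: TCP
+{{- if .Values.metrics.enabled }}
+- port: {{ .Values.metrics.service.port }}
+protocol: TCP
+{{- end }}
+policyTypes:
+- Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-dashboard-egress
+spec:
+podSelector:
+matchLabels:
+{{- include "chart.selectorLabels" . | nindent 6 }}
+egress:
+- {}
+policyTypes:
+- Egress
+{{- end -}}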
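Review bot: The `allow-dashboard-ingress` rule has no `from:` selector, so it admits traffic to port 9001 (and the metrics port) from every pod and namespace, and the egress policy's single `- {}` rule is an allow-all; together the pair only narrows which ports are reachable, not who may reach the dashboard. If that is deliberate, a comment above `ingress:` such as `# No from: selector on purpose: any peer may reach the UI; only the ports are restricted` stops readers assuming the UI is isolated; otherwise a values-driven `from:` (for example an ingress-controller namespace/pod selector) would make the policy meaningful. Both object names are fixed strings rather than `{{ include "chart.fullname" . }}`, so two releases in one namespace would collide, and neither sets `metadata.namespace` although the other namespaced objects in this commit do.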
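--- /dev/null
+++ b/PATH-NOT-ON-PAGE-15
@@ -0,0 +1,15 @@
+{{- if .Values.oidcSecret.create -}}
+apiVersion: v1
+kind: Secret
+metadata:
+name: oidc-auth
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+data:
+{{- with .Values.oidcSecret }}
+clientID: {{ .clientID | required "oidcSecret.clientID must be set" | b64enc | quote }}
+clientSecret: {{ .clientSecret | required "oidcSecret.clientSecret must be set" | b64enc | quote }}
+issuerURL: {{ .issuerURL | required "oidcSecret.issuerURL must be set" | b64enc | quote }}
+redirectURL: {{ .redirectURL | required "oidcSecret.redirectURL must be set" | b64enc | quote }}
+{{- end }}
+{{- end }}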
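--- /dev/null
+++ b/PATH-NOT-ON-PAGE-16
@@ -0,0 +1,47 @@
+{{- if .Values.giantswarm.rbac.create -}}
+{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- end }}
+kind: ClusterRole
+metadata:
+name: {{ include "chart.fullname" . }}
+rules:
+# impersonation rules for ui calls
+{{- if .Values.giantswarm.rbac.impersonation.users.enabled }}
+- apiGroups: [""]
+resources: ["users"]
+verbs: [ "impersonate" ]
+{{- with .Values.giantswarm.rbac.impersonation.users.resourceNames }}
+resourceNames: {{ . | toJson }}
+{{- end }}
+{{- end }}
+{{- if .Values.giantswarm.rbac.impersonation.groups.enabled }}
+{{- if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled) }}
+{{- fail "Enabling impersonation for groups requires users impersonation permissions, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation" }}
+{{- end }}
+- apiGroups: [""]
+resources: ["groups"]
+verbs: [ "impersonate" ]
+{{- with .Values.giantswarm.rbac.impersonation.groups.resourceNames }}
+resourceNames: {{ . | toJson }}
+{{- end }}
+{{- end }}
+# Access to enterprise entitlement
+- apiGroups: [""]
+resources: [ "secrets" ]
+verbs: [ "get", "list" ]
+{{- with .Values.giantswarm.rbac.viewSecretsResourceNames }}
+resourceNames: {{ . | toJson }}
+{{- end }}
+# The service account needs to read namespaces to know where it can query
+- apiGroups: [ "" ]
+resources: [ "namespaces" ]
+verbs: [ "get", "list", "watch" ]
+# The service account needs to list custom resources to query if given feature
+# is available or not.
+- apiGroups: [ "apiextensions.k8s.io" ]
+resources: [ "customresourcedefinitions" ]
+verbs: [ "list" ]
+{{- end -}}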
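Review bot: The `secrets` rule under `# Access to enterprise entitlement` grants `get` and `list` on every Secret in the cluster whenever `viewSecretsResourceNames` is left empty, which is a wide read grant for the UI's own service account; and when the list is populated, as far as I know Kubernetes only honours `resourceNames` on `list` for requests that carry a `metadata.name` field selector, so an unqualified list is denied anyway. Dropping `list` and keeping `get` on the named secrets would give the working behaviour with a much smaller grant, provided the server does not depend on listing; that should be confirmed against the upstream code rather than assumed. The inner guard `and …groups.enabled (not …users.enabled)` repeats the enclosing `if` and reads cleaner as `{{- if not .Values.giantswarm.rbac.impersonation.users.enabled }}`; the `resourceNames` lines for users/groups could also carry a comment stating that an empty list means impersonation of any user or group, since that is the permissive default here.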
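--- /dev/null
+++ b/PATH-NOT-ON-PAGE-17
@@ -0,0 +1,24 @@
+{{- if .Values.giantswarm.rbac.create -}}
+{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+name: {{ include "chart.fullname" . }}
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+{{- with .Values.giantswarm.rbac.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "chart.serviceAccountName" . }}
+namespace: {{ .Release.Namespace }}
+roleRef:
+kind: ClusterRole
+name: {{ include "chart.fullname" . }}
+apiGroup: rbac.authorization.k8s.io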
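--- /dev/null
+++ b/PATH-NOT-ON-PAGE-18
@@ -0,0 +1,33 @@
+{{- if .Values.service.create -}}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "chart.fullname" . }}
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+annotations:
+{{- with .Values.service.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- if .Values.metrics.enabled }}
+{{- tpl (.Values.metrics.service.annotations | toYaml) $ | nindent 4 }}
+{{- end }}
+spec:
+type: {{ .Values.service.type }}
+ports:
+- port: {{ .Values.service.port }}
+targetPort: http
+{{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }}
+nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+protocol: TCP
+name: http
+{{- if .Values.metrics.enabled }}
+- port: {{ .Values.metrics.service.port }}
+targetPort: {{ .Values.metrics.service.port }}
+protocol: TCP
+name: http-metrics
+{{- end }}
+selector:
+{{- include "chart.selectorLabels" . | nindent 4 }}
+{{- end -}}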
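--- /dev/null
+++ b/PATH-NOT-ON-PAGE-19
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "chart.serviceAccountName" . }}
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}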
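--- /dev/null
+++ b/PATH-NOT-ON-PAGE-20
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: "{{ include "chart.fullname" . }}-test-connection"
+labels:
+{{- include "chart.labels" . | nindent 4 }}
+annotations:
+"helm.sh/hook": test
+spec:
+containers:
+- name: wget
+image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.test.image }}:{{ .Values.giantswarm.images.test.tag }}"
+imagePullPolicy: {{ .Values.giantswarm.images.test.pullPolicy }}
+command: ['wget']
+args: ['{{ include "chart.fullname" . }}:{{ .Values.service.port }}']
+securityContext:
+readOnlyRootFilesystem: true
+runAsUser: 1000
+resources:
+{{- toYaml .Values.giantswarm.resources.test | nindent 8 }}
+restartPolicy: Never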
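Review bot: The test container's `securityContext` sets only `readOnlyRootFilesystem` and `runAsUser`, omitting `runAsNonRoot`, `allowPrivilegeEscalation: false`, a dropped capability set and a seccomp profile, so the hook pod is rejected in namespaces that enforce the Pod Security `restricted` profile even when the main deployment's context (taken from values) passes. The block below completes it without changing what the test does. The `wget` argument is also always a plain-HTTP `host:port`, so with `serverTLS.enable` the hook cannot succeed; the scheme should follow that flag the way the deployment's probes switch to `scheme: HTTPS`.
```yaml
securityContext:
  readOnlyRootFilesystem: true
  runAsUser: 1000
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: RuntimeDefault
```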
@ -0,0 +1,497 @@
{
|
||||
"$schema": "http://json-schema.org/schema#",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"adminUser": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"createClusterRole": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"createSecret": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"passwordHash": {
|
||||
"type": "string"
|
||||
},
|
||||
"username": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"affinity": {
|
||||
"type": "object"
|
||||
},
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"envVars": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"value": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"extraVolumeMounts": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"mountPath": {
|
||||
"type": "string"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"readOnly": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"extraVolumes": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"csi": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"driver": {
|
||||
"type": "string"
|
||||
},
|
||||
"readOnly": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"volumeAttributes": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"secretProviderClass": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"fullnameOverride": {
|
||||
"type": "string"
|
||||
},
|
||||
"giantswarm": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"images": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"server": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"image": {
|
||||
"type": "string"
|
||||
},
|
||||
"pullPolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"tag": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"test": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"image": {
|
||||
"type": "string"
|
||||
},
|
||||
"pullPolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"tag": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"rbac": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"additionalRules": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"apiGroups": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"verbs": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"impersonation": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"groups": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"resourceNames": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"users": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"resourceNames": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"viewSecretsResourceNames": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"resources": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"vpa":{
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"server": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"limits": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"requests": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"test": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"limits": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"requests": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"image": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"registry": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"imagePullSecrets": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"ingress": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"className": {
|
||||
"type": "string"
|
||||
},
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"hosts": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"host": {
|
||||
"type": "string"
|
||||
},
|
||||
"paths": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"path": {
|
||||
"type": "string"
|
||||
},
|
||||
"pathType": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"tls": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"hosts": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"secretName": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"logLevel": {
|
||||
"type": "string"
|
||||
},
|
||||
"metrics": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"service": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"prometheus.io/path": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/port": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/scrape": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"nameOverride": {
|
||||
"type": "string"
|
||||
},
|
||||
"networkPolicy": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"nodeSelector": {
|
||||
"type": "object"
|
||||
},
|
||||
"oidcSecret": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"podAnnotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"podLabels": {
|
||||
"type": "object"
|
||||
},
|
||||
"podSecurityContext": {
|
||||
"type": "object"
|
||||
},
|
||||
"replicaCount": {
|
||||
"type": "integer"
|
||||
},
|
||||
"securityContext": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"capabilities": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"drop": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"runAsNonRoot": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"runAsUser": {
|
||||
"type": "integer"
|
||||
},
|
||||
"seccompProfile": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"type": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"serverTLS": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enable": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"secretName": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"service": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
},
|
||||
"type": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"serviceAccount": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tolerations": {
|
||||
"type": "array"
|
||||
}
|
||||
}
|
||||
}
|
|
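--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,206 @@
+giantswarm:
+  images:
+    server:
+      image: giantswarm/weaveworks-wego-app
+      pullPolicy: IfNotPresent
+      tag: v0.18.0
+    test:
+      image: giantswarm/busybox
+      pullPolicy: IfNotPresent
+      tag: 1.36.0
+  resources:
+    vpa:
+      enabled: true
+    server:
+      limits:
+        cpu: 200m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+    test:
+      requests:
+        cpu: 10m
+        memory: 2Mi
+      limits:
+        cpu: 10m
+        memory: 4Mi
+  rbac:
+    create: true
+    impersonation:
+      users:
+        enabled: true
+        # -- If non-empty, this limits the users names that the service account
+        # can impersonate, e.g. `['user1@corporation.com', 'user2@corporation.com']`
+        resourceNames: []
+      groups:
+        enabled: true
+        # -- If non-empty, this limits the groups names that the service account
+        # can impersonate, e.g. `['admins', 'operations', 'devops']`
+        resourceNames: []
+    # -- If non-empty, this limits the secrets that can be accessed by
+    # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
+    viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
+    # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
+    # for example,
+    # additionalRules:
+    # - apiGroups: ["infra.contrib.fluxcd.io"]
+    #   resources: ["terraforms"]
+    #   verbs: [ "get", "list", "patch" ]
+    additionalRules: []
+replicaCount: 1
+image:
+  registry: gsoci.azurecr.io
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+# -- What log level to output. Valid levels are 'debug', 'info', 'warn' and 'error'
+logLevel: info
+# Additional arguments to pass in
+# additionalArgs:
+# Any other environment variables:
+envVars:
+  - name: WEAVE_GITOPS_FEATURE_TENANCY
+    value: "true"
+  - name: WEAVE_GITOPS_FEATURE_CLUSTER
+    value: "false"
+# -- Annotations to add to the deployment
+annotations: {}
+# Should the 'oidc-auth' secret be created. For a detailed
+# explanation of these attributes please see our documentation:
+# https://docs.gitops.weave.works/docs/configuration/securing-access-to-the-dashboard/#login-via-an-oidc-provider
+oidcSecret:
+  create: false
+  # clientID:
+  # clientSecret:
+  # issuerURL:
+  # redirectURL:
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: true
+  # -- Annotations to add to the service account
+  annotations: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+adminUser:
+  # -- Whether the local admin user should be created.
+  # If you use this make sure you add it to `giantswarm.rbac.impersonation.users.resourceNames`.
+  create: false
+  # -- Specifies whether the clusterRole & binding to the admin user should be created.
+  # Will be created only if `adminUser.create` is enabled. Without this,
+  # the adminUser will only be able to see resources in the target namespace.
+  createClusterRole: true
+  # -- Whether we should create the secret for the local
+  # adminUser. Will be created only if `adminUser.create` is
+  # enabled. Without this, we'll still set up the roles and
+  # permissions, but the secret with username and password has to be
+  # provided separately.
+  createSecret: true
+  # -- Set username for local admin user, this should match the value in the secret `cluster-user-auth`
+  # which can be created with `adminUser.createSecret`. Requires `adminUser.create`.
+  username: gitops-test-user
+  # -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
+  # This needs to have been hashed using bcrypt.
+  # You can do this via our CLI with `gitops get bcrypt-hash`.
+  passwordHash: ""
+podAnnotations: {}
+podLabels: {}
+  # aadpodidbinding: identity
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext:
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault
+  runAsUser: 1000
+  readOnlyRootFilesystem: true
+service:
+  create: true
+  type: ClusterIP
+  port: 9001
+  # nodePort:
+  annotations: {}
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts: []
+    # - host: chart-example.local
+    #   paths:
+    #     - path: /
+    #       pathType: ImplementationSpecific
+    #
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+extraVolumes: []
+extraVolumeMounts: []
+# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
+# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
+# secretProviderClass so this will be created by the secrets store CSI driver.
+# See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
+# extraVolumeMounts:
+# - name: ww-gitops-oauth-volume
+#   mountPath: /mnt/secrets
+#   readOnly: true
+# extraVolumes:
+# - name: ww-gitops-oauth-volume
+#   csi:
+#     driver: secrets-store.csi.k8s.io
+#     readOnly: true
+#     volumeAttributes:
+#       secretProviderClass: ww-gitops-oauth-provider
+
+networkPolicy:
+  # -- Specifies whether default network policies should be created.
+  create: true
+nodeSelector: {}
+tolerations: []
+affinity: {}
+serverTLS:
+  # -- Enable TLS termination in gitops itself. If you enable this,
+  # you need to create a secret, and specify the secretName. Another
+  # option is to create an ingress.
+  enable: false
+  # -- Specify the tls secret name. This type of secrets have a key called `tls.crt` and `tls.key` containing their corresponding values in base64 format.
+  # See
+  # https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more details and examples
+  secretName: "my-secret-tls"
+  # Example of tls secret
+  #
+  # apiVersion: v1
+  # kind: Secret
+  # metadata:
+  #   name: my-secret-tls
+  # type: kubernetes.io/tls
+  # data:
+  #   # the data is abbreviated in this example
+  #   tls.crt: |
+  #     MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
+  #   tls.key: |
+  #     MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
+  #
+  # You can also create a tls secre t from files whith this k8s command:
+  # kubectl create secret tls my-tls-secret \
+  #   --cert=path/to/cert/file \
+  #   --key=path/to/key/file
+metrics:
+  # -- Start the metrics exporter
+  enabled: false
+  service:
+    # -- Port to start the metrics exporter on
+    port: 2112
+    # -- Annotations to set on the service
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/path: "/metrics"
+      prometheus.io/port: "{{ .Values.metrics.service.port }}"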
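Review bot: `giantswarm.rbac.impersonation.users` and `.groups` both default to `enabled: true` with `resourceNames: []`, and the inline comments confirm that an empty list does not restrict anything, so the server's service account is granted impersonation of every user and every group — including `system:masters` — which makes a compromise of the gitops-server pod equivalent to cluster-admin. That is the usual trade-off for a dashboard that acts as whichever OIDC identity logs in, but the values file should state the blast radius rather than only describe the knob. I would extend both comments with `# WARNING: an empty list permits impersonation of *any* user/group (including system:masters); enumerate the expected identities in production.` Because RBAC `resourceNames` is an allow-list, listing the expected groups explicitly is the only way to keep `system:masters` and the other `system:` groups out; the ClusterRole template that renders these values is outside this hunk, so whether it adds a guard of its own cannot be confirmed here.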
|