Add gitops-server
ci/woodpecker/push/woodpecker Pipeline failed
Details
ci/woodpecker/push/woodpecker Pipeline failed
Details
This commit is contained in:
parent
ff4f8ef910
commit
e55a24dbd6
|
@ -0,0 +1,27 @@
|
|||
{{ if eq (include "resource.vpa.enabled" .) "true" }}
|
||||
apiVersion: autoscaling.k8s.io/v1
|
||||
kind: VerticalPodAutoscaler
|
||||
metadata:
|
||||
name: gitops-server
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "chart.labels" . | nindent 4 }}
|
||||
spec:
|
||||
resourcePolicy:
|
||||
containerPolicies:
|
||||
- containerName: {{ .Chart.Name }}
|
||||
controlledValues: RequestsAndLimits
|
||||
minAllowed:
|
||||
cpu: {{ .Values.giantswarm.resources.server.requests.cpu }}
|
||||
memory: {{ .Values.giantswarm.resources.server.requests.memory }}
|
||||
maxAllowed:
|
||||
cpu: 1000m
|
||||
memory: 1000Mi
|
||||
mode: Auto
|
||||
targetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ include "chart.fullname" . }}
|
||||
updatePolicy:
|
||||
updateMode: Auto
|
||||
{{ end }}
|
90
helmule.yaml
90
helmule.yaml
|
@ -1,3 +1,6 @@
|
|||
variables:
|
||||
global: example
|
||||
|
||||
repositories:
|
||||
# -- Because their helm repo seems not to be accessible
|
||||
- name: zot-git
|
||||
|
@ -6,7 +9,13 @@ repositories:
|
|||
git_ref: main
|
||||
# git_ref: zot-0.1.42
|
||||
path: charts
|
||||
- name: weave
|
||||
helm:
|
||||
url: https://helm.gitops.weave.works
|
||||
charts:
|
||||
# -------------------------------------------------------------------
|
||||
# -- Zot Application
|
||||
# -------------------------------------------------------------------
|
||||
- name: zot
|
||||
repository: zot-git
|
||||
extensions:
|
||||
|
@ -16,6 +25,8 @@ charts:
|
|||
- name: Add values for CI
|
||||
source_dir: ./extensions/ci-values
|
||||
target_dir: ci
|
||||
variables:
|
||||
target_repo: zot-app
|
||||
patches:
|
||||
- name: Add team annotation
|
||||
yq:
|
||||
|
@ -48,14 +59,85 @@ charts:
|
|||
- yamlfmt values.yaml --conf ./yamlfmt.yaml
|
||||
- rm -f yamlfmt.yaml
|
||||
mirrors:
|
||||
- zot-app-git
|
||||
- apps-git
|
||||
# -------------------------------------------------------------------
|
||||
# -- GitOps Server Application
|
||||
# -------------------------------------------------------------------
|
||||
- name: weave-gitops
|
||||
repository: weave
|
||||
version: 4.0.15
|
||||
variables:
|
||||
target_repo: app-gitops-server
|
||||
mirrors:
|
||||
- apps-git
|
||||
extensions:
|
||||
- name: Add VPA
|
||||
source_dir: ./extensions/vpa-gitops-server
|
||||
target_dir: templates/gs-vpa
|
||||
patches:
|
||||
- name: Git patch
|
||||
git:
|
||||
path: ./patches/git/gitops-server.patch
|
||||
- name: Generate values.schema
|
||||
custom_command:
|
||||
commands:
|
||||
- helm schema-gen values.yaml > values.schema.json
|
||||
- name: Git patch for values schema
|
||||
git:
|
||||
path: ./patches/git/gitops-server-values-schema.patch
|
||||
- name: Git patch for test-job security
|
||||
git:
|
||||
path: ./patches/git/gitops-server-test-job.patch
|
||||
# -- Update Chart.ymal
|
||||
- name: Change the chart name
|
||||
yq:
|
||||
op: Replace
|
||||
file: Chart.yaml
|
||||
key: .name
|
||||
value: gitops-server
|
||||
- name: Set the home URL
|
||||
yq:
|
||||
op: Add
|
||||
file: Chart.yaml
|
||||
key: .home
|
||||
value: https://github.com/giantswarm/gitops-server-app
|
||||
- name: set the icon url
|
||||
yq:
|
||||
op: Add
|
||||
file: Chart.yaml
|
||||
key: .icon
|
||||
value: https://s.giantswarm.io/app-icons/weaveworks/1/icon_light.svg
|
||||
- name: Add keywords
|
||||
yq:
|
||||
op: Add
|
||||
file: Chart.yaml
|
||||
key: .keywords
|
||||
value: '["gitops", "flux"]'
|
||||
- name: Add team annotation
|
||||
yq:
|
||||
op: Add
|
||||
key: .annotations."application.giantswarm.io/team"
|
||||
value: team-honeybadger
|
||||
file: Chart.yaml
|
||||
- name: Add team annotation
|
||||
yq:
|
||||
op: Add
|
||||
key: .annotations."config.giantswarm.io/version"
|
||||
value: 1.x.x
|
||||
file: Chart.yaml
|
||||
- name: yamlfmt
|
||||
custom_command:
|
||||
commands:
|
||||
- "cat <<EOT >> .yamlfmt\n formatter:\n pad_line_comments: 2\nEOT"
|
||||
- yamlfmt values.yaml --conf ./yamlfmt.yaml
|
||||
- rm -f yamlfmt.yaml
|
||||
mirrors:
|
||||
- name: zot-app-git
|
||||
- name: apps-git
|
||||
git:
|
||||
url: git@git.badhouseplants.net:allanger/zot-app.git
|
||||
url: git@git.badhouseplants.net:allanger/{{ vars.target_repo }}.git
|
||||
git_dir: app-{{ name }}-git
|
||||
branch: upgrade-{{ name }}-to-{{ version }}
|
||||
path: helm/{{ name }}
|
||||
commit: |-
|
||||
chore: mirror {{ name }}-{{ version }}
|
||||
|
||||
upstream_repo: {{ repo_url }}
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml
|
||||
index 8dfed87..b4b98bc 100644
|
||||
--- a/templates/tests/test-connection.yaml
|
||||
+++ b/templates/tests/test-connection.yaml
|
||||
@@ -9,7 +9,13 @@ metadata:
|
||||
spec:
|
||||
containers:
|
||||
- name: wget
|
||||
- image: busybox
|
||||
+ image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.test.image }}:{{ .Values.giantswarm.images.test.tag }}"
|
||||
+ imagePullPolicy: {{ .Values.giantswarm.images.test.pullPolicy }}
|
||||
command: ['wget']
|
||||
args: ['{{ include "chart.fullname" . }}:{{ .Values.service.port }}']
|
||||
+ securityContext:
|
||||
+ readOnlyRootFilesystem: true
|
||||
+ runAsUser: 1000
|
||||
+ resources:
|
||||
+ {{- toYaml .Values.giantswarm.resources.test | nindent 8 }}
|
||||
restartPolicy: Never
|
|
@ -0,0 +1,210 @@
|
|||
diff --git a/values.schema.json b/values.schema.json
|
||||
index f759f82..c0762fa 100644
|
||||
--- a/values.schema.json
|
||||
+++ b/values.schema.json
|
||||
@@ -43,10 +43,51 @@
|
||||
}
|
||||
},
|
||||
"extraVolumeMounts": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "mountPath": {
|
||||
+ "type": "string"
|
||||
+ },
|
||||
+ "name": {
|
||||
+ "type": "string"
|
||||
+ },
|
||||
+ "readOnly": {
|
||||
+ "type": "boolean"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
},
|
||||
"extraVolumes": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "csi": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "driver": {
|
||||
+ "type": "string"
|
||||
+ },
|
||||
+ "readOnly": {
|
||||
+ "type": "boolean"
|
||||
+ },
|
||||
+ "volumeAttributes": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "secretProviderClass": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ },
|
||||
+ "name": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
},
|
||||
"fullnameOverride": {
|
||||
"type": "string"
|
||||
@@ -91,7 +132,30 @@
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"additionalRules": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "apiGroups": {
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ },
|
||||
+ "resources": {
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ },
|
||||
+ "verbs": {
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
@@ -106,7 +170,10 @@
|
||||
"type": "boolean"
|
||||
},
|
||||
"resourceNames": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
}
|
||||
}
|
||||
},
|
||||
@@ -117,7 +184,10 @@
|
||||
"type": "boolean"
|
||||
},
|
||||
"resourceNames": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -134,6 +204,14 @@
|
||||
"resources": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
+ "vpa":{
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "enabled": {
|
||||
+ "type": "boolean"
|
||||
+ }
|
||||
+ }
|
||||
+ },
|
||||
"server": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
@@ -187,14 +265,6 @@
|
||||
}
|
||||
}
|
||||
}
|
||||
- },
|
||||
- "vpa": {
|
||||
- "type": "object",
|
||||
- "properties": {
|
||||
- "enabled": {
|
||||
- "type": "boolean"
|
||||
- }
|
||||
- }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -209,7 +279,15 @@
|
||||
}
|
||||
},
|
||||
"imagePullSecrets": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "name": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
},
|
||||
"ingress": {
|
||||
"type": "object",
|
||||
@@ -224,10 +302,46 @@
|
||||
"type": "boolean"
|
||||
},
|
||||
"hosts": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "host": {
|
||||
+ "type": "string"
|
||||
+ },
|
||||
+ "paths": {
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "path": {
|
||||
+ "type": "string"
|
||||
+ },
|
||||
+ "pathType": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
},
|
||||
"tls": {
|
||||
- "type": "array"
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "object",
|
||||
+ "properties": {
|
||||
+ "hosts": {
|
||||
+ "type": "array",
|
||||
+ "items": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ },
|
||||
+ "secretName": {
|
||||
+ "type": "string"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
},
|
|
@ -0,0 +1,307 @@
|
|||
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
|
||||
index af32c5b..1fdf723 100644
|
||||
--- a/templates/_helpers.tpl
|
||||
+++ b/templates/_helpers.tpl
|
||||
@@ -39,6 +39,7 @@ helm.sh/chart: {{ include "chart.chart" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
@@ -75,3 +76,16 @@ Return the target Kubernetes version
|
||||
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
+
|
||||
+{{- define "resource.vpa.enabled" -}}
|
||||
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.giantswarm.resources.vpa.enabled) }}true{{ else }}false{{ end }}
|
||||
+{{- end -}}
|
||||
+
|
||||
+{{- define "deployment.resources" -}}
|
||||
+requests:
|
||||
+{{ toYaml .Values.giantswarm.resources.server.requests | indent 2 -}}
|
||||
+{{ if eq (include "resource.vpa.enabled" .) "false" }}
|
||||
+limits:
|
||||
+{{ toYaml .Values.giantswarm.resources.server.limits | indent 2 -}}
|
||||
+{{- end -}}
|
||||
+{{- end -}}
|
||||
diff --git a/templates/admin-user-roles.yaml b/templates/admin-user-roles.yaml
|
||||
index 74a1844..c0fa72c 100644
|
||||
--- a/templates/admin-user-roles.yaml
|
||||
+++ b/templates/admin-user-roles.yaml
|
||||
@@ -30,8 +30,8 @@ rules:
|
||||
resources: ["terraforms"]
|
||||
verbs: [ "get", "list", "watch", "patch" ]
|
||||
|
||||
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
|
||||
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
|
||||
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
|
||||
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
|
||||
{{- end }}
|
||||
{{- if .Values.adminUser.createClusterRole }}
|
||||
---
|
||||
@@ -72,8 +72,8 @@ rules:
|
||||
resources: [ "providers", "alerts" ]
|
||||
verbs: [ "get", "list", "watch", "patch" ]
|
||||
|
||||
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
|
||||
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
|
||||
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
|
||||
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
|
||||
index a54c37c..a498259 100644
|
||||
--- a/templates/deployment.yaml
|
||||
+++ b/templates/deployment.yaml
|
||||
@@ -36,8 +36,8 @@ spec:
|
||||
- name: {{ .Chart.Name }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||
- imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
+ image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.server.image }}:{{ .Values.giantswarm.images.server.tag | default .Chart.AppVersion }}"
|
||||
+ imagePullPolicy: {{ .Values.giantswarm.images.server.pullPolicy }}
|
||||
args:
|
||||
- "--log-level"
|
||||
- "{{ .Values.logLevel }}"
|
||||
@@ -88,7 +88,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
- {{- toYaml .Values.resources | nindent 12 }}
|
||||
+ {{- include "deployment.resources" . | nindent 12 }}
|
||||
{{- if or .Values.serverTLS.enable .Values.extraVolumeMounts }}
|
||||
volumeMounts:
|
||||
{{- end }}
|
||||
diff --git a/templates/role.yaml b/templates/role.yaml
|
||||
index b292176..5a55339 100644
|
||||
--- a/templates/role.yaml
|
||||
+++ b/templates/role.yaml
|
||||
@@ -1,4 +1,4 @@
|
||||
-{{- if .Values.rbac.create -}}
|
||||
+{{- if .Values.giantswarm.rbac.create -}}
|
||||
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
{{- else }}
|
||||
@@ -6,32 +6,39 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
{{- end }}
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
- name: {{ include "chart.fullname" . }}
|
||||
+ name: {{ include "chart.fullname" . }}
|
||||
rules:
|
||||
# impersonation rules for ui calls
|
||||
+ {{- if .Values.giantswarm.rbac.impersonation.users.enabled }}
|
||||
- apiGroups: [""]
|
||||
- resources: {{ .Values.rbac.impersonationResources | toJson }}
|
||||
+ resources: ["users"]
|
||||
verbs: [ "impersonate" ]
|
||||
- {{- with .Values.rbac.impersonationResourceNames }}
|
||||
+ {{- with .Values.giantswarm.rbac.impersonation.users.resourceNames }}
|
||||
resourceNames: {{ . | toJson }}
|
||||
{{- end }}
|
||||
+ {{- end }}
|
||||
+ {{- if .Values.giantswarm.rbac.impersonation.groups.enabled }}
|
||||
+ {{- if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled) }}
|
||||
+ {{- fail "Enabling impersonation for groups requires users impersonation permissions, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation" }}
|
||||
+ {{- end }}
|
||||
+ - apiGroups: [""]
|
||||
+ resources: ["groups"]
|
||||
+ verbs: [ "impersonate" ]
|
||||
+ {{- with .Values.giantswarm.rbac.impersonation.groups.resourceNames }}
|
||||
+ resourceNames: {{ . | toJson }}
|
||||
+ {{- end }}
|
||||
+ {{- end }}
|
||||
# Access to enterprise entitlement
|
||||
- apiGroups: [""]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "get", "list" ]
|
||||
- {{- if and .Values.rbac.viewSecrets .Values.rbac.viewSecretsResourceNames }}
|
||||
- {{- fail "You've supplied both rbac.viewSecrets and rbac.viewSecretsResourceNames. Please only use rbac.viewSecretsResourceNames" }}
|
||||
- {{- end }}
|
||||
- # or should return the first non-falsy result
|
||||
- {{- with (or .Values.rbac.viewSecretsResourceNames .Values.rbac.viewSecrets) }}
|
||||
+ {{- with .Values.giantswarm.rbac.viewSecretsResourceNames }}
|
||||
resourceNames: {{ . | toJson }}
|
||||
{{- end }}
|
||||
-
|
||||
# The service account needs to read namespaces to know where it can query
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "namespaces" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
-
|
||||
# The service account needs to list custom resources to query if given feature
|
||||
# is available or not.
|
||||
- apiGroups: [ "apiextensions.k8s.io" ]
|
||||
diff --git a/templates/rolebinding.yaml b/templates/rolebinding.yaml
|
||||
index b8756fe..df718ff 100644
|
||||
--- a/templates/rolebinding.yaml
|
||||
+++ b/templates/rolebinding.yaml
|
||||
@@ -1,4 +1,4 @@
|
||||
-{{- if .Values.rbac.create -}}
|
||||
+{{- if .Values.giantswarm.rbac.create -}}
|
||||
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
{{- else }}
|
||||
@@ -9,7 +9,7 @@ metadata:
|
||||
name: {{ include "chart.fullname" . }}
|
||||
labels:
|
||||
{{- include "chart.labels" . | nindent 4 }}
|
||||
- {{- with .Values.rbac.annotations }}
|
||||
+ {{- with .Values.giantswarm.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
diff --git a/values.yaml b/values.yaml
|
||||
index 374ad32..7b3b35f 100644
|
||||
--- a/values.yaml
|
||||
+++ b/values.yaml
|
||||
@@ -1,16 +1,57 @@
|
||||
-# Default values for chart.
|
||||
-# This is a YAML-formatted file.
|
||||
-# Declare variables to be passed into your templates.
|
||||
+giantswarm:
|
||||
+ images:
|
||||
+ server:
|
||||
+ image: giantswarm/weaveworks-wego-app
|
||||
+ pullPolicy: IfNotPresent
|
||||
+ tag: v0.18.0
|
||||
+ test:
|
||||
+ image: giantswarm/busybox
|
||||
+ pullPolicy: IfNotPresent
|
||||
+ tag: 1.36.0
|
||||
+ resources:
|
||||
+ vpa:
|
||||
+ enabled: true
|
||||
+ server:
|
||||
+ limits:
|
||||
+ cpu: 200m
|
||||
+ memory: 256Mi
|
||||
+ requests:
|
||||
+ cpu: 100m
|
||||
+ memory: 128Mi
|
||||
+ test:
|
||||
+ requests:
|
||||
+ cpu: 10m
|
||||
+ memory: 2Mi
|
||||
+ limits:
|
||||
+ cpu: 10m
|
||||
+ memory: 4Mi
|
||||
+ rbac:
|
||||
+ create: true
|
||||
+ impersonation:
|
||||
+ users:
|
||||
+ enabled: true
|
||||
+ # -- If non-empty, this limits the users names that the service account
|
||||
+ # can impersonate, e.g. `['user1@corporation.com', 'user2@corporation.com']`
|
||||
+ resourceNames: []
|
||||
+ groups:
|
||||
+ enabled: true
|
||||
+ # -- If non-empty, this limits the groups names that the service account
|
||||
+ # can impersonate, e.g. `['admins', 'operations', 'devops']`
|
||||
+ resourceNames: []
|
||||
+ # -- If non-empty, this limits the secrets that can be accessed by
|
||||
+ # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
|
||||
+ viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
|
||||
+ # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
|
||||
+ # for example,
|
||||
+ # additionalRules:
|
||||
+ # - apiGroups: ["infra.contrib.fluxcd.io"]
|
||||
+ # resources: ["terraforms"]
|
||||
+ # verbs: [ "get", "list", "patch" ]
|
||||
+ additionalRules: []
|
||||
|
||||
-# Note: paragraphs starting with `# --` will end up in our manual -
|
||||
-# see https://github.com/norwoodj/helm-docs
|
||||
replicaCount: 1
|
||||
image:
|
||||
- # FIXME check the app name
|
||||
- repository: ghcr.io/weaveworks/wego-app
|
||||
- pullPolicy: IfNotPresent
|
||||
- # Overrides the image tag whose default is the chart appVersion.
|
||||
- tag: "v0.18.0"
|
||||
+ registry: gsoci.azurecr.io
|
||||
imagePullSecrets: []
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
@@ -43,28 +84,9 @@ serviceAccount:
|
||||
# -- The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
name: ""
|
||||
-rbac:
|
||||
- # -- Specifies whether the clusterRole & binding to the service account should be created
|
||||
- create: true
|
||||
- # -- If non-empty, this limits the resources that the service
|
||||
- # account can impersonate. This applies to both users and groups, e.g.
|
||||
- # `['user1@corporation.com', 'user2@corporation.com', 'operations']`
|
||||
- impersonationResourceNames: []
|
||||
- # -- Limit the type of principal that can be impersonated
|
||||
- impersonationResources: ["users", "groups"]
|
||||
- # -- If non-empty, this limits the secrets that can be accessed by
|
||||
- # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
|
||||
- viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
|
||||
- # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
|
||||
- # for example,
|
||||
- # additionalRules:
|
||||
- # - apiGroups: ["infra.contrib.fluxcd.io"]
|
||||
- # resources: ["terraforms"]
|
||||
- # verbs: [ "get", "list", "patch" ]
|
||||
- additionalRules: []
|
||||
adminUser:
|
||||
# -- Whether the local admin user should be created.
|
||||
- # If you use this make sure you add it to `rbac.impersonationResourceNames`.
|
||||
+ # If you use this make sure you add it to `giantswarm.rbac.impersonation.users.resourceNames`.
|
||||
create: false
|
||||
# -- Specifies whether the clusterRole & binding to the admin user should be created.
|
||||
# Will be created only if `adminUser.create` is enabled. Without this,
|
||||
@@ -82,7 +104,7 @@ adminUser:
|
||||
# -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
|
||||
# This needs to have been hashed using bcrypt.
|
||||
# You can do this via our CLI with `gitops get bcrypt-hash`.
|
||||
- passwordHash:
|
||||
+ passwordHash: ""
|
||||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
# aadpodidbinding: identity
|
||||
@@ -111,7 +133,7 @@ ingress:
|
||||
annotations: {}
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
- hosts:
|
||||
+ hosts: []
|
||||
# - host: chart-example.local
|
||||
# paths:
|
||||
# - path: /
|
||||
@@ -123,8 +145,8 @@ ingress:
|
||||
# - chart-example.local
|
||||
extraVolumes: []
|
||||
extraVolumeMounts: []
|
||||
-# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
|
||||
-# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
|
||||
+# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
|
||||
+# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
|
||||
# secretProviderClass so this will be created by the secrets store CSI driver.
|
||||
# See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
|
||||
# extraVolumeMounts:
|
||||
@@ -138,17 +160,6 @@ extraVolumeMounts: []
|
||||
# readOnly: true
|
||||
# volumeAttributes:
|
||||
# secretProviderClass: ww-gitops-oauth-provider
|
||||
-resources: {}
|
||||
-# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
-# choice for the user. This also increases chances charts run on environments with little
|
||||
-# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
-# limits:
|
||||
-# cpu: 100m
|
||||
-# memory: 128Mi
|
||||
-# requests:
|
||||
-# cpu: 100m
|
||||
-# memory: 128Mi
|
||||
|
||||
networkPolicy:
|
||||
# -- Specifies whether default network policies should be created.
|
Loading…
Reference in New Issue