diff --git a/assets/epinio-crd/epinio-crd-100.0.0+up0.9.1.tgz b/assets/epinio-crd/epinio-crd-100.0.0+up0.9.1.tgz
new file mode 100644
index 00000000000..7bf13826687
Binary files /dev/null and b/assets/epinio-crd/epinio-crd-100.0.0+up0.9.1.tgz differ
diff --git a/assets/epinio/epinio-100.0.0+up0.9.1.tgz b/assets/epinio/epinio-100.0.0+up0.9.1.tgz
new file mode 100644
index 00000000000..8227f7f5a29
Binary files /dev/null and b/assets/epinio/epinio-100.0.0+up0.9.1.tgz differ
diff --git a/charts/epinio-crd/100.0.0+up0.9.1/Chart.yaml b/charts/epinio-crd/100.0.0+up0.9.1/Chart.yaml
new file mode 100644
index 00000000000..888b6e4f93c
--- /dev/null
+++ b/charts/epinio-crd/100.0.0+up0.9.1/Chart.yaml
@@ -0,0 +1,10 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: epinio-system
+ catalog.cattle.io/release-name: epinio-crd
+apiVersion: v1
+description: Installs the CRDs for epinio.
+name: epinio-crd
+type: application
+version: 100.0.0+up0.9.1
diff --git a/charts/epinio-crd/100.0.0+up0.9.1/README.md b/charts/epinio-crd/100.0.0+up0.9.1/README.md
new file mode 100644
index 00000000000..527081aec49
--- /dev/null
+++ b/charts/epinio-crd/100.0.0+up0.9.1/README.md
@@ -0,0 +1,2 @@
+# epinio-crd
+A Rancher chart that installs the CRDs used by epinio.
diff --git a/charts/epinio-crd/100.0.0+up0.9.1/templates/app-crd.yaml b/charts/epinio-crd/100.0.0+up0.9.1/templates/app-crd.yaml
new file mode 100644
index 00000000000..d80dd27497b
--- /dev/null
+++ b/charts/epinio-crd/100.0.0+up0.9.1/templates/app-crd.yaml
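Review bot: The CRD chart pins `catalog.cattle.io/namespace: epinio-system` while the main chart's Chart.yaml later in this diff pins `catalog.cattle.io/namespace: cattle-epinio-system`, so the two Rancher releases tied together by `catalog.cattle.io/auto-install: epinio-crd=match` are placed in different namespaces. The CRDs are cluster-scoped, so this most likely still installs, but it leaves the CRD release in a namespace that nothing else on this page uses and makes cleanup and RBAC scoping harder to reason about. If the split is intentional, a one-line comment next to the annotation saying why would save the next reviewer the same question; otherwise aligning both on `cattle-epinio-system` looks like the intended state.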
@@ -0,0 +1,106 @@ +# Copied from here: +# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_apps.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: apps.application.epinio.io +spec: + group: application.epinio.io + names: + kind: App + listKind: AppList + plural: apps + singular: app + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: App is the Schema for the apps API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AppSpec defines the desired state of App + properties: + blobuid: + description: BlobUID stores the blob uid that was used when the application + was last staged (from code). It can be empty if the application + was never staged (e.g. pushed with container image). Epinio will + use the value set by the user explicitly but if one is not set, + it will try to use the previously set blobUID from the application + CRD. + type: string + builderimage: + description: This field stores the builder image that was used when + the application was last staged (from code). It can be empty if + the application was never staged (e.g. pushed with container image). 
+ Epinio will use the builder image set by the user explicitly but + if one is not set, it will try to use the previously set image. + type: string + chartname: + description: ChartName stores the name of the application support + chart used to deploy the currently running application. This is + set on deployment, for use in updates. The name references an epinio + AppCharts resource. + type: string + imageurl: + description: ImageURL stores the image reference of the currently + running application. This is set on deployment, for use in updates. + type: string + origin: + properties: + container: + type: string + git: + properties: + repository: + type: string + revision: + type: string + required: + - repository + type: object + path: + type: string + type: object + routes: + items: + type: string + type: array + stageid: + description: StageID stores the id of the latest attempt to stage + the application, regardless of outcome. This enables access to the + staging logs of an application which never staged successfully. + type: string + required: + - origin + type: object + status: + description: AppStatus defines the observed state of App + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/epinio-crd/100.0.0+up0.9.1/templates/appcharts-crd.yaml b/charts/epinio-crd/100.0.0+up0.9.1/templates/appcharts-crd.yaml new file mode 100644 index 00000000000..339d9cd8483 --- /dev/null +++ b/charts/epinio-crd/100.0.0+up0.9.1/templates/appcharts-crd.yaml 
@@ -0,0 +1,70 @@ +# Copied from here: +# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_appcharts.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: appcharts.application.epinio.io +spec: + group: application.epinio.io + names: + kind: AppChart + listKind: AppChartList + plural: appcharts + singular: appchart + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AppChart is the Schema for the appcharts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AppChartSpec defines the desired state of AppChart + properties: + description: + description: Description of the chart. Long form to be used in detailed + displays + type: string + helmChart: + description: HelmChart is the name of the Helm chart used to deploy + an application. + type: string + helmRepo: + description: HelmRepo is the URL to the Helm repository where to fetch + the helm chart. This can be empty. In that case the HelmChart field + has to reference the chart as full URL instead of as a simple name. + type: string + shortDescription: + description: ShortDescription of the chart. 
To be used in list displays + type: string + type: object + status: + description: AppChartStatus defines the observed state of AppChart + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/epinio-crd/100.0.0+up0.9.1/templates/service-crd.yaml b/charts/epinio-crd/100.0.0+up0.9.1/templates/service-crd.yaml new file mode 100644 index 00000000000..22688bbccbe --- /dev/null +++ b/charts/epinio-crd/100.0.0+up0.9.1/templates/service-crd.yaml 
@@ -0,0 +1,81 @@ +# Copied from here: +# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_services.yaml +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: services.application.epinio.io +spec: + group: application.epinio.io + names: + kind: Service + listKind: ServiceList + plural: services + singular: service + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Service is the Schema for the services API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSpec defines the desired state of Service + properties: + chart: + description: HelmChart is the name of the Helm chart used to deploy + the service + type: string + description: + description: Description of the service to be used when the service + is described + type: string + helmRepo: + description: HelmRepo is the Helm repository where to fetch the helm + chart + properties: + name: + type: string + url: + type: string + type: object + name: + description: Name of the service (i.e. 
redis-small) + type: string + shortDescription: + description: ShortDescription of the service to be used in lists + type: string + values: + description: Values are the values provided by the operator. They + are used to customize the deployment of the service. + type: string + type: object + status: + description: ServiceStatus defines the observed state of Service + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/epinio/100.0.0+up0.9.1/Chart.lock b/charts/epinio/100.0.0+up0.9.1/Chart.lock new file mode 100644 index 00000000000..321ad45fd90 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/Chart.lock @@ -0,0 +1,12 @@ +dependencies: +- name: minio + repository: https://charts.min.io/ + version: 3.6.3 +- name: kubed + repository: https://charts.appscode.com/stable/ + version: v0.13.2 +- name: epinio-ui + repository: https://epinio.github.io/helm-charts + version: 0.2.0 +digest: sha256:e7b10c3fd474cb9ad675efee5e81fc74281e8d09133b808232840296e55c3927 +generated: "2022-04-27T17:26:10.6688455+03:00" diff --git a/charts/epinio/100.0.0+up0.9.1/Chart.yaml b/charts/epinio/100.0.0+up0.9.1/Chart.yaml new file mode 100644 index 00000000000..7264cadf756 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/Chart.yaml 
@@ -0,0 +1,44 @@
+annotations:
+ artifacthub.io/license: Apache-2.0
+ catalog.cattle.io/auto-install: epinio-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Epinio
+ catalog.cattle.io/experimental: "true"
+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.24.0-0'
+ catalog.cattle.io/namespace: cattle-epinio-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 <= 2.6.100-0'
+ catalog.cattle.io/release-name: epinio
+ catalog.cattle.io/type: cluster-tool
+apiVersion: v2
+appVersion: v0.7.1
+dependencies:
+- condition: epinio-ui.enabled
+ name: epinio-ui
+ repository: file://./charts/epinio-ui
+ tags:
+ - epinio-ui
+- condition: kubed.enabled, global.kubed.enabled
+ name: kubed
+ repository: file://./charts/kubed
+ tags:
+ - kubed
+- condition: minio.enabled, global.minio.enabled
+ name: minio
+ repository: file://./charts/minio
+ tags:
+ - minio
+description: The official way to install Epinio
+home: https://github.com/epinio/epinio
+icon: https://charts.rancher.io/assets/logos/epinio.svg
+keywords:
+- epinio
+- paas
+maintainers:
+- email: team@epinio.io
+ name: SUSE
+name: epinio
+sources:
+- https://github.com/epinio/epinio
+version: 100.0.0+up0.9.1
diff --git a/charts/epinio/100.0.0+up0.9.1/README.md b/charts/epinio/100.0.0+up0.9.1/README.md
new file mode 100644
index 00000000000..017d4098903
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/README.md
@@ -0,0 +1,93 @@ +# Epinio Helm Chart + +From app to URL in one command. + +## Introduction + +This chart deploys Epinio PaaS on a Kubernetes cluster. It also deploys some of +its dependencies as subcharts. + +The documentation is centralized in the [doc website](https://docs.epinio.io/installation/installation.html). + +## Prerequisites + +Epinio needs a number of external components to be running on your cluster in order to +work. You may already have those deployed, otherwise follow the instructions here +to deploy them. + +Important: Some of the namespaces of the components are hardcoded in the Epinio +code and thus are important to be the same as described here. In the future this +may be configurable on the Epinio Helm chart. + +### Ingress Controller + +Epinio creates Ingress resources for the API server, the applications and depending +on your setup, the internal container registry. Those resources won't work unless +an Ingress controller is running on your cluster. + +If you don't have an Ingress controller already running, you can install Traefik with: + +``` +$ kubectl create namespace traefik +$ export LOAD_BALANCER_IP=$(LOAD_BALANCER_IP:-) # Set this to the IP of your load balancer if you know that +$ helm install traefik --namespace traefik "https://helm.traefik.io/traefik/traefik-10.3.4.tgz" \ + --set globalArguments='' \ + --set-string ports.web.redirectTo=websecure \ + --set-string ingressClass.enabled=true \ + --set-string ingressClass.isDefaultClass=true \ + --set-string service.spec.loadBalancerIP=$LOAD_BALANCER_IP +``` + +### Cert Manager + +Epinio needs [cert-manager](https://cert-manager.io/) in order to create TLS +certificates for the various Ingresses (see "Ingress controller" above). 
+ +If cert-manager is not already installed on the cluster, it can be installed like this: + +``` +$ kubectl create namespace cert-manager +$ helm repo add jetstack https://charts.jetstack.io +$ helm repo update +$ helm install cert-manager --namespace cert-manager jetstack/cert-manager \ + --set installCRDs=true \ + --set extraArgs[0]=--enable-certificate-owner-ref=true +``` + +### Kubed + +Kubed is installed as a subchart when `.Values.kubed.enabled` is true (default). +If you already have kubed running, you can skip the installation by setting +the helm value "kubed.enabled" to "false". + +### S3 storage + +Epinio is using an S3 compatible storage to store the application source code. +This chart will install [Minio](https://min.io/) when `.Values.minio.enabled` is +true (default). Any S3 compatible solution can be used instead by setting this +value to `false` and using [the values under `s3`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L44) +to point to the desired S3 server. + +### Container Registry + +When Epinio builds a container image for an application from source, it needs +to store that image to a container registry. Epinio installs a container registry +on the cluster when `.Values.containerregistry.enabled` is `true` (default). + +Any container registry that supports basic auth authentication can be used (e.g. gcr, dockerhub etc) +instead by setting this value to `false` and using +[the values under `registry`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L104-L107) +to point to the desired container registry. 
+ +## Install Epinio + +If the above dependencies are available or going to be installed by this chart, +Epinio can be installed with the following: + +``` +$ helm install epinio -n epinio --create-namespace epinio/epinio --values epinio-values.yaml --set global.domain=myepiniodomain.org +``` + +The only value that is mandatory is the `.Values.global.domain` which +should be a wildcard domain, pointing to the IP address of your running +Ingress controller. diff --git a/charts/epinio/100.0.0+up0.9.1/app-readme.md b/charts/epinio/100.0.0+up0.9.1/app-readme.md new file mode 100644 index 00000000000..bf11afb51c0 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/app-readme.md @@ -0,0 +1,5 @@ +# Epinio PaaS + +Opinionated platform that runs on Kubernetes to take you from Code to URL in one step. + +__Attention__: Requires `cert-manager` as dependency. diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/.helmignore b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/Chart.yaml b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/Chart.yaml new file mode 100644 index 00000000000..d4ef6d9b90e --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/Chart.yaml 
@@ -0,0 +1,18 @@
+annotations:
+ artifacthub.io/license: Apache-2.0
+apiVersion: v2
+appVersion: v0.6.2
+description: A Helm chart for the Epinio UI
+home: https://github.com/epinio/epinio
+icon: https://charts.rancher.io/assets/logos/epinio.svg
+keywords:
+- epinio
+- paas
+maintainers:
+- email: team@epinio.io
+ name: SUSE
+name: epinio-ui
+sources:
+- https://github.com/epinio/ui
+type: application
+version: 0.2.0
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/_helpers.tpl b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/_helpers.tpl
new file mode 100644
index 00000000000..4be4c30497e
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/_helpers.tpl
@@ -0,0 +1,96 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "epinio-ui.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "epinio-ui.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "epinio-ui.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "epinio-ui.labels" -}}
+helm.sh/chart: {{ include "epinio-ui.chart" . }}
+{{ include "epinio-ui.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "epinio-ui.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "epinio-ui.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "epinio-ui.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "epinio-ui.fullname" .)
.Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+URL registry prefix for container images (Rancher compatibility support)
+*/}}
+{{- define "epinio-ui.registry" -}}
+{{- if .Values.global.cattle -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
+{{- else -}}
+{{ .Values.epinioUI.image.registry }}/
+{{- end -}}
+{{- else -}}
+{{ .Values.epinioUI.image.registry }}/
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes, add below linux tolerations to
+workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: linux
+{{- else -}}
+kubernetes.io/os: linux
+{{- end -}}
+{{- end -}}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/certificate.yaml b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/certificate.yaml
new file mode 100644
index 00000000000..a04bc53fd70
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/certificate.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: epinio-ui
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - {{ .Values.global.domain }}
+ issuerRef:
+ kind: ClusterIssuer
+ name: {{ .Values.global.tlsIssuer }}
+ secretName: epinio-ui-tls
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/ingress.yaml b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/ingress.yaml
new file mode 100644
index 00000000000..749ee71d616
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/ingress.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ labels:
+ {{- include "epinio-ui.labels" . | nindent 4 }}
+ name: epinio-ui
+ namespace: {{ .Release.Namespace }}
+spec:
+ {{- if .Values.ingress.ingressClassName }}
+ ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+ {{- end }}
+ rules:
+ - host: {{ .Values.global.domain }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: epinio-ui
+ port:
+ number: 80
+ path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - {{ .Values.global.domain }}
+ secretName: epinio-ui-tls
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/server.yaml b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/server.yaml
new file mode 100644
index 00000000000..a23f77b4f10
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/server.yaml
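Review bot: `- host: {{ .Values.global.domain }}` and the matching `tls.hosts` entry render the domain unquoted and unguarded, and an Ingress rule whose host is empty applies to every hostname the controller serves, so a values file that sets `global.domain` to "" (or a templating mistake that leaves it null) silently turns this into a catch-all route to the UI. Render it as `- host: {{ required "global.domain must be set" .Values.global.domain | quote }}` and add the same `| quote` to the `tls.hosts` entry, which also protects against YAML retyping odd-looking names. Separately, the two `traefik.ingress.kubernetes.io/router.*` annotations are emitted unconditionally even when `ingress.ingressClassName` selects another controller; they are inert there, but a comment saying they are Traefik-only (or gating them on the class name) would make that clear.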
@@ -0,0 +1,103 @@
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace "epinio-ui").data -}}
+{{- $encryptionKey := empty $secret | ternary (printf "%x" (randAscii 32)) (b64dec (default "" $secret.encryptionKey)) -}}
+{{- $sessionSecret := empty $secret | ternary (randAlphaNum 16) (b64dec (default "" $secret.sessionSecret)) -}}
+
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: epinio-ui
+ namespace: {{ .Release.Namespace }}
+stringData:
+ encryptionKey: {{ $encryptionKey }}
+ sessionSecret: {{ $sessionSecret }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: epinio-ui
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "epinio-ui.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "epinio-ui.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "epinio-ui.labels" . | nindent 8 }}
+ spec:
+ nodeSelector:
+ {{- include "linux-node-selector" . | nindent 8 -}}
+ tolerations:
+ {{- include "linux-node-tolerations" . | nindent 8 -}}
+ containers:
+ - name: epinio-ui
+ image: {{ template "epinio-ui.registry" .
}}{{ .Values.epinioUI.image.repository }}:{{ .Values.epinioUI.image.tag }}
+ imagePullPolicy: {{ .Values.epinioUI.imagePullPolicy }}
+ workingDir: /db
+
+ env:
+ - name: EPINIO_API_URL
+ value: {{ default (printf "http://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioApiUrl }}
+ - name: EPINIO_WSS_URL
+ value: {{ default (printf "ws://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioWssUrl }}
+ - name: EPINIO_API_SKIP_SSL
+ value: {{ .Values.epinioApiSkipSSL | quote }}
+ - name: EPINIO_VERSION
+ value: {{ .Values.epinioVersion | quote }}
+ - name: HTTP_CLIENT_TIMEOUT_IN_SECS
+ value: "120"
+ - name: SESSION_STORE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: epinio-ui
+ key: sessionSecret
+ - name: SESSION_STORE_EXPIRY
+ value: "1440"
+ - name: UI_PATH
+ value: "/ui"
+ - name: AUTH_ENDPOINT_TYPE
+ value: epinio
+ - name: ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: epinio-ui
+ key: encryptionKey
+
+ - name: DATABASE_PROVIDER
+ value: sqlite
+ - name: HTTPS
+ value: "false"
+ - name: CONSOLE_PROXY_TLS_ADDRESS
+ value: 0.0.0.0:8000
+ - name: LOG_LEVEL
+ value: {{ .Values.logLevel | quote }}
+
+ {{- with .Values.volumeMounts }}
+ volumeMounts:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ livenessProbe:
+ tcpSocket:
+ port: 8000
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ tcpSocket:
+ port: 8000
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ {{- with .Values.volumes }}
+ volumes:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/service.yaml b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/service.yaml
new file mode 100644
index 00000000000..442a7264256
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/templates/service.yaml
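Review bot: The two generated secrets are written unquoted, `encryptionKey: {{ $encryptionKey }}` and `sessionSecret: {{ $sessionSecret }}`; a value that happens to look like a number (a 16-character `randAlphaNum` output can be all digits, and a value restored through `b64dec` is arbitrary) would be retyped by YAML before it reaches the Secret, so render both with `| quote`. The `randAlphaNum 16` session secret is also far shorter than the 64-hex-digit encryption key; if the session store accepts longer values, `randAlphaNum 32` costs nothing. When `lookup` finds no Secret, `$secret` is nil but `$secret.encryptionKey` is still evaluated as an argument before `ternary` picks a branch, which in Helm normally surfaces as a `nil pointer evaluating` render error on a fresh install — worth confirming, and `| default dict` appended to the first line avoids it. `lookup` is also a no-op under `helm template` and `--dry-run`, so a render-then-apply workflow regenerates both secrets on every sync, invalidating sessions and anything encrypted with the previous key. The container securityContext is a good start but drops no capabilities; adding `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` would let the pod satisfy the restricted Pod Security Standard.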
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: epinio-ui
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "epinio-ui.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ selector:
+ {{- include "epinio-ui.selectorLabels" . | nindent 4 }}
+ ports:
+ - name: ui
+ port: 80
+ targetPort: 8000
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/values.yaml b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/values.yaml
new file mode 100644
index 00000000000..e26a625245b
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/epinio-ui/values.yaml
@@ -0,0 +1,41 @@
+epinioUI:
+ image:
+ repository: rancher/mirrored-epinio-epinio-ui
+ tag: v0.6.2-0.0.1
+ imagePullPolicy: IfNotPresent
+ingress:
+ enabled: true
+ # The ingressClassName is used to select the ingress controller. If empty no class will be added to the ingresses.
+ ingressClassName: ""
+global:
+ domain: ui.epinio.dev
+ tlsIssuer: selfsigned-issuer
+logLevel: info
+# API URL of epinio instance, for proxied connections, defaults to http://epinio-server.%s.svc.cluster.local"
+epinioApiUrl: ""
+epinioWssUrl: ""
+
+# Skip checking for valid SSL cert when making requests to `EPINIO_API_URL`
+epinioApiSkipSSL: "true"
+# This is the version that is displayed in the ui and should match that of the epinio it's targetting
+epinioVersion: "0.6.2"
+volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ readOnly: false
+ - name: db
+ mountPath: /db
+ readOnly: false
+# - name: ui
+# mountPath: /ui
+# subPath: dist
+# readOnly: true
+
+volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: db
+ emptyDir: {}
+# - name: ui
+# persistentVolumeClaim:
+# claimName: ui
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/.helmignore b/charts/epinio/100.0.0+up0.9.1/charts/kubed/.helmignore
new file mode 100644
index 00000000000..be86b789d79
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/.helmignore
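Review bot: `epinioUI.image` declares only `repository` and `tag`, but the `epinio-ui.registry` helper in this diff falls back to `.Values.epinioUI.image.registry` whenever `global.cattle.systemDefaultRegistry` is unset, so unless the parent chart's values (not in this diff) supply that key, the rendered image reference starts with a bare `/` and the kubelet will most likely reject it; declaring `registry: ""` here with a comment on the expected default makes the contract visible. `epinioApiSkipSSL: "true"` disables certificate verification for the UI-to-API connection by default; since `epinioApiUrl` defaults to a plain in-cluster `http://` URL this is moot out of the box, but the comment should say so, e.g. `# Only relevant when epinioApiUrl is an https:// endpoint; set to "false" there so the API certificate is verified`. `epinioVersion: "0.6.2"` is documented as needing to match the targeted Epinio, while the parent Chart.yaml in this diff declares `appVersion: v0.7.1`; if the parent values do not override it, the UI will report a stale version.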
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Helm files +OWNERS diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/Chart.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/Chart.yaml new file mode 100644 index 00000000000..b01e55e5e04 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +appVersion: v0.13.2 +description: Config Syncer by AppsCode - Kubernetes daemon +home: https://github.com/kubeops/config-syncer +icon: https://cdn.appscode.com/images/products/kubed/icons/android-icon-192x192.png +maintainers: +- email: support@appscode.com + name: appscode +name: kubed +sources: +- https://github.com/kubeops/config-syncer +version: v0.13.2 diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/README.md b/charts/epinio/100.0.0+up0.9.1/charts/kubed/README.md new file mode 100644 index 00000000000..d747c51769b --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/README.md 
@@ -0,0 +1,94 @@ +# Config Syncer + +[Config Syncer by AppsCode](https://github.com/kubeops/config-syncer) - A Kubernetes cluster manager daemon + +## TL;DR; + +```console +$ helm repo add appscode https://charts.appscode.com/stable/ +$ helm repo update +$ helm install kubed appscode/kubed -n kube-system +``` + +## Introduction + +This chart deploys a Config Syncer operator on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.11+ + +## Installing the Chart + +To install the chart with the release name `kubed`: + +```console +$ helm install kubed appscode/kubed -n kube-system +``` + +The command deploys a Config Syncer operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `kubed`: + +```console +$ helm delete kubed -n kube-system +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the `kubed` chart and their default values. 
+ +| Parameter | Description | Default | +|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------| +| nameOverride | Overrides name template | "" | +| fullnameOverride | Overrides fullname template | "" | +| replicaCount | Number of Config Syncer operator replicas to create (only 1 is supported) | 1 | +| operator.registry | Docker registry used to pull Config Syncer operator image | appscode | +| operator.repository | Config Syncer operator container image | kubed | +| operator.tag | Config Syncer operator container image tag | v0.13.2 | +| operator.resources | Compute Resources required by the operator container | {} | +| operator.securityContext | Security options the operator container should run with | {} | +| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/kubed \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | [] | +| imagePullPolicy | Container image pull policy | IfNotPresent | +| criticalAddon | If true, installs Config Syncer operator as critical addon | false | +| logLevel | Log level for operator | 3 | +| annotations | Annotations applied to operator deployment | {} | +| podAnnotations | Annotations passed to operator pod(s). | {} | +| nodeSelector | Node labels for pod assignment | {} | +| tolerations | Tolerations for pod assignment | [] | +| affinity | Affinity rules for pod assignment | {} | +| podSecurityContext | Security options the operator pod should run with. | {"fsGroup":65535} | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| apiserver.securePort | Port used by Config Syncer server | "8443" | +| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true | +| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the operator pod. | false | +| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true | +| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of Config Syncer server. | "" | +| apiserver.servingCerts.serverCrt | Serving certficate used by Config Syncer server. | "" | +| apiserver.servingCerts.serverKey | Private key for the serving certificate used by Config Syncer server. 
| "" | +| enableAnalytics | If true, sends usage analytics | true | +| config.clusterName | Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc. so that you can distinguish notifications sent by kubed | unicorn | +| config.configSourceNamespace | If set, configmaps and secrets from only this namespace will be synced | "" | +| config.kubeconfigContent | kubeconfig file content for configmap and secret syncer | "" | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: + +```console +$ helm install kubed appscode/kubed -n kube-system --set replicaCount=1 +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while +installing the chart. For example: + +```console +$ helm install kubed appscode/kubed -n kube-system --values values.yaml +``` diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/doc.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/doc.yaml new file mode 100644 index 00000000000..e3b2d7fae6e --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/doc.yaml @@ -0,0 +1,18 @@ +project: + name: Config Syncer by AppsCode + shortName: Config Syncer + url: https://github.com/kubeops/config-syncer + description: A Kubernetes cluster manager daemon + app: a Config Syncer operator +repository: + url: https://charts.appscode.com/stable/ + name: appscode +chart: + name: kubed + values: "-- generate from values file --" + valuesExample: "-- generate from values file --" +prerequisites: +- Kubernetes 1.11+ +release: + name: kubed + namespace: kube-system diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/NOTES.txt b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/NOTES.txt new file mode 100644 index 00000000000..aa9281fa093 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/NOTES.txt 
@@ -0,0 +1,3 @@
+To verify that Config Syncer has started, run:
+
+ kubectl get deployment --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kubed.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/_helpers.tpl b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/_helpers.tpl
new file mode 100644
index 00000000000..cbdcb8c0df1
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/_helpers.tpl
@@ -0,0 +1,93 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kubed.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubed.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubed.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kubed.labels" -}} +helm.sh/chart: {{ include "kubed.chart" . }} +{{ include "kubed.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kubed.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kubed.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kubed.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "kubed.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Windows cluster will add default taint for linux nodes, add below linux tolerations to +workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +URL prefix for container images to be compatible with Rancher +*/}} +{{- define "registry-url" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/ +{{- else -}} +{{ .Values.operator.registry }}/ +{{- end -}} +{{- end -}} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/apiregistration.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/apiregistration.yaml new file mode 100644 index 00000000000..fcbf02a361a --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/apiregistration.yaml 
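Review bot: `registry-url` falls back to `{{ .Values.operator.registry }}/` when `global.cattle.systemDefaultRegistry` is empty, but the subchart's values.yaml in this commit declares only `operator.repository` and `operator.tag`, so on a non-Rancher install the fallback appears to render an image reference that starts with `/` (Helm prints an unset value as empty) unless the parent chart supplies `kubed.operator.registry`, which is not visible here. Either declare `registry` with a real default in values.yaml, or make the fallback conditional so an unset registry yields the bare repository: `{{- else if .Values.operator.registry -}}` / `{{ .Values.operator.registry }}/` / `{{- end -}}`. A one-line comment on the helper stating which value wins and what the empty case produces would also save the next reader the cross-file lookup.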
@@ -0,0 +1,58 @@ +{{- $serverCrt := "" }} +{{- $serverKey := "" }} +{{- if .Values.apiserver.servingCerts.generate }} +{{- $ca := genCA "ca" 3650 }} +{{- $cn := include "kubed.fullname" . -}} +{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }} +{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }} +{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} +{{- $serverCrt = b64enc $server.Cert }} +{{- $serverKey = b64enc $server.Key }} +{{- else }} +{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }} +{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }} +{{- end }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kubed.fullname" . }}-apiserver-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubed.labels" . | nindent 4 }} +type: Opaque +data: + tls.crt: {{ $serverCrt }} + tls.key: {{ $serverKey }} +--- +# to read the config for terminating authentication +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kubed.fullname" . }}-apiserver-extension-server-authentication-reader + namespace: kube-system + labels: + {{- include "kubed.labels" . | nindent 4 }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: {{ template "kubed.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +# to delegate authentication and authorization +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kubed.fullname" . }}-apiserver-auth-delegator + labels: + {{- include "kubed.labels" . | nindent 4 }} +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: {{ template "kubed.serviceAccountName" . 
}}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/cluster-role-binding.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/cluster-role-binding.yaml
new file mode 100644
index 00000000000..8ea05646a56
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kubed.fullname" . }}
+ labels:
+ {{- include "kubed.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kubed.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "kubed.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/cluster-role.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/cluster-role.yaml
new file mode 100644
index 00000000000..95e0147902a
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/cluster-role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kubed.fullname" . }}
+ labels:
+ {{- include "kubed.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - secrets
+ verbs: ["get", "create", "patch", "delete", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - namespaces
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - nodes
+ verbs: ["list"]
+- apiGroups: [""]
+ resources:
+ - events
+ verbs: ["create"]
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/deployment.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/deployment.yaml
new file mode 100644
index 00000000000..ac757984daf
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/deployment.yaml
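Review bot: In apiregistration.yaml, `genCA "ca" 3650` and `genSignedCert` run on every render, so each `helm upgrade` with `apiserver.servingCerts.generate: true` mints a new CA and serving key, and the `checksum/apiregistration.yaml` pod annotation in deployment.yaml then restarts the operator on every upgrade. The CA is also discarded after signing: only the leaf `tls.crt`/`tls.key` reach the Secret, and `.Values.apiserver.servingCerts.caCrt` declared in values.yaml is never read in this hunk, so nothing visible here can pin a `caBundle` to this certificate; if an APIService or webhook consumes it, that is outside this hunk. A comment above the generation block should make the rotation behaviour explicit, e.g. `{{/* NOTE: a fresh CA and serving key are generated on every render; the CA is not stored and caCrt is unused here */}}`, and `type: kubernetes.io/tls` would describe the Secret's contents better than `Opaque`.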
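Review bot: The first rule in cluster-role.yaml grants get/list/watch/create/patch/delete on Secrets and ConfigMaps in every namespace, which is the blast radius of this ServiceAccount if the operator pod is compromised; `config.configSourceNamespace` in values.yaml narrows only what the operator chooses to read at runtime, not what RBAC permits. That breadth follows from the sync use case (writing copies into arbitrary target namespaces), so it cannot simply be trimmed, but it should be stated at the rule: `# cluster-wide ConfigMap/Secret access: the syncer writes copies into any target namespace; config.configSourceNamespace limits reads only at runtime, not in RBAC`. The kubed README in this commit does not mention this permission either; a sentence there would let installers weigh it.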
@@ -0,0 +1,119 @@ +{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }} +{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }} +{{- $criticalAddon := and .Values.criticalAddon (or (eq .Release.Namespace "kube-system") (and (ge $major 1) (ge $minor 17))) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubed.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubed.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "kubed.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kubed.selectorLabels" . | nindent 8 }} + annotations: + checksum/apiregistration.yaml: {{ include (print $.Template.BasePath "/apiregistration.yaml") . | sha256sum }} + {{- if $criticalAddon }} + scheduler.alpha.kubernetes.io/critical-pod: '' + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "kubed.serviceAccountName" . }} + containers: + - name: kubed + securityContext: + {{- toYaml .Values.operator.securityContext | nindent 10 }} + image: {{ template "registry-url" . }}{{ .Values.operator.repository }}:{{ .Values.operator.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - run + - --v={{ .Values.logLevel }} + - --secure-port={{ default "8443" .Values.apiserver.securePort }} + - --audit-log-path=- + - --tls-cert-file=/var/serving-cert/tls.crt + - --tls-private-key-file=/var/serving-cert/tls.key + - --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }} + - --enable-analytics={{ .Values.enableAnalytics }} + {{- with .Values.config.clusterName }} + - --cluster-name={{ . 
}} + {{- end }} + {{- with .Values.config.configSourceNamespace }} + - --config-source-namespace={{ . }} + {{- end }} + {{- if .Values.config.kubeconfigContent }} + - --kubeconfig-file=/srv/kubed/kubeconfig + {{- end }} + {{- range .Values.config.additionalOptions }} + - {{ . }} + {{- end }} + ports: + - containerPort: {{ default "8443" .Values.apiserver.securePort }} + {{- if .Values.apiserver.healthcheck.enabled }} + readinessProbe: + httpGet: + path: /healthz + port: {{ default "8443" .Values.apiserver.securePort }} + scheme: HTTPS + initialDelaySeconds: 5 + livenessProbe: + httpGet: + path: /healthz + port: {{ default "8443" .Values.apiserver.securePort }} + scheme: HTTPS + initialDelaySeconds: 5 + {{- end }} + resources: + {{- toYaml .Values.operator.resources | nindent 10 }} + volumeMounts: + - name: config + mountPath: /srv/kubed + - name: scratch + mountPath: /tmp + - mountPath: /var/serving-cert + name: serving-cert + volumes: + - name: config + secret: + secretName: {{ template "kubed.fullname" . }} + - name: scratch + emptyDir: {} + - name: serving-cert + secret: + defaultMode: 420 + secretName: {{ template "kubed.fullname" . }}-apiserver-cert + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if $criticalAddon }} + - key: CriticalAddonsOnly + operator: Exists + {{- end -}} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} + {{- if $criticalAddon }} + priorityClassName: system-cluster-critical + {{- end -}} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/secret.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/secret.yaml new file mode 100644 index 00000000000..a980ae34b46 --- /dev/null 
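Review bot: `default "8443" .Values.apiserver.securePort` is evaluated four times in deployment.yaml (the `--secure-port` arg, `containerPort`, and both probe ports) and once more in service.yaml, so a change to the fallback has to be made in five places. Hoist it once beside the other top-of-file variables, `{{- $securePort := default "8443" .Values.apiserver.securePort }}`, and reference `{{ $securePort }}` below; values.yaml already sets `securePort: "8443"`, so the fallback is rarely hit, but the duplication stays. The `$criticalAddon` line would also benefit from a short comment saying why `kube-system` or Kubernetes >= 1.17 is required before `priorityClassName: system-cluster-critical` is emitted, since that is not obvious from the expression.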
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "kubed.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubed.labels" . | nindent 4 }}
+data:
+ {{- if .Values.config.kubeconfigContent }}
+ kubeconfig: {{ .Values.config.kubeconfigContent | trim | b64enc | quote }}
+ {{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/service.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/service.yaml
new file mode 100644
index 00000000000..95b76cf645b
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kubed.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubed.labels" . | nindent 4 }}
+spec:
+ ports:
+ # Port used to expose admission webhook apiserver
+ - name: api
+ port: 443
+ targetPort: {{ default "8443" .Values.apiserver.securePort }}
+ selector:
+ {{- include "kubed.selectorLabels" . | nindent 4 }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/serviceaccount.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/serviceaccount.yaml
new file mode 100644
index 00000000000..96f9c84c1b5
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "kubed.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubed.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/kubed/values.yaml b/charts/epinio/100.0.0+up0.9.1/charts/kubed/values.yaml
new file mode 100644
index 00000000000..09c36a3e364
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/kubed/values.yaml 
@@ -0,0 +1,101 @@ +# Default values for kubed. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Overrides name template +nameOverride: "" +# Overrides fullname template +fullnameOverride: "" + +# Number of Config Syncer operator replicas to create (only 1 is supported) +replicaCount: 1 + +operator: + # Config Syncer operator container image + repository: rancher/mirrored-kubed + # Config Syncer operator container image tag + tag: v0.13.2 + # Compute Resources required by the operator container + resources: {} + # Security options the operator container should run with + securityContext: {} + +# Specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. +# +# Example: +# helm template charts/kubed \ +# --set imagePullSecrets[0].name=sec0 \ +# --set imagePullSecrets[1].name=sec1 +imagePullSecrets: [] + +# Container image pull policy +imagePullPolicy: IfNotPresent + +# If true, installs Config Syncer operator as critical addon +criticalAddon: false + +# Log level for operator +logLevel: 3 + +# Annotations applied to operator deployment +annotations: {} + +# Annotations passed to operator pod(s). +podAnnotations: {} + +# Node labels for pod assignment +nodeSelector: {} + +# Tolerations for pod assignment +tolerations: [] + +# Affinity rules for pod assignment +affinity: {} + +# Security options the operator pod should run with. +podSecurityContext: # +doc-gen:break + # ensure that s/a token is readable xref: https://issues.k8s.io/70679 + fsGroup: 65535 + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +apiserver: + # Port used by Config Syncer server + securePort: "8443" + # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) + useKubeapiserverFqdnForAks: true + healthcheck: + # healthcheck configures the readiness and liveliness probes for the operator pod. + enabled: false + servingCerts: + # If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) + # to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. + generate: true + # CA certficate used by serving certificate of Config Syncer server. + caCrt: "" + # Serving certficate used by Config Syncer server. + serverCrt: "" + # Private key for the serving certificate used by Config Syncer server. + serverKey: "" + +# If true, sends usage analytics +enableAnalytics: true + +config: + # Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc. + # so that you can distinguish notifications sent by kubed + clusterName: unicorn + # If set, configmaps and secrets from only this namespace will be synced + configSourceNamespace: "" + # kubeconfig file content for configmap and secret syncer + kubeconfigContent: "" +# additionalOptions: +# - --authentication-skip-lookup diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/.helmignore b/charts/epinio/100.0.0+up0.9.1/charts/minio/.helmignore new file mode 100644 index 00000000000..a9fe7278811 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/.helmignore 
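Review bot: `operator.securityContext: {}` together with a `podSecurityContext` that only sets `fsGroup` means deployment.yaml renders the kubed container with no hardening at all — no `allowPrivilegeEscalation: false`, no dropped capabilities, no read-only root filesystem — even though the pod already mounts `/tmp` as an emptyDir and its config and serving cert as volumes, which is most of what a read-only root needs. Shipping restrictive defaults here is the cheapest fix; `runAsNonRoot` is left out of the proposal because the image's user is not visible in this commit and must be confirmed first. `enableAnalytics: true` is likewise a default that sends usage telemetry out of the cluster from a chart vendored into Rancher; `false` as the opt-in default is the safer choice, and the `--enable-analytics` flag in deployment.yaml already honours whatever is set here.
```yaml
operator:
  # … unchanged: repository, tag, resources …
  # Security options the operator container should run with
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    # runAsNonRoot: true  # enable once the image's USER is confirmed non-root

# … unchanged: imagePullSecrets … apiserver …

# If true, sends usage analytics
enableAnalytics: false
```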
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# OWNERS file for Kubernetes
+OWNERS
\ No newline at end of file
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/Chart.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/Chart.yaml
new file mode 100644
index 00000000000..31bfb6701f1
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+appVersion: RELEASE.2022-03-24T00-43-44Z
+description: Multi-Cloud Object Storage
+home: https://min.io
+icon: https://min.io/resources/img/logo/MINIO_wordmark.png
+keywords:
+- minio
+- storage
+- object-storage
+- s3
+- cluster
+maintainers:
+- email: dev@minio.io
+ name: MinIO, Inc
+name: minio
+sources:
+- https://github.com/minio/minio
+version: 3.6.3
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/README.md b/charts/epinio/100.0.0+up0.9.1/charts/minio/README.md
new file mode 100644
index 00000000000..ad3eb7df774
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/README.md
@@ -0,0 +1,235 @@ +# MinIO Helm Chart + +[![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io) [![license](https://img.shields.io/badge/license-AGPL%20V3-blue)](https://github.com/minio/minio/blob/master/LICENSE) + +MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. It is API compatible with Amazon S3 cloud storage service. Use MinIO to build high performance infrastructure for machine learning, analytics and application data workloads. + +For more detailed documentation please visit [here](https://docs.minio.io/) + +## Introduction + +This chart bootstraps MinIO Cluster on [Kubernetes](http://kubernetes.io) using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Helm cli with Kubernetes cluster configured. +- PV provisioner support in the underlying infrastructure. (We recommend using ) +- Use Kubernetes version v1.19 and later for best experience. + +## Configure MinIO Helm repo + +```bash +helm repo add minio https://charts.min.io/ +``` + +### Installing the Chart + +Install this chart using: + +```bash +helm install --namespace minio --set rootUser=rootuser,rootPassword=rootpass123 --generate-name minio/minio +``` + +The command deploys MinIO on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +You can use Helm to update MinIO version in a live release. Assuming your release is named as `my-release`, get the values using the command: + +```bash +helm get values my-release > old_values.yaml +``` + +Then change the field `image.tag` in `old_values.yaml` file with MinIO image tag you want to use. Now update the chart using + +```bash +helm upgrade -f old_values.yaml my-release minio/minio +``` + +Default upgrade strategies are specified in the `values.yaml` file. Update these fields if you'd like to use a different strategy. 
+ +### Configuration + +Refer the [Values file](./values.yaml) for all the possible config fields. + +You can specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +helm install --name my-release --set persistence.size=1Ti minio/minio +``` + +The above command deploys MinIO server with a 1Ti backing persistent volume. + +Alternately, you can provide a YAML file that specifies parameter values while installing the chart. For example, + +```bash +helm install --name my-release -f values.yaml minio/minio +``` + +### Persistence + +This chart provisions a PersistentVolumeClaim and mounts corresponding persistent volume to default location `/export`. You'll need physical storage available in the Kubernetes cluster for this to work. If you'd rather use `emptyDir`, disable PersistentVolumeClaim by: + +```bash +helm install --set persistence.enabled=false minio/minio +``` + +> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."* + +### Existing PersistentVolumeClaim + +If a Persistent Volume Claim already exists, specify it during installation. + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```bash +helm install --set persistence.existingClaim=PVC_NAME minio/minio +``` + +### NetworkPolicy + +To enable network policy for MinIO, +install [a networking plugin that implements the Kubernetes +NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), +and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting +the DefaultDeny namespace annotation. 
Note: this will enforce policy for *all* pods in the namespace: + +``` +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 9000. + +For more precise policy, set `networkPolicy.allowExternal=true`. This will +only allow pods with the generated client label to connect to MinIO. +This label will be displayed in the output of a successful install. + +### Existing secret + +Instead of having this chart create the secret for you, you can supply a preexisting secret, much +like an existing PersistentVolumeClaim. + +First, create the secret: + +```bash +kubectl create secret generic my-minio-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux +``` + +Then install the chart, specifying that you want to use an existing secret: + +```bash +helm install --set existingSecret=my-minio-secret minio/minio +``` + +The following fields are expected in the secret: + +| .data.\ in Secret | Corresponding variable | Description | Required | +|:------------------------|:-----------------------|:---------------|:---------| +| `rootUser` | `rootUser` | Root user. | yes | +| `rootPassword` | `rootPassword` | Root password. | yes | + +All corresponding variables will be ignored in values file. + +### Configure TLS + +To enable TLS for MinIO containers, acquire TLS certificates from a CA or create self-signed certificates. While creating / acquiring certificates ensure the corresponding domain names are set as per the standard [DNS naming conventions](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-identity) in a Kubernetes StatefulSet (for a distributed MinIO setup). 
Then create a secret using + +```bash +kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt +``` + +Then install the chart, specifying that you want to use the TLS secret: + +```bash +helm install --set tls.enabled=true,tls.certSecret=tls-ssl-minio minio/minio +``` + +### Installing certificates from third party CAs + +MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include MinIO's own certificate with key `public.crt`, if it also needs to be trusted. + +For instance, given that TLS is enabled and you need to add trust for MinIO's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`: + +``` +kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt +``` + +If TLS is not enabled, you would need only the third party CA: + +``` +kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt +``` + +The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter: + +``` +trustedCertsSecret: "minio-trusted-certs" + +or + +--set trustedCertsSecret=minio-trusted-certs +``` + +### Create buckets after install + +Install the chart, specifying the buckets you want to create after install: + +```bash +helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false minio/minio +``` + +Description of the configuration parameters used above - + +- `buckets[].name` - name of the bucket to create, must be a string with length > 0 +- 
`buckets[].policy` - can be one of none|download|upload|public +- `buckets[].purge` - purge if bucket exists already + +33# Create policies after install +Install the chart, specifying the policies you want to create after install: + +```bash +helm install --set policies[0].name=mypolicy,policies[0].statements[0].resources[0]='arn:aws:s3:::bucket1',policies[0].statements[0].actions[0]='s3:ListBucket',policies[0].statements[0].actions[1]='s3:GetObject' minio/minio +``` + +Description of the configuration parameters used above - + +- `policies[].name` - name of the policy to create, must be a string with length > 0 +- `policies[].statements[]` - list of statements, includes actions and resources +- `policies[].statements[].resources[]` - list of resources that applies the statement +- `policies[].statements[].actions[]` - list of actions granted + +### Create user after install + +Install the chart, specifying the users you want to create after install: + +```bash +helm install --set users[0].accessKey=accessKey,users[0].secretKey=secretKey,users[0].policy=none,users[1].accessKey=accessKey2,users[1].secretRef=existingSecret,users[1].secretKey=password,users[1].policy=none minio/minio +``` + +Description of the configuration parameters used above - + +- `users[].accessKey` - accessKey of user +- `users[].secretKey` - secretKey of usersecretRef +- `users[].existingSecret` - secret name that contains the secretKey of user +- `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey +- `users[].policy` - name of the policy to assign to user + +## Uninstalling the Chart + +Assuming your release is named as `my-release`, delete it using the command: + +```bash +helm delete my-release +``` + +or + +```bash +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/NOTES.txt b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/NOTES.txt
new file mode 100644
index 00000000000..9337196945c
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/NOTES.txt
@@ -0,0 +1,43 @@ +{{- if eq .Values.service.type "ClusterIP" "NodePort" }} +MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: +{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +To access MinIO from localhost, run the below commands: + + 1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + + 2. kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }} + +Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/ + +You can now access MinIO server on http://localhost:9000. Follow the below steps to connect to MinIO server with mc client: + + 1. Download the MinIO mc client - https://docs.minio.io/docs/minio-client-quickstart-guide + + 2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@localhost:{{ .Values.service.port }} + + 3. mc ls {{ template "minio.fullname" . }}-local + +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} +MinIO can be accessed via port {{ .Values.service.port }} on an external IP address. Get the service external IP address by: +kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }} + +Note that the public IP may take a couple of minutes to be available. + +You can now access MinIO server on http://:9000. Follow the below steps to connect to MinIO server with mc client: + + 1. Download the MinIO mc client - https://docs.minio.io/docs/minio-client-quickstart-guide + + 2. export MC_HOST_{{ template "minio.fullname" . 
}}-local=http://$(kubectl get secret {{ template "minio.secretName" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@:{{ .Values.service.port }} + + 3. mc ls {{ template "minio.fullname" . }} + +Alternately, you can use your browser or the MinIO SDK to access the server - https://docs.minio.io/categories/17 +{{- end }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label +{{ template "minio.fullname" . }}-client=true" +will be able to connect to this minio cluster. +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_bucket.txt b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_bucket.txt new file mode 100644 index 00000000000..15bbb3bfa59 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_bucket.txt 
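Review bot: The NetworkPolicy note at the end of minio's NOTES.txt has an unbalanced quote: `{{ template "minio.fullname" . }}-client=true"` closes a string that was never opened, so the rendered label reads `...-client=true"`; it should be `"{{ template "minio.fullname" . }}-client=true"` or the stray quote dropped. The access URLs are also hardcoded to `http://` in both the ClusterIP/NodePort and LoadBalancer branches, while `_helper_create_bucket.txt` in the same commit switches scheme on `.Values.tls.enabled`, so the printed `MC_HOST_...` alias does not work against a TLS-enabled install; deriving the scheme the same way here would keep the two consistent. The LoadBalancer branch's `http://:9000` and `@:{{ .Values.service.port }}` look like an angle-bracket placeholder stripped by this rendering; worth checking against the source file rather than assuming the text is empty.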
@@ -0,0 +1,108 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkBucketExists ($bucket) +# Check if the bucket exists, by using the exit code of `mc ls` +checkBucketExists() { + BUCKET=$1 + CMD=$(${MC} ls myminio/$BUCKET > /dev/null 2>&1) + return $? +} + +# createBucket ($bucket, $policy, $purge) +# Ensure bucket exists, purging if asked to +createBucket() { + BUCKET=$1 + POLICY=$2 + PURGE=$3 + VERSIONING=$4 + + # Purge the bucket, if set & exists + # Since PURGE is user input, check explicitly for `true` + if [ $PURGE = true ]; then + if checkBucketExists $BUCKET ; then + echo "Purging bucket '$BUCKET'." + set +e ; # don't exit if this fails + ${MC} rm -r --force myminio/$BUCKET + set -e ; # reset `e` as active + else + echo "Bucket '$BUCKET' does not exist, skipping purge." + fi + fi + + # Create the bucket if it does not exist + if ! 
checkBucketExists $BUCKET ; then + echo "Creating bucket '$BUCKET'" + ${MC} mb myminio/$BUCKET + else + echo "Bucket '$BUCKET' already exists." + fi + + + # set versioning for bucket + if [ ! -z $VERSIONING ] ; then + if [ $VERSIONING = true ] ; then + echo "Enabling versioning for '$BUCKET'" + ${MC} version enable myminio/$BUCKET + elif [ $VERSIONING = false ] ; then + echo "Suspending versioning for '$BUCKET'" + ${MC} version suspend myminio/$BUCKET + fi + else + echo "Bucket '$BUCKET' versioning unchanged." + fi + + # At this point, the bucket should exist, skip checking for existence + # Set policy on the bucket + echo "Setting policy of bucket '$BUCKET' to '$POLICY'." + ${MC} policy set $POLICY myminio/$BUCKET +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.buckets }} +# Create the buckets +{{- range .Values.buckets }} +createBucket {{ .name }} {{ .policy }} {{ .purge }} {{ .versioning }} +{{- end }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_policy.txt b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_policy.txt new file mode 100644 index 00000000000..d565b161e35 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_policy.txt 
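Review bot: `MC="/usr/bin/mc --insecure ..."` in both branches of the `configPathmc` block disables TLS certificate verification unconditionally, so when `tls.enabled` is true (the `scheme=https` branch at the bottom of the hunk) the root credentials read from `/config/rootUser` and `/config/rootPassword` are sent to whatever endpoint answers at `$MINIO_ENDPOINT:$MINIO_PORT` without checking its certificate. The flag should be opt-in through a values setting rather than hard-coded; the same preamble is repeated in `_helper_create_policy.txt`, `_helper_create_user.txt` and `_helper_custom_command.txt` in this commit and would need the same treatment. In `createBucket`, `if [ $PURGE = true ]` and `if [ ! -z $VERSIONING ]` use unquoted expansions, so when a bucket entry in values omits `purge` or `versioning` the rendered call has fewer positional arguments and the test degenerates to `[ = true ]`, which `[` rejects with an error; quoting as `[ "$PURGE" = true ]` and `[ -n "$VERSIONING" ]` keeps the checks well-formed. The comment `# 1 second intervals between attempts` next to `sleep 2` no longer matches the code and should say two seconds.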
@@ -0,0 +1,75 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkPolicyExists ($policy) +# Check if the policy exists, by using the exit code of `mc admin policy info` +checkPolicyExists() { + POLICY=$1 + CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1) + return $? +} + +# createPolicy($name, $filename) +createPolicy () { + NAME=$1 + FILENAME=$2 + + # Create the name if it does not exist + echo "Checking policy: $NAME (in /config/$FILENAME.json)" + if ! checkPolicyExists $NAME ; then + echo "Creating policy '$NAME'" + else + echo "Policy '$NAME' already exists." 
+ fi + ${MC} admin policy add myminio $NAME /config/$FILENAME.json + +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.policies }} +# Create the policies +{{- range $idx, $policy := .Values.policies }} +createPolicy {{ $policy.name }} policy_{{ $idx }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_user.txt b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_user.txt new file mode 100644 index 00000000000..565413eda8b --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_create_user.txt 
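Review bot: In `createPolicy`, the comment `# Create the name if it does not exist` and the `if ! checkPolicyExists $NAME` branch only select a log message — `${MC} admin policy add myminio $NAME /config/$FILENAME.json` sits after the `fi` and runs on every invocation, so an existing policy is replaced by the rendered `/config/policy_<idx>.json` even though the log says `Policy '$NAME' already exists.`. If overwriting is intended (it keeps the server policy in sync with values), the comment should say so, e.g. `# Create or update the policy; 'policy add' replaces an existing definition`; if not, move the `add` into the `then` branch. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the sibling helper scripts.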
@@ -0,0 +1,87 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkUserExists ($username) +# Check if the user exists, by using the exit code of `mc admin user info` +checkUserExists() { + USER=$1 + CMD=$(${MC} admin user info myminio $USER > /dev/null 2>&1) + return $? +} + +# createUser ($username, $password, $policy) +createUser() { + USER=$1 + PASS=$2 + POLICY=$3 + + # Create the user if it does not exist + if ! checkUserExists $USER ; then + echo "Creating user '$USER'" + ${MC} admin user add myminio $USER $PASS + else + echo "User '$USER' already exists." + fi + + + # set policy for user + if [ ! -z $POLICY -a $POLICY != " " ] ; then + echo "Adding policy '$POLICY' for '$USER'" + ${MC} admin policy set myminio $POLICY user=$USER + else + echo "User '$USER' has no policy attached." 
+ fi +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.users }} +# Create the users +{{- range .Values.users }} +{{- if .existingSecret }} +createUser {{ .accessKey }} $(cat /config/secrets/{{ .accessKey }}) {{ .policy }} +{{ else }} +createUser {{ .accessKey }} {{ .secretKey }} {{ .policy }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_custom_command.txt b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_custom_command.txt new file mode 100644 index 00000000000..b583a7782f1 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_custom_command.txt 
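Review bot: `createUser {{ .accessKey }} {{ .secretKey }} {{ .policy }}` in the `else` branch near the end of the hunk renders each user's secret key into the script text, and `configmap.yaml` later in this commit stores this rendered script under the `add-user` key of a ConfigMap, so plaintext credentials end up in a non-Secret object readable by anyone with ConfigMap read access in the namespace. The `existingSecret` branch (`$(cat /config/secrets/{{ .accessKey }})`) already shows the safe pattern; consider making it the only path, or at least documenting in values that a literal `secretKey` is persisted in a ConfigMap. Separately, `[ ! -z $POLICY -a $POLICY != " " ]` uses unquoted expansions, so with `policy` unset the test becomes `[ ! -z -a != " " ]`, which `[` rejects; `[ -n "$POLICY" ] && [ "$POLICY" != " " ]` is the portable fix. The password is also passed as a positional argument to `mc admin user add`, which exposes it in the job pod's process list for the duration of the call.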
@@ -0,0 +1,58 @@ +#!/bin/sh +set -e ; # Have script exit in the event of a failed command. + +{{- if .Values.configPathmc }} +MC_CONFIG_DIR="{{ .Values.configPathmc }}" +MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}" +{{- else }} +MC="/usr/bin/mc --insecure" +{{- end }} + +# connectToMinio +# Use a check-sleep-check loop to wait for MinIO service to be available +connectToMinio() { + SCHEME=$1 + ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS = 0 ] + do + ATTEMPTS=`expr $ATTEMPTS + 1` ; + echo \"Failed attempts: $ATTEMPTS\" ; + if [ $ATTEMPTS -gt $LIMIT ]; then + exit 1 ; + fi ; + sleep 2 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# runCommand ($@) +# Run custom mc command +runCommand() { + ${MC} "$@" + return $? +} + +# Try connecting to MinIO instance +{{- if .Values.tls.enabled }} +scheme=https +{{- else }} +scheme=http +{{- end }} +connectToMinio $scheme + +{{ if .Values.customCommands }} +# Run custom commands +{{- range .Values.customCommands }} +runCommand {{ .command }} +{{- end }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_policy.tpl b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_policy.tpl new file mode 100644 index 00000000000..83a2e153b66 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helper_policy.tpl 
@@ -0,0 +1,18 @@
+{{- $statements_length := len .statements -}}
+{{- $statements_length := sub $statements_length 1 -}}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+{{- range $i, $statement := .statements }}
+ {
+ "Effect": "Allow",
+ "Action": [
+"{{ $statement.actions | join "\",\n\"" }}"
+ ]{{ if $statement.resources }},
+ "Resource": [
+"{{ $statement.resources | join "\",\n\"" }}"
+ ]{{ end }}
+ }{{ if lt $i $statements_length }},{{end }}
+{{- end }}
+ ]
+}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helpers.tpl b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helpers.tpl
new file mode 100644
index 00000000000..06e419f76c4
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/_helpers.tpl
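Review bot: The policy JSON is assembled by string concatenation — `"{{ $statement.actions | join "\",\n\"" }}"` and the matching `resources` line rely on every value containing no `"` or `\`, and an empty `actions` list still renders as `[""]`, which is syntactically valid JSON but a nonsensical policy that the server may reject at `mc admin policy add` time. Sprig's `toJson` handles escaping and the inner separators in one step: `"Action": {{ $statement.actions | toJson }}` and `"Resource": {{ $statement.resources | toJson }}` would replace the hand-built arrays. As a point of style, `$statements_length` is declared twice with `:=`; the second occurrence is an assignment and reads more clearly as `{{- $statements_length = sub $statements_length 1 -}}`.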
@@ -0,0 +1,216 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "minio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "minio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "minio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "minio.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.Version -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare ">=1.7-0, <1.16-0" .Capabilities.KubeVersion.Version -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else if semverCompare "^1.16-0" .Capabilities.KubeVersion.Version -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "minio.deployment.apiVersion" -}} +{{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.Version -}} +{{- print "apps/v1beta2" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. 
+*/}} +{{- define "minio.statefulset.apiVersion" -}} +{{- if semverCompare "<1.16-0" .Capabilities.KubeVersion.Version -}} +{{- print "apps/v1beta2" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "minio.ingress.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for console ingress. +*/}} +{{- define "minio.consoleIngress.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Determine secret name. +*/}} +{{- define "minio.secretName" -}} +{{- if .Values.existingSecret -}} +{{- .Values.existingSecret }} +{{- else -}} +{{- include "minio.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Determine name for scc role and rolebinding +*/}} +{{- define "minio.sccRoleName" -}} +{{- printf "%s-%s" "scc" (include "minio.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Properly format optional additional arguments to MinIO binary +*/}} +{{- define "minio.extraArgs" -}} +{{- range .Values.extraArgs -}} +{{ " " }}{{ . }} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "minio.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. 
+Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- end -}} + +{{/* +Formats volumeMount for MinIO TLS keys and trusted certs +*/}} +{{- define "minio.tlsKeysVolumeMount" -}} +{{- if .Values.tls.enabled }} +- name: cert-secret-volume + mountPath: {{ .Values.certsPath }} +{{- end }} +{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }} +{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }} +- name: trusted-cert-secret-volume + mountPath: {{ $casPath }} +{{- end }} +{{- end -}} + +{{/* +Formats volume for MinIO TLS keys and trusted certs +*/}} +{{- define "minio.tlsKeysVolume" -}} +{{- if .Values.tls.enabled }} +- name: cert-secret-volume + secret: + secretName: {{ .Values.tls.certSecret }} + items: + - key: {{ .Values.tls.publicCrt }} + path: public.crt + - key: {{ .Values.tls.privateKey }} + path: private.key +{{- end }} +{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }} +{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }} +{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }} +- name: trusted-cert-secret-volume + secret: + secretName: {{ $certSecret }} + {{- if ne $publicCrt "" }} + items: + - key: {{ $publicCrt }} + path: public.crt + {{- end }} +{{- end }} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, add below linux tolerations to +workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: 
"NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +URL prefix for container images to be compatible with Rancher +*/}} +{{- define "registry-url" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/ +{{- end -}} +{{- end -}} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/configmap.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/configmap.yaml new file mode 100644 index 00000000000..95a7c6038a3 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/configmap.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + initialize: |- +{{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }} + add-user: |- +{{ include (print $.Template.BasePath "/_helper_create_user.txt") . | indent 4 }} + add-policy: |- +{{ include (print $.Template.BasePath "/_helper_create_policy.txt") . | indent 4 }} +{{- range $idx, $policy := .Values.policies }} + # {{ $policy.name }} + policy_{{ $idx }}.json: |- +{{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }} +{{ end }} + custom-command: |- +{{ include (print $.Template.BasePath "/_helper_custom_command.txt") . | indent 4 }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/console-ingress.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/console-ingress.yaml new file mode 100644 index 00000000000..2ce9a93bf3f --- /dev/null 
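Review bot: In `minio.imagePullSecrets`, both fallback branches render `imagePullSecrets:` followed by `  {{ toYaml .Values.imagePullSecrets }}` — the two-space prefix applies only to the first line of `toYaml`'s output, so a list with more than one entry produces sequence items at different indentation and the Deployment that includes this helper with `indent 6` fails to parse (the `global.imagePullSecrets` branch above, which ranges explicitly, does not have this problem). Replace the line in both places with `{{- toYaml .Values.imagePullSecrets | nindent 2 }}`. The file also mixes `.Capabilities.KubeVersion.GitVersion` (`minio.ingress.apiVersion`, `minio.consoleIngress.apiVersion`, `linux-node-selector`) with `.Capabilities.KubeVersion.Version` (`minio.networkPolicy.apiVersion`, `minio.deployment.apiVersion`, `minio.statefulset.apiVersion`) for the same kind of check; in Helm 3 `GitVersion` is the deprecated spelling of `Version`, so using `Version` throughout would be consistent.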
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/console-ingress.yaml @@ -0,0 +1,58 @@ +{{- if .Values.consoleIngress.enabled -}} +{{- $fullName := printf "%s-console" (include "minio.fullname" .) -}} +{{- $servicePort := .Values.consoleService.port -}} +{{- $ingressPath := .Values.consoleIngress.path -}} +apiVersion: {{ template "minio.consoleIngress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- with .Values.consoleIngress.labels }} +{{ toYaml . | indent 4 }} +{{- end }} + +{{- with .Values.consoleIngress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if .Values.consoleIngress.ingressClassName }} + ingressClassName: {{ .Values.consoleIngress.ingressClassName }} +{{- end }} +{{- if .Values.consoleIngress.tls }} + tls: + {{- range .Values.consoleIngress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.consoleIngress.hosts }} + - http: + paths: + - path: {{ $ingressPath }} + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- if . }} + host: {{ . | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/console-service.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/console-service.yaml new file mode 100644 index 00000000000..f4b1294e5db --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/console-service.yaml 
@@ -0,0 +1,48 @@ +{{ $scheme := "http" }} +{{- if .Values.tls.enabled }} +{{ $scheme = "https" }} +{{ end }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "minio.fullname" . }}-console + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.consoleService.annotations }} + annotations: +{{ toYaml .Values.consoleService.annotations | indent 4 }} +{{- end }} +spec: +{{- if (or (eq .Values.consoleService.type "ClusterIP" "") (empty .Values.consoleService.type)) }} + type: ClusterIP + {{- if not (empty .Values.consoleService.clusterIP) }} + clusterIP: {{ .Values.consoleService.clusterIP }} + {{end}} +{{- else if eq .Values.consoleService.type "LoadBalancer" }} + type: {{ .Values.consoleService.type }} + loadBalancerIP: {{ default "" .Values.consoleService.loadBalancerIP }} +{{- else }} + type: {{ .Values.consoleService.type }} +{{- end }} + ports: + - name: {{ $scheme }} + port: {{ .Values.consoleService.port }} + protocol: TCP +{{- if (and (eq .Values.consoleService.type "NodePort") ( .Values.consoleService.nodePort)) }} + nodePort: {{ .Values.consoleService.nodePort }} +{{- else }} + targetPort: {{ .Values.consoleService.port }} +{{- end}} +{{- if .Values.consoleService.externalIPs }} + externalIPs: +{{- range $i , $ip := .Values.consoleService.externalIPs }} + - {{ $ip }} +{{- end }} +{{- end }} + selector: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/deployment.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/deployment.yaml new file mode 100644 index 00000000000..dfd590fe10e --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/deployment.yaml 
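Review bot: The console Service forwards to `targetPort: {{ .Values.consoleService.port }}`, but `deployment.yaml` in this commit exposes the console container port as `containerPort: {{ .Values.minioConsolePort }}` under the name `{{ $scheme }}-console`, so unless the two values are kept equal the Service points at a port nothing listens on. Referencing the container port by name, `targetPort: {{ $scheme }}-console`, ties the Service to whatever `minioConsolePort` is and removes the coupling. Also, `loadBalancerIP: {{ default "" .Values.consoleService.loadBalancerIP }}` renders `loadBalancerIP:` with an empty value (YAML null) when the setting is unset; wrapping it in `{{- with .Values.consoleService.loadBalancerIP }}` / `loadBalancerIP: {{ . }}` / `{{- end }}` omits the field instead.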
@@ -0,0 +1,173 @@ +{{- if eq .Values.mode "standalone" }} +{{ $scheme := "http" }} +{{- if .Values.tls.enabled }} +{{ $scheme = "https" }} +{{ end }} +{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} +apiVersion: {{ template "minio.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | trimSuffix "\n" | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | trimSuffix "\n" | indent 4 }} +{{- end }} +spec: + strategy: + type: {{ .Values.DeploymentUpdate.type }} + {{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }} + rollingUpdate: + maxSurge: {{ .Values.DeploymentUpdate.maxSurge }} + maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }} + {{- end}} + replicas: 1 + selector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + template: + metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if not .Values.ignoreChartChecksums }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . 
| sha256sum }} +{{- end }} +{{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }} +{{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} +{{- if and .Values.securityContext.enabled .Values.persistence.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- end }} +{{- end }} +{{ if .Values.serviceAccount.create }} + serviceAccountName: {{ .Values.serviceAccount.name }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "/bin/sh" + - "-ce" + - "/usr/bin/docker-entrypoint.sh minio server {{ $bucketRoot }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template "minio.extraArgs" . }}" + volumeMounts: + - name: minio-user + mountPath: "/tmp/credentials" + readOnly: true + {{- if .Values.persistence.enabled }} + - name: export + mountPath: {{ .Values.mountPath }} + {{- if .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" + {{- end }} + {{- end }} + {{- if .Values.extraSecret }} + - name: extra-secret + mountPath: "/tmp/minio-config-env" + {{- end }} + {{- include "minio.tlsKeysVolumeMount" . | indent 12 }} + ports: + - name: {{ $scheme }} + containerPort: {{ .Values.minioAPIPort }} + - name: {{ $scheme }}-console + containerPort: {{ .Values.minioConsolePort }} + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . 
}} + key: rootUser + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootPassword + {{- if .Values.extraSecret }} + - name: MINIO_CONFIG_ENV_FILE + value: "/tmp/minio-config-env/config.env" + {{- end}} + {{- if .Values.metrics.serviceMonitor.public }} + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: "public" + {{- end}} + {{- if .Values.etcd.endpoints }} + - name: MINIO_ETCD_ENDPOINTS + value: {{ join "," .Values.etcd.endpoints | quote }} + {{- if .Values.etcd.clientCert }} + - name: MINIO_ETCD_CLIENT_CERT + value: "/tmp/credentials/etcd_client_cert.pem" + {{- end }} + {{- if .Values.etcd.clientCertKey }} + - name: MINIO_ETCD_CLIENT_CERT_KEY + value: "/tmp/credentials/etcd_client_cert_key.pem" + {{- end }} + {{- if .Values.etcd.pathPrefix }} + - name: MINIO_ETCD_PATH_PREFIX + value: {{ .Values.etcd.pathPrefix }} + {{- end }} + {{- if .Values.etcd.corednsPathPrefix }} + - name: MINIO_ETCD_COREDNS_PATH + value: {{ .Values.etcd.corednsPathPrefix }} + {{- end }} + {{- end }} + {{- range $key, $val := .Values.environment }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end}} + resources: +{{ toYaml .Values.resources | indent 12 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} +{{- include "minio.imagePullSecrets" . | indent 6 }} +{{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: export + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.extraSecret }} + - name: extra-secret + secret: + secretName: {{ .Values.extraSecret }} + {{- end }} + - name: minio-user + secret: + secretName: {{ template "minio.secretName" . 
}} + {{- include "minio.tlsKeysVolume" . | indent 8 }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/gateway-deployment.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/gateway-deployment.yaml new file mode 100644 index 00000000000..beb3f85d112 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/gateway-deployment.yaml 
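Review bot: `{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}` in the pod spec drops the entire pod `securityContext` (`runAsUser`, `runAsGroup`, `fsGroup`) whenever persistence is disabled, so a standalone deployment on `emptyDir: {}` runs as the image's default user even when `securityContext.enabled` is true; only `fsGroup`/`fsGroupChangePolicy` depend on a volume, so `runAsUser`/`runAsGroup` should be gated on `securityContext.enabled` alone (`gateway-deployment.yaml` in this commit has the same gate). The version test `{{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}` compares strings lexically, so a `Minor` of `"9"` passes and vendor-suffixed values such as `"21+"` behave unpredictably; `{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}`, the form `_helpers.tpl` already uses, is the safer check. There is also no container-level `securityContext` on the `{{ .Chart.Name }}` container (for example `allowPrivilegeEscalation: false`); if the chart intends to let users harden the container, a `{{- with .Values.containerSecurityContext }}`-style block with a `toYaml` would be the usual pattern (values key name is a placeholder).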
@@ -0,0 +1,179 @@ +{{- if eq .Values.mode "gateway" }} +{{ $scheme := "http" }} +{{- if .Values.tls.enabled }} +{{ $scheme = "https" }} +{{ end }} +{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} +apiVersion: {{ template "minio.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | trimSuffix "\n" | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | trimSuffix "\n" | indent 4 }} +{{- end }} +spec: + strategy: + type: {{ .Values.DeploymentUpdate.type }} + {{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }} + rollingUpdate: + maxSurge: {{ .Values.DeploymentUpdate.maxSurge }} + maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }} + {{- end}} + replicas: {{ .Values.gateway.replicas }} + selector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + template: + metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if not .Values.ignoreChartChecksums }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . 
| sha256sum }} +{{- end }} +{{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }} +{{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} +{{- if and .Values.securityContext.enabled .Values.persistence.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + fsGroup: {{ .Values.securityContext.fsGroup }} +{{- end }} +{{ if .Values.serviceAccount.create }} + serviceAccountName: {{ .Values.serviceAccount.name }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "/bin/sh" + - "-ce" + {{- if eq .Values.gateway.type "nas" }} + - "/usr/bin/docker-entrypoint.sh minio gateway nas {{ $bucketRoot }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template "minio.extraArgs" . }} " + {{- end }} + {{- if eq .Values.gateway.type "gcs" }} + - "/usr/bin/docker-entrypoint.sh minio gateway gcs {{ .Values.gateway.gcs.projectId }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template "minio.extraArgs" . }} " + {{- end }} + volumeMounts: + - name: minio-user + mountPath: "/tmp/credentials" + readOnly: true + {{- if .Values.persistence.enabled }} + - name: export + mountPath: {{ .Values.mountPath }} + {{- if .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" + {{- end }} + {{- end }} + {{- if .Values.extraSecret }} + - name: extra-secret + mountPath: "/tmp/minio-config-env" + {{- end }} + {{- include "minio.tlsKeysVolumeMount" . 
| indent 12 }} + ports: + - name: {{ $scheme }} + containerPort: {{ .Values.minioAPIPort }} + - name: {{ $scheme }}-console + containerPort: {{ .Values.minioConsolePort }} + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootUser + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootPassword + {{- if .Values.extraSecret }} + - name: MINIO_CONFIG_ENV_FILE + value: "/tmp/minio-config-env/config.env" + {{- end}} + {{- if eq .Values.gateway.type "gcs" }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: "/tmp/credentials/service-account-file.json" + {{- end }} + {{- if .Values.metrics.serviceMonitor.public }} + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: "public" + {{- end}} + {{- if .Values.etcd.endpoints }} + - name: MINIO_ETCD_ENDPOINTS + value: {{ join "," .Values.etcd.endpoints | quote }} + {{- if .Values.etcd.clientCert }} + - name: MINIO_ETCD_CLIENT_CERT + value: "/tmp/credentials/etcd_client.crt" + {{- end }} + {{- if .Values.etcd.clientCertKey }} + - name: MINIO_ETCD_CLIENT_CERT_KEY + value: "/tmp/credentials/etcd_client.key" + {{- end }} + {{- if .Values.etcd.pathPrefix }} + - name: MINIO_ETCD_PATH_PREFIX + value: {{ .Values.etcd.pathPrefix }} + {{- end }} + {{- if .Values.etcd.corednsPathPrefix }} + - name: MINIO_ETCD_COREDNS_PATH + value: {{ .Values.etcd.corednsPathPrefix }} + {{- end }} + {{- end }} + {{- range $key, $val := .Values.environment }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end}} + resources: +{{ toYaml .Values.resources | indent 12 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} +{{- include "minio.imagePullSecrets" . | indent 6 }} +{{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.tolerations }} + {{ toYaml . 
| indent 8 }} + {{- end }} + volumes: + - name: export + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: minio-user + secret: + secretName: {{ template "minio.secretName" . }} + {{- if .Values.extraSecret }} + - name: extra-secret + secret: + secretName: {{ .Values.extraSecret }} + {{- end }} + {{- include "minio.tlsKeysVolume" . | indent 8 }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/ingress.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/ingress.yaml new file mode 100644 index 00000000000..8d9a837dc88 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/ingress.yaml 
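Review bot: The `- name: {{ .Chart.Name }}` container in the gateway Deployment carries no `securityContext`, and the pod-level one is rendered only when `securityContext.enabled` and `persistence.enabled` are both set, so a `gcs` gateway (which needs no persistent volume) runs with the image defaults. I would add a container-level block next to `volumeMounts` with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, and gate the pod-level block on `securityContext.enabled` alone. `value: {{ .Values.etcd.pathPrefix }}` and `value: {{ .Values.etcd.corednsPathPrefix }}` are unquoted while the sibling `MINIO_ETCD_ENDPOINTS` uses `| quote`; an env `value` must be a string, so a prefix that YAML types as a number is rejected by the API server — use `value: {{ .Values.etcd.pathPrefix | quote }}`. The `-ce` command strings also interpolate `{{ $bucketRoot }}` and `{{ .Values.gateway.gcs.projectId }}` into a shell line unquoted, so a value containing whitespace or shell metacharacters alters the parsed command; wrapping each in single quotes inside the string keeps it a single argument.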
@@ -0,0 +1,58 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "minio.fullname" . -}}
+{{- $servicePort := .Values.service.port -}}
+{{- $ingressPath := .Values.ingress.path -}}
+apiVersion: {{ template "minio.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- with .Values.ingress.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+
+{{- with .Values.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.ingress.ingressClassName }}
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+{{- end }}
+{{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - http:
+ paths:
+ - path: {{ $ingressPath }}
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $servicePort }}
+ {{- else }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: {{ $servicePort }}
+ {{- end }}
+ {{- if . }}
+ host: {{ . | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/networkpolicy.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/networkpolicy.yaml
new file mode 100644
index 00000000000..68a2599571d
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/networkpolicy.yaml
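Review bot: `secretName: {{ .secretName }}` and `ingressClassName: {{ .Values.ingress.ingressClassName }}` are rendered unquoted while `host` goes through `| quote` in the same file; a `| quote` on both keeps a value such as an all-digit class name from being typed as a number. The `pathType: Prefix` backend form is selected by `semverCompare ">=1.19-0"`, but `apiVersion` comes from the `minio.ingress.apiVersion` helper defined outside this diff — presumably it switches to `networking.k8s.io/v1` at the same threshold; if not, a cluster between the two cut-offs gets a backend shape the chosen API version does not accept, so a one-line comment above the `semverCompare` naming that coupling would help. The stray empty `+` line between the labels and annotations blocks renders as a blank line inside `metadata` and can be dropped.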
@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "minio.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ template "minio.name" . }}
+ release: {{ .Release.Name }}
+ ingress:
+ - ports:
+ - port: {{ .Values.service.port }}
+ - port: {{ .Values.consoleService.port }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "minio.name" . }}-client: "true"
+ {{- end }}
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/poddisruptionbudget.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/poddisruptionbudget.yaml
new file mode 100644
index 00000000000..8037eb74300
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/poddisruptionbudget.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: minio
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "minio.name" . }}
+spec:
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ selector:
+ matchLabels:
+ app: {{ template "minio.name" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-bucket-job.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-bucket-job.yaml
new file mode 100644
index 00000000000..5a42f96f048
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-bucket-job.yaml
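Review bot: With `allowExternal: true` the single `ingress` entry under `spec` has `ports` but no `from`, which admits traffic from every peer the CNI routes rather than only from other namespaces, and the restricted branch uses a bare `podSelector`, so only pods in `.Release.Namespace` can make use of the `{{ template "minio.name" . }}-client: "true"` label. Both are defensible defaults but surprise readers; a comment above `{{- if not .Values.networkPolicy.allowExternal }}` such as `# allowExternal=true → no from: clause, open to all peers; the -client label is only honoured within the release namespace` would make the trust boundary explicit. `policyTypes` is unset, so egress stays unrestricted — worth a second comment rather than leaving it implicit.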
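Review bot: `apiVersion: policy/v1beta1` is hard-coded in the PodDisruptionBudget while the Deployment, Ingress and NetworkPolicy resolve their versions through `minio.*.apiVersion` helpers; `policy/v1` has existed since Kubernetes 1.21 and `v1beta1` was removed in 1.25, so this template stops applying on current clusters. A `.Capabilities.APIVersions.Has "policy/v1"` switch, like the one securitycontextconstraints.yaml already uses for `security.openshift.io/v1`, would resolve it. `name: minio` is also a fixed name instead of `{{ template "minio.fullname" . }}`, so two releases in one namespace collide on the same object, and the file ends without a trailing newline.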
@@ -0,0 +1,86 @@ +{{- if .Values.buckets }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "minio.fullname" . }}-make-bucket-job + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }}-make-bucket-job + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.makeBucketJob.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ template "minio.name" . }}-job + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} +{{- if .Values.makeBucketJob.podAnnotations }} + annotations: +{{ toYaml .Values.makeBucketJob.podAnnotations | indent 8 }} +{{- end }} + spec: + restartPolicy: OnFailure +{{- include "minio.imagePullSecrets" . | indent 6 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} +{{- with .Values.makeBucketJob.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.makeBucketJob.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} +{{- if .Values.makeBucketJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makeBucketJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makeBucketJob.securityContext.runAsGroup }} + fsGroup: {{ .Values.makeBucketJob.securityContext.fsGroup }} +{{- end }} + volumes: + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }} + - secret: + name: {{ template "minio.secretName" . 
}} + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + secret: + secretName: {{ .Values.tls.certSecret }} + items: + - key: {{ .Values.tls.publicCrt }} + path: CAs/public.crt + {{ end }} + containers: + - name: minio-mc + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + command: ["/bin/sh", "/config/initialize"] + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{ end }} + resources: +{{ toYaml .Values.makeBucketJob.resources | indent 10 }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-policy-job.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-policy-job.yaml new file mode 100644 index 00000000000..87d0ad2e7ef --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-policy-job.yaml 
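Review bot: This Job template is duplicated almost line for line in post-install-create-policy-job.yaml, post-install-create-user-job.yaml and post-install-custom-command.yaml (the hunks that follow), differing only in the `makeBucketJob`/`makePolicyJob`/`makeUserJob`/`customCommandJob` value prefix and the script name in `command`; a single named template taking those two as parameters would stop the copies drifting and fix the shared issues once. Those shared issues are the `{{ end }}` closing both `tls.enabled` blocks, which lacks the `-` every other `end` in the file has and so leaves indented blank lines in the rendered manifest, and `mountPath: {{ .Values.configPathmc }}certs`, which silently depends on `configPathmc` ending in a slash — `| quote` on the result and a comment stating that requirement would help. None of the four Jobs sets `backoffLimit` or `activeDeadlineSeconds` under `spec`, so a script that can never succeed (it lives in the ConfigMap, outside this diff) retries up to the Job default and holds the `post-install`/`post-upgrade` hook until Helm's own timeout; bounding it explicitly makes the failure mode predictable.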
@@ -0,0 +1,86 @@ +{{- if .Values.policies }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "minio.fullname" . }}-make-policies-job + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }}-make-policies-job + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.makePolicyJob.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ template "minio.name" . }}-job + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} +{{- if .Values.makePolicyJob.podAnnotations }} + annotations: +{{ toYaml .Values.makePolicyJob.podAnnotations | indent 8 }} +{{- end }} + spec: + restartPolicy: OnFailure +{{- include "minio.imagePullSecrets" . | indent 6 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} +{{- with .Values.makePolicyJob.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.makePolicyJob.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} +{{- if .Values.makePolicyJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }} + fsGroup: {{ .Values.makePolicyJob.securityContext.fsGroup }} +{{- end }} + volumes: + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }} + - secret: + name: {{ template "minio.secretName" . 
}} + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + secret: + secretName: {{ .Values.tls.certSecret }} + items: + - key: {{ .Values.tls.publicCrt }} + path: CAs/public.crt + {{ end }} + containers: + - name: minio-mc + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + command: ["/bin/sh", "/config/add-policy"] + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{ end }} + resources: +{{ toYaml .Values.makePolicyJob.resources | indent 10 }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-user-job.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-user-job.yaml new file mode 100644 index 00000000000..1972661dfe9 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-create-user-job.yaml 
@@ -0,0 +1,95 @@ +{{- if .Values.users }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "minio.fullname" . }}-make-user-job + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }}-make-user-job + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.makeUserJob.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ template "minio.name" . }}-job + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} +{{- if .Values.makeUserJob.podAnnotations }} + annotations: +{{ toYaml .Values.makeUserJob.podAnnotations | indent 8 }} +{{- end }} + spec: + restartPolicy: OnFailure +{{- include "minio.imagePullSecrets" . | indent 6 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} +{{- with .Values.makeUserJob.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.makeUserJob.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} +{{- if .Values.makeUserJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makeUserJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makeUserJob.securityContext.runAsGroup }} + fsGroup: {{ .Values.makeUserJob.securityContext.fsGroup }} +{{- end }} + volumes: + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }} + - secret: + name: {{ template "minio.secretName" . 
}} + {{- range .Values.users }} + {{- if .existingSecret }} + - secret: + name: {{ .existingSecret }} + items: + - key: {{ .existingSecretKey }} + path: secrets/{{ .accessKey }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + secret: + secretName: {{ .Values.tls.certSecret }} + items: + - key: {{ .Values.tls.publicCrt }} + path: CAs/public.crt + {{ end }} + containers: + - name: minio-mc + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + command: ["/bin/sh", "/config/add-user"] + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{ end }} + resources: +{{ toYaml .Values.makeUserJob.resources | indent 10 }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-custom-command.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-custom-command.yaml new file mode 100644 index 00000000000..40b798a874a --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/post-install-custom-command.yaml 
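Review bot: `path: secrets/{{ .accessKey }}` under the `range .Values.users` block turns a user-supplied access key into a file name inside the projected volume; the API server rejects `..` and absolute paths in projected `items`, but a key containing `/` silently becomes a subdirectory that `/config/add-user` (not visible here) may not look for. Quoting the value, `path: "secrets/{{ .accessKey }}"`, and `key: {{ .existingSecretKey | quote }}` keep both as strings, and a comment above the `range` noting that `accessKey` must be a plain file-name-safe token would set the expectation. The loop also adds the same `existingSecret` as a separate projected source for every user that names it, which is harmless but worth a comment.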
@@ -0,0 +1,86 @@ +{{- if .Values.customCommands }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "minio.fullname" . }}-custom-command-job + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }}-custom-command-job + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.customCommandJob.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ template "minio.name" . }}-job + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} +{{- if .Values.customCommandJob.podAnnotations }} + annotations: +{{ toYaml .Values.customCommandJob.podAnnotations | indent 8 }} +{{- end }} + spec: + restartPolicy: OnFailure +{{- include "minio.imagePullSecrets" . | indent 6 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} +{{- with .Values.customCommandJob.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.customCommandJob.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} +{{- if .Values.customCommandJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.customCommandJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.customCommandJob.securityContext.runAsGroup }} + fsGroup: {{ .Values.customCommandJob.securityContext.fsGroup }} +{{- end }} + volumes: + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }} + - secret: + name: {{ template "minio.secretName" . 
}} + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + secret: + secretName: {{ .Values.tls.certSecret }} + items: + - key: {{ .Values.tls.publicCrt }} + path: CAs/public.crt + {{ end }} + containers: + - name: minio-mc + image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + command: ["/bin/sh", "/config/custom-command"] + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{ end }} + resources: +{{ toYaml .Values.customCommandJob.resources | indent 10 }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/pvc.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/pvc.yaml new file mode 100644 index 00000000000..84568e76fb1 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/pvc.yaml 
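Review bot: The file has no comment stating what `/config/custom-command` runs or with which credentials, even though the projected `minio-configuration` volume gives it the `minio.secretName` Secret (root user and password per secrets.yaml) alongside the scripts; a header such as `# Runs every entry of .Values.customCommands (presumably via mc) with the root credentials from minio.secretName — review values overrides before enabling` would document that trust. The script itself lives in the ConfigMap, which is outside this diff, so I cannot confirm how the commands are invoked.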
@@ -0,0 +1,31 @@
+{{- if eq .Values.mode "standalone" }}
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ template "minio.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+ storageClassName: ""
+{{- else }}
+ storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- if .Values.persistence.VolumeName }}
+ volumeName: "{{ .Values.persistence.VolumeName }}"
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/secrets.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/secrets.yaml
new file mode 100644
index 00000000000..81c257d32b5
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/secrets.yaml
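Review bot: This PersistentVolumeClaim only renders when `mode` is `standalone`, yet the gateway Deployment in the earlier hunk mounts `claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }}` whenever `persistence.enabled` is true, so a gateway release with persistence on and no `existingClaim` references a claim nothing in this diff creates and its pod stays Pending — unless another template provides it, the outer guard should be `{{- if or (eq .Values.mode "standalone") (eq .Values.mode "gateway") }}` or the gateway template should require `existingClaim`. `persistence.VolumeName` is also the only capitalised values key in these templates (`persistence.accessMode` and `persistence.storageClass` are camelCase); keeping it for compatibility is fine but deserves a comment.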
@@ -0,0 +1,27 @@
+{{- if not .Values.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "minio.secretName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+type: Opaque
+data:
+ rootUser: {{ if .Values.rootUser }}{{ .Values.rootUser | toString | b64enc | quote }}{{ else }}{{ randAlphaNum 20 | b64enc | quote }}{{ end }}
+ rootPassword: {{ if .Values.rootPassword }}{{ .Values.rootPassword | toString | b64enc | quote }}{{ else }}{{ randAlphaNum 40 | b64enc | quote }}{{ end }}
+ {{- if eq .Values.gateway.type "gcs" }}
+ {{- if .Values.gateway.gcs.serviceAccountFile }}
+ service-account-file.json: {{ .Values.gateway.gcs.serviceAccountFile | b64enc }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.etcd.clientCert }}
+ etcd_client.crt: {{ .Values.etcd.clientCert | toString | b64enc | quote }}
+ {{- end }}
+ {{- if .Values.etcd.clientCertKey }}
+ etcd_client.key: {{ .Values.etcd.clientCertKey | toString | b64enc | quote }}
+ {{- end }}
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/securitycontextconstraints.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/securitycontextconstraints.yaml
new file mode 100644
index 00000000000..4bac7e3728f
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/securitycontextconstraints.yaml
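Review bot: `rootUser` and `rootPassword` fall back to `randAlphaNum` on every render, so each `helm upgrade` without explicit values writes a fresh pair into the Secret; the `checksum/secrets` pod annotation in the Deployment and StatefulSet hunks then restarts MinIO with the new credentials while anything still holding the previous ones (hook jobs created earlier, external clients) is locked out. The usual fix is to read the existing object first, e.g. `{{- $existing := lookup "v1" "Secret" .Release.Namespace (include "minio.secretName" .) }}` and reuse `$existing.data.rootPassword` when present, falling back to `randAlphaNum` only on first install. Separately, the keys emitted here are `etcd_client.crt` and `etcd_client.key`, which match the gateway Deployment's `/tmp/credentials/etcd_client.crt` paths but not the `/tmp/credentials/etcd_client_cert.pem` and `etcd_client_cert_key.pem` paths in the Deployment hunk that ends at the top of this chunk, so etcd mTLS in that mode would point at files this Secret never provides. `service-account-file.json` is also the one entry without `| quote`, unlike its siblings.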
@@ -0,0 +1,45 @@
+{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: {{ template "minio.fullname" . }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: []
+readOnlyRootFilesystem: false
+defaultAddCapabilities: []
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - max: {{ .Values.securityContext.fsGroup }}
+ min: {{ .Values.securityContext.fsGroup }}
+runAsUser:
+ type: MustRunAs
+ uid: {{ .Values.securityContext.runAsUser }}
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/service.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/service.yaml
new file mode 100644
index 00000000000..64aa990bd34
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/service.yaml
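Review bot: The SecurityContextConstraints has no `users:` or `groups:` list, and nothing in this diff grants the `use` verb on it through RBAC, so as written it is never attached to the MinIO service account and the pod is still admitted under whatever SCC the namespace already allows; adding `users:` with `- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount.name }}` (guarded by `serviceAccount.create`) would bind it — unless the binding lives in a template outside this chunk. `allowPrivilegeEscalation: true` is also broader than the workload needs given nothing here requests setuid behaviour and `KILL`, `MKNOD`, `SETUID`, `SETGID` are already dropped; `false` is the tighter default. The object is cluster-scoped, so omitting `namespace` under `metadata` is correct, but `name: {{ template "minio.fullname" . }}` collides if the same release name is installed in two namespaces.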
@@ -0,0 +1,49 @@
+{{ $scheme := "http" }}
+{{- if .Values.tls.enabled }}
+{{ $scheme = "https" }}
+{{ end }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "minio.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ monitoring: "true"
+{{- if .Values.service.annotations }}
+ annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+{{- if (or (eq .Values.service.type "ClusterIP" "") (empty .Values.service.type)) }}
+ type: ClusterIP
+ {{- if not (empty .Values.service.clusterIP) }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{end}}
+{{- else if eq .Values.service.type "LoadBalancer" }}
+ type: {{ .Values.service.type }}
+ loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}
+{{- else }}
+ type: {{ .Values.service.type }}
+{{- end }}
+ ports:
+ - name: {{ $scheme }}
+ port: {{ .Values.service.port }}
+ protocol: TCP
+{{- if (and (eq .Values.service.type "NodePort") ( .Values.service.nodePort)) }}
+ nodePort: {{ .Values.service.nodePort }}
+{{- else }}
+ targetPort: 9000
+{{- end}}
+{{- if .Values.service.externalIPs }}
+ externalIPs:
+{{- range $i , $ip := .Values.service.externalIPs }}
+ - {{ $ip }}
+{{- end }}
+{{- end }}
+ selector:
+ app: {{ template "minio.name" . }}
+ release: {{ .Release.Name }}
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/serviceaccount.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/serviceaccount.yaml
new file mode 100644
index 00000000000..6a4bd94b3dc
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name | quote }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end -}}
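Review bot: `targetPort: 9000` is hard-coded, while the gateway Deployment earlier in this diff exposes `containerPort: {{ .Values.minioAPIPort }}` and starts the server with `--address :{{ .Values.minioAPIPort }}`, so changing that value leaves the Service pointing at a port nothing listens on; in the `NodePort` branch `targetPort` is omitted altogether and defaults to `service.port`, which breaks as soon as `service.port` differs from the API port. Emit `targetPort: {{ .Values.minioAPIPort }}` unconditionally and keep only `nodePort: {{ .Values.service.nodePort }}` inside the conditional. `loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}` renders an empty scalar when unset, which the API accepts, but `| quote` would make the intent explicit.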
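Review bot: The ServiceAccount is created without `automountServiceAccountToken: false`, and no template in this chunk makes MinIO talk to the Kubernetes API, so every MinIO pod carries an API token it never uses; adding `automountServiceAccountToken: false` as a top-level field next to `metadata` keeps the token out of the container unless a later need is confirmed. `{{- end -}}` also trims the trailing newline, so the rendered document ends without one — harmless for Helm but flagged by some YAML linters.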
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/servicemonitor.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/servicemonitor.yaml
new file mode 100644
index 00000000000..809848f1674
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/servicemonitor.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "minio.fullname" . }}
+ {{- if .Values.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+ {{ else }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- end }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.metrics.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ {{- if .Values.tls.enabled }}
+ - port: https
+ scheme: https
+ {{ else }}
+ - port: http
+ scheme: http
+ {{- end }}
+ path: /minio/v2/metrics/cluster
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelConfigs }}
+{{ toYaml .Values.metrics.serviceMonitor.relabelConfigs | indent 6 }}
+ {{- end }}
+ {{- if not .Values.metrics.serviceMonitor.public }}
+ bearerTokenSecret:
+ name: {{ template "minio.fullname" . }}-prometheus
+ key: token
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace | quote }}
+ selector:
+ matchLabels:
+ app: {{ include "minio.name" . }}
+ release: {{ .Release.Name }}
+ monitoring: "true"
+{{- end }}
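Review bot: With `tls.enabled` the endpoint is emitted as `scheme: https` with no `tlsConfig`, so Prometheus validates the MinIO certificate against its system roots and the scrape fails for the self-signed or private-CA case; exposing a `metrics.serviceMonitor.tlsConfig` value and rendering it under the endpoint (prefer a `ca` reference over `insecureSkipVerify`) would make the secured path usable. `bearerTokenSecret` points at `{{ template "minio.fullname" . }}-prometheus` key `token`, which no hunk in this chunk creates — presumably another template does, but a comment naming it would help the reader. The `{{ else }}` in the endpoints block lacks the `-` used elsewhere and leaves a blank line between `- port:` and `scheme:` in the rendered output.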
diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/statefulset.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/statefulset.yaml new file mode 100644 index 00000000000..d023715cf1e --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/templates/statefulset.yaml 
@@ -0,0 +1,208 @@ +{{- if eq .Values.mode "distributed" }} +{{ $poolCount := .Values.pools | int }} +{{ $nodeCount := .Values.replicas | int }} +{{ $drivesPerNode := .Values.drivesPerNode | int }} +{{ $scheme := "http" }} +{{- if .Values.tls.enabled }} +{{ $scheme = "https" }} +{{ end }} +{{ $mountPath := .Values.mountPath }} +{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} +{{ $subPath := .Values.persistence.subPath }} +{{ $penabled := .Values.persistence.enabled }} +{{ $accessMode := .Values.persistence.accessMode }} +{{ $storageClass := .Values.persistence.storageClass }} +{{ $psize := .Values.persistence.size }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "minio.fullname" . }}-svc + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + publishNotReadyAddresses: true + clusterIP: None + ports: + - name: {{ $scheme }} + port: {{ .Values.service.port }} + protocol: TCP + selector: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} +--- +apiVersion: {{ template "minio.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }} + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | trimSuffix "\n" | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | trimSuffix "\n" | indent 4 }} +{{- end }} +spec: + updateStrategy: + type: {{ .Values.StatefulSetUpdate.updateStrategy }} + podManagementPolicy: "Parallel" + serviceName: {{ template "minio.fullname" . 
}}-svc + replicas: {{ mul $poolCount $nodeCount }} + selector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + template: + metadata: + name: {{ template "minio.fullname" . }} + labels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if not .Values.ignoreChartChecksums }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }} +{{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} +{{- if and .Values.securityContext.enabled .Values.persistence.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- end }} +{{- end }} +{{ if .Values.serviceAccount.create }} + serviceAccountName: {{ .Values.serviceAccount.name }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ default .Values.image.registry (include "registry-url" .) 
}}{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + + command: [ "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server {{- range $i := until $poolCount }}{{ $factor := mul $i $nodeCount }}{{ $endIndex := add $factor $nodeCount }}{{ $beginIndex := mul $i $nodeCount }} {{ $scheme }}://{{ template `minio.fullname` $ }}-{{ `{` }}{{ $beginIndex }}...{{ sub $endIndex 1 }}{{ `}`}}.{{ template `minio.fullname` $ }}-svc.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}{{if (gt $drivesPerNode 1)}}{{ $bucketRoot }}-{{ `{` }}0...{{ sub $drivesPerNode 1 }}{{ `}` }}{{else}}{{ $bucketRoot }}{{end}}{{- end}} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template `minio.extraArgs` . }}" ] + volumeMounts: + {{- if $penabled }} + {{- if (gt $drivesPerNode 1) }} + {{- range $i := until $drivesPerNode }} + - name: export-{{ $i }} + mountPath: {{ $mountPath }}-{{ $i }} + {{- if and $penabled $subPath }} + subPath: {{ $subPath }} + {{- end }} + {{- end }} + {{- else }} + - name: export + mountPath: {{ $mountPath }} + {{- if and $penabled $subPath }} + subPath: {{ $subPath }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.extraSecret }} + - name: extra-secret + mountPath: "/tmp/minio-config-env" + {{- end }} + {{- include "minio.tlsKeysVolumeMount" . | indent 12 }} + ports: + - name: {{ $scheme }} + containerPort: {{ .Values.minioAPIPort }} + - name: {{ $scheme }}-console + containerPort: {{ .Values.minioConsolePort }} + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . }} + key: rootUser + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "minio.secretName" . 
}} + key: rootPassword + {{- if .Values.extraSecret }} + - name: MINIO_CONFIG_ENV_FILE + value: "/tmp/minio-config-env/config.env" + {{- end}} + {{- if .Values.metrics.serviceMonitor.public }} + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: "public" + {{- end}} + {{- range $key, $val := .Values.environment }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end}} + resources: +{{ toYaml .Values.resources | indent 12 }} + nodeSelector: + {{- include "linux-node-selector" . | nindent 8 -}} +{{- include "minio.imagePullSecrets" . | indent 6 }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- include "linux-node-tolerations" . | nindent 8 -}} + {{- with .Values.tolerations }} + {{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: minio-user + secret: + secretName: {{ template "minio.secretName" . }} + {{- if .Values.extraSecret }} + - name: extra-secret + secret: + secretName: {{ .Values.extraSecret }} + {{- end }} + {{- include "minio.tlsKeysVolume" . | indent 8 }} +{{- if .Values.persistence.enabled }} + volumeClaimTemplates: + {{- if gt $drivesPerNode 1 }} + {{- range $diskId := until $drivesPerNode}} + - metadata: + name: export-{{ $diskId }} + spec: + accessModes: [ {{ $accessMode | quote }} ] + {{- if $storageClass }} + storageClassName: {{ $storageClass }} + {{- end }} + resources: + requests: + storage: {{ $psize }} + {{- end }} + {{- else }} + - metadata: + name: export + spec: + accessModes: [ {{ $accessMode | quote }} ] + {{- if $storageClass }} + storageClassName: {{ $storageClass }} + {{- end }} + resources: + requests: + storage: {{ $psize }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/epinio/100.0.0+up0.9.1/charts/minio/values.yaml b/charts/epinio/100.0.0+up0.9.1/charts/minio/values.yaml new file mode 100644 index 00000000000..c0b2994b386 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/charts/minio/values.yaml 
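Review bot: The `MINIO_PROMETHEUS_AUTH_TYPE: "public"` env entry in the minio container is gated only on `.Values.metrics.serviceMonitor.public`, which values.yaml (the next file in this change) defaults to `true`, so the `/minio/v2/metrics/cluster` endpoint on the API port is served without authentication even when `metrics.serviceMonitor.enabled` is false and no scraper is configured. Gate it on both, `{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.serviceMonitor.public }}`, or default `public` to false in values.yaml. Separately, `serviceAccountName` is only emitted under `{{ if .Values.serviceAccount.create }}`, so a pre-existing account given in `serviceAccount.name` with `create: false` is silently ignored, contrary to the values.yaml comment; `{{- if .Values.serviceAccount.name }}` (which also trims the stray blank line) matches the documented behaviour. The minio container carries no container-level `securityContext`, and the pod-level one is only rendered when persistence is enabled, whereas the nginx container in container-registry.yaml sets `runAsNonRoot: true` and `allowPrivilegeEscalation: false`; at least the latter two belong on the minio container as well.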
@@ -0,0 +1,449 @@ +## Provide a name in place of minio for `app:` labels +## +nameOverride: "" + +## Provide a name to substitute for the full names of resources +## +fullnameOverride: "" + +## set kubernetes cluster domain where minio is running +## +clusterDomain: cluster.local + +## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the +## +image: + repository: rancher/mirrored-minio-minio + tag: RELEASE.2022-03-24T00-43-44Z + pullPolicy: IfNotPresent + +imagePullSecrets: [] +# - name: "image-pull-secret" + +## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio +## client used to create a default bucket). +## +mcImage: + repository: rancher/mirrored-minio-mc + tag: RELEASE.2022-03-17T20-25-06Z + pullPolicy: IfNotPresent + +## minio mode, i.e. standalone or distributed or gateway. +mode: distributed ## other supported values are "standalone", "gateway" + +## Additional labels to include with deployment or statefulset +additionalLabels: [] + +## Additional annotations to include with deployment or statefulset +additionalAnnotations: [] + +## Typically the deployment/statefulset includes checksums of secrets/config, +## So that when these change on a subsequent helm install, the deployment/statefulset +## is restarted. This can result in unnecessary restarts under GitOps tooling such as +## flux, so set to "true" to disable this behaviour. 
+ignoreChartChecksums: false + +## Additional arguments to pass to minio binary +extraArgs: [] + +## Port number for MinIO S3 API Access +minioAPIPort: "9000" + +## Port number for MinIO Browser COnsole Access +minioConsolePort: "9001" + +## Update strategy for Deployments +DeploymentUpdate: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 100% + +## Update strategy for StatefulSets +StatefulSetUpdate: + updateStrategy: RollingUpdate + +## Pod priority settings +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" + +## Set default rootUser, rootPassword +## AccessKey and secretKey is generated when not set +## Distributed MinIO ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide +## +rootUser: "" +rootPassword: "" + +## Use existing Secret that store following variables: +## +## | Chart var | .data. in Secret | +## |:----------------------|:-------------------------| +## | rootUser | rootUser | +## | rootPassword | rootPassword | +## +## All mentioned variables will be ignored in values file. +## .data.rootUser and .data.rootPassword are mandatory, +## others depend on enabled status of corresponding sections. +existingSecret: "" + +## Directory on the MinIO pof +certsPath: "/etc/minio/certs/" +configPathmc: "/etc/minio/mc/" + +## Path where PV would be mounted on the MinIO Pod +mountPath: "/export" +## Override the root directory which the minio server should serve from. +## If left empty, it defaults to the value of {{ .Values.mountPath }} +## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }} +## +bucketRoot: "" + +# Number of drives attached to a node +drivesPerNode: 1 +# Number of MinIO containers running +replicas: 16 +# Number of expanded MinIO clusters +pools: 1 + +# Deploy if 'mode == gateway' - 4 replicas. +gateway: + type: "nas" # currently only "nas,gcs" are supported. 
+ replicas: 4 + gcs: + serviceAccountFile: "" # credential JSON file of service account key (not required if using existing secret) + projectId: "" # Google cloud project id required + +## TLS Settings for MinIO +tls: + enabled: false + ## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret + certSecret: "" + publicCrt: public.crt + privateKey: private.key + +## Trusted Certificates Settings for MinIO. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas +## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret +## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt. +## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret. +trustedCertsSecret: "" + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + enabled: true + annotations: {} + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## minio data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + ## Storage class of PV to bind. By default it looks for standard storage class. + ## If the PV uses a different storage class, specify that here. 
+ storageClass: "" + VolumeName: "" + accessMode: ReadWriteOnce + size: 500Gi + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + ## + subPath: "" + +## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. +## ref: http://kubernetes.io/docs/user-guide/services/ +## +service: + type: ClusterIP + clusterIP: ~ + ## Make sure to match it to minioAPIPort + port: "9000" + nodePort: 32000 + +## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## + +ingress: + enabled: false + # ingressClassName: "" + labels: {} + # node-role.kubernetes.io/ingress: platform + + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.allow-http: "false" + # kubernetes.io/ingress.global-static-ip-name: "" + # nginx.ingress.kubernetes.io/secure-backends: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0 + path: / + hosts: + - minio-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +consoleService: + type: ClusterIP + clusterIP: ~ + ## Make sure to match it to minioConsolePort + port: "9001" + nodePort: 32001 + +consoleIngress: + enabled: false + # ingressClassName: "" + labels: {} + # node-role.kubernetes.io/ingress: platform + + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.allow-http: "false" + # kubernetes.io/ingress.global-static-ip-name: "" + # nginx.ingress.kubernetes.io/secure-backends: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # 
nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0 + path: / + hosts: + - console.minio-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +tolerations: [] +affinity: {} + +## Add stateful containers to have security context, if enabled MinIO will run as this +## user and group NOTE: securityContext is only enabled if persistence.enabled=true +securityContext: + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + +# Additational pod annotations +podAnnotations: {} + +# Additional pod labels +podLabels: {} + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 16Gi + +## List of policies to be created after minio install +## +## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics] +## you can define additional policies with custom supported actions and resources +policies: [] +## writeexamplepolicy policy grants creation or deletion of buckets with name +## starting with example. In addition, grants objects write permissions on buckets starting with +## example. +# - name: writeexamplepolicy +# statements: +# - resources: +# - 'arn:aws:s3:::example*/*' +# actions: +# - "s3:AbortMultipartUpload" +# - "s3:GetObject" +# - "s3:DeleteObject" +# - "s3:PutObject" +# - "s3:ListMultipartUploadParts" +# - resources: +# - 'arn:aws:s3:::example*' +# actions: +# - "s3:CreateBucket" +# - "s3:DeleteBucket" +# - "s3:GetBucketLocation" +# - "s3:ListBucket" +# - "s3:ListBucketMultipartUploads" +## readonlyexamplepolicy policy grants access to buckets with name starting with example. +## In addition, grants objects read permissions on buckets starting with example. 
+# - name: readonlyexamplepolicy +# statements: +# - resources: +# - 'arn:aws:s3:::example*/*' +# actions: +# - "s3:GetObject" +# - resources: +# - 'arn:aws:s3:::example*' +# actions: +# - "s3:GetBucketLocation" +# - "s3:ListBucket" +# - "s3:ListBucketMultipartUploads" +## Additional Annotations for the Kubernetes Job makePolicyJob +makePolicyJob: + podAnnotations: + annotations: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + resources: + requests: + memory: 128Mi + nodeSelector: {} + tolerations: [] + affinity: {} + +## List of users to be created after minio install +## +users: + ## Username, password and policy to be assigned to the user + ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics] + ## Add new policies as explained here https://docs.min.io/docs/minio-multi-user-quickstart-guide.html + ## NOTE: this will fail if LDAP is enabled in your MinIO deployment + ## make sure to disable this if you are using LDAP. 
+ - accessKey: console + secretKey: console123 + policy: consoleAdmin + # Or you can refer to specific secret + #- accessKey: externalSecret + # existingSecret: my-secret + # existingSecretKey: password + # policy: readonly + + +## Additional Annotations for the Kubernetes Job makeUserJob +makeUserJob: + podAnnotations: + annotations: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + resources: + requests: + memory: 128Mi + nodeSelector: {} + tolerations: [] + affinity: {} + +## List of buckets to be created after minio install +## +buckets: + # # Name of the bucket + # - name: bucket1 + # # Policy to be set on the + # # bucket [none|download|upload|public] + # policy: none + # # Purge if bucket exists already + # purge: false + # # set versioning for + # # bucket [true|false] + # versioning: false + # - name: bucket2 + # policy: none + # purge: false + # versioning: true + +## Additional Annotations for the Kubernetes Job makeBucketJob +makeBucketJob: + podAnnotations: + annotations: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + resources: + requests: + memory: 128Mi + nodeSelector: {} + tolerations: [] + affinity: {} + +## List of command to run after minio install +## NOTE: the mc command TARGET is always "myminio" +customCommands: + # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" + +## Additional Annotations for the Kubernetes Job customCommandJob +customCommandJob: + podAnnotations: + annotations: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + resources: + requests: + memory: 128Mi + nodeSelector: {} + tolerations: [] + affinity: {} + +## Use this field to add environment variables relevant to MinIO server. 
These fields will be passed on to MinIO container(s) +## when Chart is deployed +environment: + ## Please refer for comprehensive list https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html + ## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io" + ## MINIO_BROWSER: "off" + +## The name of a secret in the same kubernetes namespace which contain secret values +## This can be useful for LDAP password, etc +## The key in the secret must be 'config.env' +## +# extraSecret: minio-extraenv + +networkPolicy: + enabled: false + allowExternal: true + +## PodDisruptionBudget settings +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## +podDisruptionBudget: + enabled: false + maxUnavailable: 1 + +## Specify the service account to use for the MinIO pods. If 'create' is set to 'false' +## and 'name' is left unspecified, the account 'default' will be used. +serviceAccount: + create: true + ## The name of the service account to use. If 'create' is 'true', a service account with that name + ## will be created. + name: "minio-sa" + +metrics: + serviceMonitor: + enabled: false + public: true + additionalLabels: {} + relabelConfigs: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + +## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md +## Define endpoints to enable this section. +etcd: + endpoints: [] + pathPrefix: "" + corednsPathPrefix: "" + clientCert: "" + clientCertKey: "" diff --git a/charts/epinio/100.0.0+up0.9.1/questions.yml b/charts/epinio/100.0.0+up0.9.1/questions.yml new file mode 100644 index 00000000000..db1ebf2d6ab --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/questions.yml 
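Review bot: `users` ships an active default entry `accessKey: console` / `secretKey: console123` with `policy: consoleAdmin`, so unless the parent chart's values.yaml (not in this view) overrides `minio.users`, makeUserJob creates a well-known admin-level credential on every install. Default it to `users: []` and leave the example, including the `existingSecret`/`existingSecretKey` form already shown in the comment below it, commented out. `additionalLabels: []` and `additionalAnnotations: []` are declared as lists, but statefulset.yaml renders them with `toYaml ... | indent 4` directly under `labels:`/`annotations:`, which need maps; `additionalLabels: {}` and `additionalAnnotations: {}` match `podLabels`/`podAnnotations` and avoid an invalid manifest when a user fills them in following the documented type. The inline comment on `mode: distributed ## other supported values ...` uses a single space before `##`, unlike the rest of the file; two spaces before the `#` is the yamllint convention.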
@@ -0,0 +1,160 @@ +questions: +- variable: email + label: Email + description: "Email to use for getting notifications about your certificates" + type: strings + required: false + group: "General settings" +- variable: certManagerNamespace + label: Cert-manager namespace + description: "Namespace where cert-manager is installed in" + type: strings + required: false + group: "Advanced settings" +- variable: ingress.ingressClassName + label: Ingress class name for the server + description: "Set a class name to select the ingress controller you want to use for the server" + type: strings + group: "Advanced settings" +- variable: server.ingressClassName + label: Ingress class name for apps + description: "Set a class name to select the ingress controller you want to use for your apps" + type: strings + group: "Advanced settings" +- variable: serviceCatalog.enableDevServices + label: Enable catalog services for development + default: "true" + description: "Enables services in the Epinio service catalog, meant to be used in development (because they are running in-cluster)" + type: boolean + group: "Advanced settings" +- variable: useCustomTlsIssuer + label: Use your own TLS issuer + default: "false" + description: "Use your own TLS issuer" + type: boolean + group: "General settings" + show_subquestion_if: true + subquestions: + - variable: customTlsIssuer + label: TLS issuer + description: "Name of the cluster issuer to use" + type: strings + required: false +- variable: global.tlsIssuer + show_if: "useCustomTlsIssuer=false" + label: TLS issuer + description: "Name of the predefined cluster issuer to use" + type: enum + required: false + group: "General settings" + options: + - "epinio-ca" + - "selfsigned-issuer" + - "letsencrypt-production" +- variable: api.username + label: API username + description: "The user name for authenticating all API requests" + type: strings + required: false + group: "General settings" +- variable: api.password + label: API password + 
description: "The password for authenticating all API requests" + type: password + required: false + group: "General settings" +- variable: global.domain + label: Domain + description: "Domain for the application" + type: strings + required: true + group: "General settings" +- variable: server.accessControlAllowOrigin + label: Access control allow origin + description: "Domain which serves the Rancher UI (to access the API)" + type: strings + required: false + group: "General settings" +- variable: kubed.enabled + label: Install kubed + description: "Deploy kubed or skip it if you get it installed already" + type: boolean + group: "Advanced settings" +- variable: containerregistry.enabled + description: "Disable local container registry to configure an external registry." + label: Install local container registry + type: boolean + show_subquestion_if: false + group: "External registry" + subquestions: + - variable: global.registryURL + label: External registry url + description: "URL of your external registry" + type: strings + required: false + - variable: global.registryUsername + label: External registry username + description: "Username to authenticate to the external registry" + type: strings + required: false + - variable: global.registryPassword + label: External registry password + description: "Password to authenticate to the external registry" + type: password + required: false + - variable: global.registryNamespace + label: External registry namespace + description: "The organization part of the registry path for an external registry where you have push access" + type: strings + required: false +- variable: minio.enabled + label: Install Minio + description: "Disable Minio to configure an external s3 storage." 
+ type: boolean + show_subquestion_if: false + group: "External S3 storage" + subquestions: + - variable: s3.endpoint + label: S3 endpoint + description: "Endpoint of your S3 storage" + type: strings + required: false + - variable: s3.accessKeyID + label: S3 access key id + description: "Access key id to authenticate to your S3 storage" + type: strings + required: false + - variable: s3.secretAccessKey + label: S3 access key secret + description: "Secret access key to authenticate to your S3 storage" + type: password + required: false + - variable: s3.bucket + label: S3 bucket + description: "Bucket of your S3 storage" + type: strings + required: false + - variable: s3.region + label: S3 region + description: "Region of your S3 storage" + type: strings + required: false + - variable: s3.useSSL + label: S3 use SSL + type: boolean + required: false + - variable: s3.certificateSecret + label: Self signed certificate for S3 + description: Set it to an existing secret if s3 is using a self signed certificate + type: strings + required: false +- variable: server.traceLevel + label: Epinio API Log Level + required: false + type: strings + group: "Debugging" +- variable: server.timeoutMultiplier + label: Timeout Multiplier + required: false + type: strings + group: "Debugging" diff --git a/charts/epinio/100.0.0+up0.9.1/templates/NOTES.txt b/charts/epinio/100.0.0+up0.9.1/templates/NOTES.txt new file mode 100644 index 00000000000..b27439890f7 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/templates/NOTES.txt @@ -0,0 +1,9 @@ +To interract with your Epinio installation download the latest epinio binary from https://github.com/epinio/epinio/releases/latest. + +Update the api location and credentials with: + + `epinio settings update` + +or go to the dashboard at: https://epinio.{{ .Values.global.domain }} + +For more information about Epinio, feel free to checkout https://epinio.io/ and https://docs.epinio.io/. 
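Review bot: The `useCustomTlsIssuer` subquestion stores its answer in the top-level variable `customTlsIssuer`, but certificate.yaml reads `.Values.global.customTlsIssuer` (`default .Values.global.tlsIssuer .Values.global.customTlsIssuer`), so unless the chart's values.yaml, not in this view, maps one onto the other, the issuer the user types is never used and the certificate silently falls back to `global.tlsIssuer`. Change the subquestion to `- variable: global.customTlsIssuer`. `s3.useSSL` is the only S3 subquestion without a `description`; `description: "Use TLS when connecting to the S3 endpoint"` keeps the group consistent and makes the security-relevant default visible in the UI. The `customTlsIssuer` description says "cluster issuer", which matches the `kind: ClusterIssuer` in certificate.yaml; worth keeping that wording so users do not create a namespaced Issuer.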
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/_helpers.tpl b/charts/epinio/100.0.0+up0.9.1/templates/_helpers.tpl
new file mode 100644
index 00000000000..69d517dcb10
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/_helpers.tpl
@@ -0,0 +1,56 @@
+{{/*
+URL prefix for container images to be compatible with Rancher
+*/}}
+{{- define "registry-url" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
+{{- end -}}
+{{- end -}}
+
+{{/*
+URL of the registry epinio uses to store workload images
+*/}}
+{{- define "epinio.registry-url" -}}
+{{- if .Values.containerregistry.enabled -}}
+{{- printf "registry.%s.svc.cluster.local:5000" .Release.Namespace }}
+{{- else -}}
+{{- print .Values.global.registryURL }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+URL of the minio epinio installed
+*/}}
+{{- define "epinio.minio-url" -}}
+{{- if .Values.minio.enabled -}}
+{{- printf "%s.%s.svc.cluster.local:9000" .Values.minio.fullnameOverride .Release.Namespace }}
+{{- else -}}
+{{- print .Values.s3.endpoint }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Host name of the minio epinio installed
+*/}}
+{{- define "epinio.minio-hostname" -}}
+{{- printf "%s.%s.svc.cluster.local" .Values.minio.fullnameOverride .Release.Namespace }}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes, add below linux tolerations to
+workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: linux
+{{- else -}}
+kubernetes.io/os: linux
+{{- end -}}
+{{- end -}}
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/certificate.yaml b/charts/epinio/100.0.0+up0.9.1/templates/certificate.yaml
new file mode 100644
index 00000000000..02564153314
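Review bot: `epinio.registry-url`, `epinio.minio-url` and `epinio.minio-hostname` hard-code the `svc.cluster.local` suffix, while the bundled minio subchart parameterizes the same suffix as `clusterDomain`; on a cluster with a non-default DNS domain the registry and S3 endpoints these helpers produce do not resolve, and the minio certificate's `dnsNames` (built from `epinio.minio-hostname` in certificate.yaml) would not match the service name either. A chart value such as `global.clusterDomain` defaulting to `cluster.local`, used as `printf "%s.%s.svc.%s" .Values.minio.fullnameOverride .Release.Namespace .Values.global.clusterDomain` in the three helpers, would close that gap (Helm only exposes subchart values the parent sets, so reusing `.Values.minio.clusterDomain` would also require setting it in the parent values.yaml). `epinio.minio-url` and `epinio.minio-hostname` produce a hostname beginning with `.` when `minio.fullnameOverride` is empty; `required "minio.fullnameOverride must be set" .Values.minio.fullnameOverride` fails at render time instead of producing an unresolvable endpoint.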
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/certificate.yaml
@@ -0,0 +1,50 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: epinio
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - epinio.{{ .Values.global.domain }}
+ issuerRef:
+ kind: ClusterIssuer
+ name: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
+ secretName: epinio-tls
+
+{{- if .Values.minio.enabled }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: minio-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - {{ include "epinio.minio-hostname" . }}
+ issuerRef:
+ kind: ClusterIssuer
+ # We always trust the CA for minio so we can always use selfsigned certs
+ # Because Letsencrypt doesn't create certs for non public domains
+ name: epinio-ca
+ secretName: minio-tls
+ secretTemplate:
+ annotations:
+ kubed.appscode.com/sync: "kubed-s3-tls-from={{ .Release.Namespace }}"
+{{- end }}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: epinio-ca
+ namespace: {{ .Values.certManagerNamespace }}
+spec:
+ commonName: epinio-ca
+ isCA: true
+ issuerRef:
+ kind: ClusterIssuer
+ name: selfsigned-issuer
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ secretName: epinio-ca-root
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/cluster-issuers.yaml b/charts/epinio/100.0.0+up0.9.1/templates/cluster-issuers.yaml
new file mode 100644
index 00000000000..319f81b537f
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/cluster-issuers.yaml
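Review bot: The `kubed.appscode.com/sync` annotation in the `minio-cert` `secretTemplate` replicates the whole `minio-tls` secret, private key included, into every namespace labelled `kubed-s3-tls-from=<release namespace>`, whereas a client that only needs to trust the MinIO endpoint needs `ca.crt` alone; if the consumers are the application or staging namespaces, sync a CA-only secret instead of the server key pair and add a comment stating which namespaces are expected to carry the label. The `epinio-ca` Certificate is placed in `{{ .Values.certManagerNamespace }}`, which questions.yml marks `required: false`; the `epinio-ca` ClusterIssuer in cluster-issuers.yaml resolves `epinio-ca-root` from cert-manager's cluster-resource namespace, so an empty value renders a bare `namespace:` and the issuer cannot find its CA secret. Unless values.yaml (not in this view) supplies a default, `namespace: {{ required "certManagerNamespace must be set to the namespace cert-manager runs in" .Values.certManagerNamespace }}` turns that into a render-time error. `namespace: {{ .Release.Namespace }}` is rendered unquoted here while the minio templates use `| quote`; consistent quoting avoids surprises with unusual namespace names.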
@@ -0,0 +1,44 @@
+---
+# Self-signed issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+
+---
+# Let's encrypt production issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ email: {{ .Values.email }}
+ preferredChain: ""
+ privateKeySecretRef:
+ name: letsencrypt-production
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - http01:
+ ingress:
+ {{- if .Values.ingress.ingressClassName }}
+ class: "{{ .Values.ingress.ingressClassName }}"
+ {{- end }}
+ ingressTemplate:
+ metadata:
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+
+---
+# Private CA (epinio-ca) issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: epinio-ca
+spec:
+ ca:
+ secretName: epinio-ca-root
+
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/container-registry.yaml b/charts/epinio/100.0.0+up0.9.1/templates/container-registry.yaml
new file mode 100644
index 00000000000..c1099284bf3
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/container-registry.yaml
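Review bot: `email: {{ .Values.email }}` in the `letsencrypt-production` issuer is rendered unquoted, and questions.yml marks `email` as not required, so an empty answer yields `email:` with a null value and the ACME account is registered with no contact for expiry or incident notices. `email: {{ .Values.email | quote }}` protects the scalar, and wrapping this document in `{{- if .Values.email }}` (or using `required`) avoids creating a production ACME issuer that nobody is reachable for. The http01 solver's `ingressTemplate` hard-codes Traefik annotations (`router.entrypoints: websecure`, `router.tls: "true"`) regardless of which controller `ingress.ingressClassName` selects; other controllers ignore them, but a comment explaining why the challenge ingress is pinned to the `websecure` entrypoint would help, since HTTP-01 validation starts on plain HTTP and the assumption is Traefik-specific. The three issuers are created unconditionally even though `global.tlsIssuer` lets the user pick one; that is fine, but worth a file-level comment so reviewers do not read the unused issuers as dead configuration.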
@@ -0,0 +1,191 @@
+{{- if .Values.containerregistry.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: auth
+ namespace: {{ .Release.Namespace }}
+stringData:
+ # The only supported password format is bcrypt
+ htpasswd: {{ htpasswd .Values.global.registryUsername .Values.global.registryPassword | quote }}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: epinio-registry
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - registry.{{ .Release.Namespace }}.svc.cluster.local
+ ipAddresses:
+ - 127.0.0.1
+ issuerRef:
+ kind: ClusterIssuer
+ name: epinio-ca
+ secretName: epinio-registry-tls
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: "epinio-registry"
+ app.kubernetes.io/instance: "epinio-registry"
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: "epinio-registry"
+ app.kubernetes.io/instance: "epinio-registry"
+ ports:
+ - name: registry
+ port: 5000
+ targetPort: 5000
+
+{{ if .Values.containerregistry.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry-node
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: "epinio-registry"
+ app.kubernetes.io/instance: "epinio-registry"
+spec:
+ type: NodePort
+ selector:
+ app.kubernetes.io/name: "epinio-registry"
+ app.kubernetes.io/instance: "epinio-registry"
+ ports:
+ - name: registry-sidecar
+ port: 30500
+ targetPort: 30500
+ nodePort: 30500
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-conf
+ namespace: {{ .Release.Namespace }}
+data:
+ nginx.conf: |
+ server {
+ listen 30500 default_server;
+ server_name 127.0.0.1;
+
+ location / {
+ proxy_pass https://localhost:5000/;
+ }
+ }
+{{- end }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: "epinio-registry"
+ app.kubernetes.io/instance: "epinio-registry"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: "epinio-registry"
+ app.kubernetes.io/instance: "epinio-registry"
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: "epinio-registry"
+ app.kubernetes.io/instance: "epinio-registry"
+ spec:
+ containers:
+{{ if .Values.containerregistry.enabled }}
+ - name: nginx
+ image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.nginx.repository}}:{{ .Values.containerregistry.image.nginx.tag }}"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ livenessProbe:
+ tcpSocket:
+ port: 5000
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ tcpSocket:
+ port: 5000
+ volumeMounts:
+ - mountPath: /etc/nginx/conf.d
+ name: nginx-conf
+ - mountPath: /var/cache/nginx/
+ name: nginx-run
+ - mountPath: /var/run/
+ name: nginx-run
+{{- end }}
+ - name: registry
+ image: "{{ template "registry-url" . 
}}{{ .Values.containerregistry.image.registry.repository}}:{{ .Values.containerregistry.image.registry.tag }}"
+ imagePullPolicy: {{ .Values.containerregistry.imagePullPolicy }}
+ env:
+ - name: REGISTRY_AUTH
+ value: htpasswd
+ - name: REGISTRY_AUTH_HTPASSWD_REALM
+ value: Registry Realm
+ - name: REGISTRY_AUTH_HTPASSWD_PATH
+ value: /etc/registry/auth/htpasswd
+ - name: REGISTRY_HTTP_TLS_CERTIFICATE
+ value: "/certs/tls.crt"
+ - name: REGISTRY_HTTP_TLS_KEY
+ value: "/certs/tls.key"
+ volumeMounts:
+ - name: registry
+ mountPath: /var/lib/registry
+ readOnly: false
+ - name: auth
+ mountPath: /etc/registry/auth
+ readOnly: true
+ - name: certs
+ mountPath: /certs
+ readOnly: true
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ livenessProbe:
+ httpGet:
+ port: 5000
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ port: 5000
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ volumes:
+ - name: registry
+ emptyDir: {}
+ - name: auth
+ secret:
+ secretName: auth
+ - name: certs
+ secret:
+ secretName: epinio-registry-tls
+{{ if .Values.containerregistry.enabled }}
+ - name: nginx-conf
+ configMap:
+ name: nginx-conf
+ - name: nginx-cache
+ emptyDir: {}
+ - name: nginx-run
+ emptyDir: {}
+{{- end }}
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/default-app-chart.yaml b/charts/epinio/100.0.0+up0.9.1/templates/default-app-chart.yaml
new file mode 100644
index 00000000000..a21db5be54c
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/default-app-chart.yaml
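Review bot: The nginx sidecar's `livenessProbe` and `readinessProbe` check `tcpSocket: port: 5000`, which is the registry container's port, not the `listen 30500` configured for nginx in the `nginx-conf` ConfigMap, so a dead nginx is never restarted and its readiness is really the registry's; both probes should use `port: 30500`. The inner `{{ if .Values.containerregistry.enabled }}` guards (around the `registry-node` Service, the ConfigMap, the nginx container and its volumes) are nested inside the file-level `{{- if .Values.containerregistry.enabled }}` and are therefore always true — drop them or switch them to whatever condition was actually intended. The `nginx-cache` emptyDir is declared but never mounted; the container mounts `nginx-run` at both `/var/cache/nginx/` and `/var/run/`. `registry-node` publishes nginx's plaintext listener as a NodePort on every node's interfaces while basic-auth credentials are sent over it (registry-secret.yaml pairs `127.0.0.1:30500` with the username/password); a comment above that Service stating that the hop is plaintext and intended for node-local pulls only would tell operators what to restrict.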
@@ -0,0 +1,15 @@
+apiVersion: application.epinio.io/v1
+kind: AppChart
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: standard
+ labels:
+ app.kubernetes.io/component: epinio
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: epinio-standard-app-chart
+ app.kubernetes.io/part-of: epinio
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+ shortDescription: Epinio standard deployment
+ description: Epinio standard support chart for application deployment
+ helmChart: https://github.com/epinio/helm-charts/releases/download/epinio-application-0.1.15/epinio-application-0.1.15.tgz
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/default-app-namespace.yaml b/charts/epinio/100.0.0+up0.9.1/templates/default-app-namespace.yaml
new file mode 100644
index 00000000000..07b84249abb
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/default-app-namespace.yaml
@@ -0,0 +1,22 @@
+---
+# Default namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: workspace
+ annotations:
+ linkerd.io/inject: enabled
+ labels:
+ # Instruct kubed to copy image pull secrets over.
+ kubed-sync: "registry-creds"
+ app.kubernetes.io/component: "epinio-namespace"
+
+---
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+ name: workspace
+ namespace: workspace
+imagePullSecrets:
+- name: registry-creds
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/default-user.yaml b/charts/epinio/100.0.0+up0.9.1/templates/default-user.yaml
new file mode 100644
index 00000000000..df12553f907
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/default-user.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+type: BasicAuth
+metadata:
+ labels:
+ epinio.suse.org/api-user-credentials: "true"
+ name: default-epinio-user
+ namespace: {{ .Release.Namespace }}
+stringData:
+ password: {{ .Values.api.password }}
+ username: {{ .Values.api.username }}
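Review bot: `automountServiceAccountToken: true` on the `workspace` ServiceAccount mounts an API token into every application pod that uses it, and nothing in this chart shows that deployed apps need to talk to the API server. Unless a consumer requires it, `automountServiceAccountToken: false` is the least-privilege default; whichever value is kept, the reason belongs in a comment above the field, e.g. `# Apps deployed into this namespace get an API token mounted; set to false unless workloads need the API server`.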
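Review bot: `password: {{ .Values.api.password }}` and `username: {{ .Values.api.username }}` are rendered unquoted into `stringData`, whose values must be strings; a numeric or boolean-looking value (`1234`, `true`) is retyped by the YAML parser and the Secret is rejected, and an empty value becomes `null`. Render them as `password: {{ .Values.api.password | quote }}` and `username: {{ .Values.api.username | quote }}`. The defaults shipped in values.yaml are `admin`/`password`, and the template accepts them silently; `required` on the password, or a generated default in the style of s3-secret.yaml, would stop an install from ending up with the published credentials.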
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/ingress.yaml b/charts/epinio/100.0.0+up0.9.1/templates/ingress.yaml
new file mode 100644
index 00000000000..f57c57115aa
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/ingress.yaml
@@ -0,0 +1,57 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: {{ .Values.ingress.nginxSSLRedirect | quote }}
+ nginx.ingress.kubernetes.io/proxy-body-size: 100m
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: epinio
+ name: epinio
+ namespace: {{ .Release.Namespace }}
+spec:
+ {{- if .Values.ingress.ingressClassName }}
+ ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+ {{- end }}
+ rules:
+ - host: "epinio.{{ .Values.global.domain }}"
+ http:
+ paths:
+ {{- if ".Values.epinio-ui.enabled" }}
+ - backend:
+ service:
+ name: epinio-ui
+ port:
+ number: 80
+ path: /
+ pathType: ImplementationSpecific
+ {{- end }}
+ - backend:
+ service:
+ name: epinio-server
+ port:
+ number: 80
+ path: /api
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: epinio-server
+ port:
+ number: 80
+ path: /wapi
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: epinio-server
+ port:
+ number: 80
+ path: /ready
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - "epinio.{{ .Values.global.domain }}"
+ secretName: epinio-tls
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/registry-secret.yaml b/charts/epinio/100.0.0+up0.9.1/templates/registry-secret.yaml
new file mode 100644
index 00000000000..5de3c94dd43
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/registry-secret.yaml
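Review bot: `{{- if ".Values.epinio-ui.enabled" }}` tests a non-empty string literal, which is always true, so the `epinio-ui` backend for `/` is rendered even when the UI subchart is disabled and the Ingress then points the root path at a Service that does not exist. Because the key contains a hyphen it has to be reached with `index`: `{{- if (index .Values "epinio-ui").enabled }}`. The other templated values in this file are quoted consistently, so this is the only rendering problem I see here.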
@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ annotations:
+ epinio.suse.org/registry-namespace: {{ .Values.global.registryNamespace }}
+ kubed.appscode.com/sync: kubed-sync=registry-creds
+ name: registry-creds
+ namespace: {{ .Release.Namespace }}
+stringData:
+ .dockerconfigjson: |-
+ {
+ "auths": {
+ "{{ template "epinio.registry-url" . }}": {
+ "auth":"{{ printf "%s:%s" .Values.global.registryUsername .Values.global.registryPassword | b64enc }}",
+ "username":"{{ .Values.global.registryUsername }}",
+ "password":"{{ .Values.global.registryPassword }}"
+ } {{- if .Values.containerregistry.enabled }} ,
+ "127.0.0.1:30500": {
+ "auth":"{{ printf "%s:%s" .Values.global.registryUsername .Values.global.registryPassword | b64enc }}",
+ "username":"{{ .Values.global.registryUsername }}",
+ "password":"{{ .Values.global.registryPassword }}"
+ }
+ {{- end -}}
+ }
+ }
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/s3-secret.yaml b/charts/epinio/100.0.0+up0.9.1/templates/s3-secret.yaml
new file mode 100644
index 00000000000..294735447fa
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/s3-secret.yaml
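Review bot: The `.dockerconfigjson` document is assembled by splicing `.Values.global.registryUsername` and `.Values.global.registryPassword` straight into a hand-written JSON literal, so a password containing `"` or `\` yields invalid JSON and image pulls fail; the same interpolation is duplicated for the `127.0.0.1:30500` entry, with a comma placed by hand inside the `{{- if }}`. Let the template engine serialize the structure instead: `toJson` escapes the values correctly and `dict`/`set` keep both registry entries identical. The metadata section is unchanged; only the variable prelude and the `stringData` value differ.

```yaml
{{- $auth := printf "%s:%s" .Values.global.registryUsername .Values.global.registryPassword | b64enc }}
{{- $entry := dict "auth" $auth "username" .Values.global.registryUsername "password" .Values.global.registryPassword }}
{{- $auths := dict (include "epinio.registry-url" .) $entry }}
{{- if .Values.containerregistry.enabled }}
{{- $_ := set $auths "127.0.0.1:30500" $entry }}
{{- end }}
# … unchanged: apiVersion, kind, type, metadata …
stringData:
  .dockerconfigjson: {{ dict "auths" $auths | toJson | quote }}
```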
@@ -0,0 +1,49 @@
+# Generated credentials for minio. Used only if minio is enabled.
+{{- $oldkeys := (lookup "v1" "Secret" .Release.Namespace "minio-creds").data -}}
+{{- $accessKey := empty $oldkeys | ternary (randAlphaNum 16) (b64dec (default "" $oldkeys.accesskey)) -}}
+{{- $secretKey := empty $oldkeys | ternary (randAlphaNum 16) (b64dec (default "" $oldkeys.secretkey)) -}}
+
+# Minio values if minio is enabled, otherwise the user provided values
+{{- $s3Endpoint := include "epinio.minio-url" . -}}
+{{- $s3AccessKey := .Values.minio.enabled | ternary $accessKey .Values.s3.accessKeyID -}}
+{{- $s3SecretKey := .Values.minio.enabled | ternary $secretKey .Values.s3.secretAccessKey -}}
+{{- $s3Bucket := .Values.minio.enabled | ternary "epinio" .Values.s3.bucket -}}
+{{- $s3UseSSL := .Values.minio.enabled | ternary true .Values.s3.useSSL -}}
+{{- $s3Region := .Values.minio.enabled | ternary "" .Values.s3.region -}}
+
+---
+# The S3 connection details as required by the staging Job (in "ini" format)
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: epinio-s3-connection-details
+ namespace: {{ .Release.Namespace }}
+stringData:
+ bucket: {{ $s3Bucket }}
+ config: |-
+ [default]
+ region={{ $s3Region }}
+ credentials: |-
+ [default]
+ aws_access_key_id={{ $s3AccessKey }}
+ aws_secret_access_key={{ $s3SecretKey }}
+ endpoint: {{ $s3Endpoint | quote }}
+ useSSL: {{ $s3UseSSL | quote }}
+
+# The S3 connection details as required by minio deployment
+# https://github.com/minio/minio/blob/8ae46bce937567e682d14f7fe845b8ff67e549d2/helm/minio/values.yaml#L81
+# Secrets get created first so Minio should find it there when it needs it.
+# https://github.com/helm/helm/blob/release-3.0/pkg/releaseutil/kind_sorter.go
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: minio-creds
+ namespace: {{ .Release.Namespace }}
+stringData:
+ rootUser: {{ $s3AccessKey | quote }}
+ rootPassword: {{ $s3SecretKey | quote }}
+ accesskey: {{ $s3AccessKey | quote }}
+ secretkey: {{ $s3SecretKey | quote }}
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/server.yaml b/charts/epinio/100.0.0+up0.9.1/templates/server.yaml
new file mode 100644
index 00000000000..f5fa57e59ff
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/server.yaml
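Review bot: `bucket: {{ $s3Bucket }}` is the only `stringData` value in `epinio-s3-connection-details` rendered without `| quote`; a user-supplied bucket name that is all digits is parsed as an integer and the Secret is rejected because `stringData` must hold strings. Use `bucket: {{ $s3Bucket | quote }}` to match `endpoint` and `useSSL`. The `lookup`-based reuse of `minio-creds` is a sound way to keep generated credentials stable across upgrades; it is worth a comment next to the `lookup` line that `helm template` and `--dry-run` get an empty result and therefore render fresh random keys that will not match the live cluster.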
@@ -0,0 +1,333 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: epinio-server
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: epinio-server-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: epinio-server
+ namespace: {{ .Release.Namespace }}
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: epinio-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - get
+ - update
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+ - post
+- apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - patch
+- apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - servicebindings
+ verbs:
+ - create
+ - get
+ - delete
+ - list
+- apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - serviceinstances
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+- apiGroups:
+ - "cert-manager.io"
+ resources:
+ - certificates
+ verbs:
+ - create
+- 
apiGroups:
+ - application.epinio.io
+ resources:
+ - apps
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+- apiGroups:
+ - "metrics.k8s.io"
+ resources:
+ - pods
+ verbs:
+ - list
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - list
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: epinio-server-cluster-role
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: epinio-server
+subjects:
+- kind: ServiceAccount
+ name: epinio-server
+ namespace: {{ .Release.Namespace }}
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: epinio-server
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: epinio-server-role
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: epinio-server
+subjects:
+- kind: ServiceAccount
+ name: epinio-server
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: epinio
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: epinio-server
+ app.kubernetes.io/part-of: epinio
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ name: epinio-server
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: epinio-server
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: epinio-server
+ app.kubernetes.io/part-of: epinio
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: epinio-server
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: epinio-server
+ app.kubernetes.io/part-of: epinio
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ name: 
epinio-server
+ spec:
+ tolerations:
+ {{- include "linux-node-tolerations" . | nindent 8 -}}
+ nodeSelector:
+ {{- include "linux-node-selector" . | nindent 8 -}}
+ serviceAccountName: epinio-server
+ volumes:
+ - name: tmp-volume
+ emptyDir: {}
+ containers:
+ - command: ["/epinio", "server"]
+ args: ["--port", "8030"]
+ env:
+ - name: NAMESPACE
+ value: "{{ .Release.Namespace }}"
+ - name: ACCESS_CONTROL_ALLOW_ORIGIN
+ value: "{{ .Values.server.accessControlAllowOrigin }}"
+ - name: EPINIO_TIMEOUT_MULTIPLIER
+ value: "{{ .Values.server.timeoutMultiplier }}"
+ - name: SESSION_KEY
+ value: "{{ .Values.server.sessionKey }}"
+ - name: TLS_ISSUER
+ value: "{{ .Values.global.tlsIssuer }}"
+ - name: TRACE_LEVEL
+ value: "{{ .Values.server.traceLevel }}"
+ {{- if or .Values.s3.certificateSecret .Values.minio.enabled }}
+ - name: S3_CERTIFICATE_SECRET
+ value: {{ default "minio-tls" .Values.s3.certificateSecret }}
+ {{- end }}
+ {{- if .Values.containerregistry.enabled }}
+ - name: REGISTRY_CERTIFICATE_SECRET
+ value: "epinio-registry-tls"
+ {{- end }}
+ {{- if .Values.ingress.ingressClassName }}
+ - name: INGRESS_CLASS_NAME
+ value: "{{ .Values.ingress.ingressClassName }}"
+ {{- end }}
+ image: "{{ default .Values.image.epinio.registry (include "registry-url" .) 
}}{{ .Values.image.epinio.repository }}:{{ default .Chart.AppVersion .Values.image.epinio.tag }}"
+ livenessProbe:
+ httpGet:
+ path: /ready
+ port: 8030
+ name: epinio-server
+ ports:
+ - containerPort: 8030
+ volumeMounts:
+ - name: tmp-volume
+ mountPath: /tmp
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8030
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: epinio
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: epinio-server
+ app.kubernetes.io/part-of: epinio
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ name: epinio-server
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8030
+ selector:
+ app.kubernetes.io/name: epinio-server
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/service-catalog.yaml b/charts/epinio/100.0.0+up0.9.1/templates/service-catalog.yaml
new file mode 100644
index 00000000000..478b380ca8a
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/service-catalog.yaml
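Review bot: The `epinio-server-cluster-admin` ClusterRoleBinding grants the `epinio-server` ServiceAccount `cluster-admin`, which makes the carefully scoped `epinio-server` ClusterRole, Role and their bindings in the same file dead weight — everything they enumerate is already included. If the server runs on the scoped rules, remove the cluster-admin binding; if it cannot, the reason belongs in a comment above it, e.g. `# cluster-admin is needed because <operation>; the scoped roles below are not sufficient for it`. `post` in the `pods/exec` verbs is, as far as I know, not an RBAC verb (the API server maps POST to `create`, which is already listed), so that entry grants nothing and should go. The server container's `securityContext` only sets `runAsNonRoot`/`runAsUser`, while the registry containers in container-registry.yaml also set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; the server already mounts an emptyDir at `/tmp`, so aligning the two is an easy hardening step. `SESSION_KEY` is passed as a plain `value` from values.yaml and therefore lands in the rendered manifest and release history; `valueFrom.secretKeyRef` pointing at a Secret would keep it out of both.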
@@ -0,0 +1,79 @@
+# These are three simple Services to fill the Service Catalog
+{{ if .Values.serviceCatalog.enableDevServices }}
+---
+apiVersion: application.epinio.io/v1
+kind: Service
+metadata:
+ name: postgresql-dev
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: postgresql-dev
+ shortDescription: A PostgreSQL service that can be used during development
+ description: |
+ This service is going to deploy a simple default Bitnami PostreSQL db instance.
+ You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/postgresql/.
+ This database is running inside the cluster so it's probably not a good choice for production
+ environments, at least with this default configuration.
+ chart: postgresql
+ helmRepo:
+ name: bitnami
+ url: "https://charts.bitnami.com/bitnami"
+ values: ""
+---
+apiVersion: application.epinio.io/v1
+kind: Service
+metadata:
+ name: mysql-dev
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: mysql-dev
+ shortDescription: A MySQL service that can be used during development
+ description: |
+ This service is going to deploy a simple default Bitnami MySQL db instance.
+ You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/mysql/.
+ This database is running inside the cluster so it's probably not a good choice for production
+ environments, at least with this default configuration.
+ chart: mysql
+ helmRepo:
+ name: bitnami
+ url: "https://charts.bitnami.com/bitnami"
+ values: ""
+---
+apiVersion: application.epinio.io/v1
+kind: Service
+metadata:
+ name: redis-dev
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: redis-dev
+ shortDescription: A Redis service that can be used during development
+ description: |
+ This service is going to deploy a simple default Bitnami Redis instance.
+ You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/redis/.
+ This database is running inside the cluster so it's probably not a good choice for production
+ environments, at least with this default configuration.
+ chart: redis
+ helmRepo:
+ name: bitnami
+ url: "https://charts.bitnami.com/bitnami"
+ values: ""
+---
+apiVersion: application.epinio.io/v1
+kind: Service
+metadata:
+ name: rabbitmq-dev
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: rabbitmq-dev
+ shortDescription: A RabbitMQ service that can be used during development
+ description: |
+ This service is going to deploy a simple default Bitnami RabbitMQ instance.
+ You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq/.
+ This instance is running inside the cluster so it's probably not a good choice for production
+ environments, at least with this default configuration.
+ chart: rabbitmq
+ helmRepo:
+ name: bitnami
+ url: https://charts.bitnami.com/bitnami
+ values: ""
+{{- end }}
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/stage-scripts.yaml b/charts/epinio/100.0.0+up0.9.1/templates/stage-scripts.yaml
new file mode 100644
index 00000000000..adc26f1de0b
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/stage-scripts.yaml
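Review bot: The header comment says `three simple Services` but the template renders four (`postgresql-dev`, `mysql-dev`, `redis-dev`, `rabbitmq-dev`); change it to `# These are four simple Services to fill the Service Catalog`. The rabbitmq entry is the only one with an unquoted `url: https://charts.bitnami.com/bitnami` while the three above quote the URL — quote it for consistency. `PostreSQL` in the postgresql description is a typo for `PostgreSQL`.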
@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: epinio-stage-scripts
+ namespace: {{ .Release.Namespace }}
+data:
+ builderImage: "{{ template "registry-url" . }}{{ .Values.image.builder.repository}}:{{ .Values.image.builder.tag }}"
+ downloadImage: "{{ template "registry-url" . }}{{ .Values.image.awscli.repository}}:{{ .Values.image.awscli.tag }}"
+ unpackImage: "{{ template "registry-url" . }}{{ .Values.image.bash.repository}}:{{ .Values.image.bash.tag }}"
+ download: |-
+ # Parameters
+ # - PROTOCOL # s3 protocol
+ # - ENDPOINT # s3 endpoint
+ # - BUCKET # s3 bucket
+ # - BLOBID # blob id / file name for source archive
+ #
+ # This data is set in the chart only for an external s3. For
+ # internal s3 the chart has no information. Therefore we cannot
+ # use helm templating to insert these.
+ echo By _ _ __ ___ _____ $(whoami) $(pwd)
+ cat /etc/ssl/certs/ca-bundle.crt > /tmp/ca-bundle.pem
+ test -f /certs/ca.crt && cat /certs/ca.crt >> /tmp/ca-bundle.pem
+ test -f /certs/tls.crt && cat /certs/tls.crt >> /tmp/ca-bundle.pem
+ aws --ca-bundle /tmp/ca-bundle.pem --endpoint-url "${PROTOCOL}://${ENDPOINT}" s3 cp "s3://${BUCKET}/${BLOBID}" "/workspace/source/${BLOBID}"
+ echo _ _ __ ___ _____ Done
+ unpack: |-
+ # Parameters
+ # - BLOBID # blob id / file name for source archive
+ #
+ # Attempting to unpack the sources as, in order:
+ # .tar - epinio cli
+ # .zip - epinio UI
+ # -z .tar.gz
+ # -j .tar.bz2
+ # -J .tar.xz
+ #
+ # __Note__: While it would have been nicer, IMNSHO, to use `file` to determine the
+ # type of the file and then directly dispatch to the proper unpacker, the `file`
+ # command is not available in the `bash` image. The code as written now relies on each
+ # unpacker to recognize/reject input properly.
+ #
+ echo By _ _ __ ___ _____ $(whoami) $(pwd)
+ if test ! -f "/workspace/source/${BLOBID}" ; then
+ echo Nothing to unpack
+ exit
+ fi
+ mkdir /workspace/source/app
+ ( cd /workspace/source/app
+ ( echo Tar? 
; tar -xvf "../${BLOBID}" ) || \
+ ( echo Zip? ; unzip "../${BLOBID}" ) || \
+ ( echo Tgz? ; tar -xvzf "../${BLOBID}" ) || \
+ ( echo Tbz? ; tar -xvjf "../${BLOBID}" ) || \
+ ( echo Txz? ; tar -xvJf "../${BLOBID}" ) || \
+ ( echo "Unable to unpack. No supported archive file format found" ; exit 1 )
+ echo OK
+ )
+ rm "/workspace/source/${BLOBID}"
+ mkdir -p /workspace/source/env
+ cp -vL /workspace/source/appenv/* /workspace/source/env
+ chown -R 1000:1000 /workspace 2> /dev/null
+ find /workspace
+ echo _ _ __ ___ _____ Done
+ build: |-
+ # Parameters
+ # - PREIMAGE # url of previous image
+ # - APPIMAGE # url of application image
+ #
+ # ATTENTION: The `curl localhost:4191` command is used to stop the linkerd proxy
+ # container gracefully. We use `|| true` in case linkerd is not deployed. Further, it
+ # is placed into a trap to ensure that it will always run, even for a staging failure.
+ # Error output generated when linkerd is not present/up is squashed (dev/null).
+ # These messages are irrelevant, the situation is not an error, and allowing them through
+ # would confuse users (readers of app staging logs).
+ set -e
+ trap "curl -X POST http://localhost:4191/shutdown 2> /dev/null || true" EXIT
+ echo By _ _ __ ___ _____ $(whoami) $(pwd)
+ if test ! -d "/workspace/source/app" ; then
+ echo Nothing to build
+ sleep 60 # linkerd is a pain - If we exit to quickly, with the sidecar not ready our curl to shut it down does nothing, and then the sidecar comes up and prevents the pod from ending
+ exit 1
+ fi
+ find /workspace
+ /cnb/lifecycle/creator \
+ -app=/workspace/source/app \
+ -cache-dir=/workspace/cache \
+ -uid=1000 \
+ -gid=1000 \
+ -layers=/layers \
+ -platform=/workspace/source \
+ -report=/layers/report.toml \
+ -process-type=web \
+ -skip-restore=false \
+ "-previous-image=${PREIMAGE}" \
+ "${APPIMAGE}"
+ echo _ _ __ ___ _____ Done
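Review bot: Only the `build` script uses `set -e`; in `download` a failed `aws s3 cp` is followed by `echo … Done`, so the step exits 0 and staging proceeds without sources, and in `unpack` the `exit 1` of the fallback branch only leaves the innermost subshell, after which `echo OK`, the `rm` of the blob and the final `echo` still run and the step again exits 0. Add `set -e` as the first command of both `download` and `unpack` (right after their comment blocks); with `-e` the `||` chain ending in `exit 1` terminates the outer `( cd … )` subshell and the script, which is evidently what the `exit 1` was meant to do. The bare `exit` after `echo Nothing to unpack` looks deliberate (a successful no-op); writing it as `exit 0` would make that intent explicit.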
diff --git a/charts/epinio/100.0.0+up0.9.1/templates/validate-install-crd.yaml b/charts/epinio/100.0.0+up0.9.1/templates/validate-install-crd.yaml
new file mode 100644
index 00000000000..afa6e4fb4d9
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/templates/validate-install-crd.yaml
@@ -0,0 +1,16 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "application.epinio.io/v1/App" false -}}
+# {{- set $found "application.epinio.io/v1/AppChart" false -}}
+# {{- set $found "application.epinio.io/v1/Service" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/epinio/100.0.0+up0.9.1/values.schema.json b/charts/epinio/100.0.0+up0.9.1/values.schema.json
new file mode 100644
index 00000000000..dc05d06b3b1
--- /dev/null
+++ b/charts/epinio/100.0.0+up0.9.1/values.schema.json
@@ -0,0 +1,373 @@
+{
+ "$schema": "https://json-schema.org/draft-07/schema#",
+ "title": "Values",
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "object",
+ "properties": {
+ "epinio": {
+ "type": "object",
+ "properties": {
+ "registry": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "bash": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "awscli": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "kubectl": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "server": {
+ "description": "server configuration",
+ "type": "object",
+ "properties": {
+ "accessControlAllowOrigin": {
+ "type": "string"
+ },
+ "timeoutMultiplier": {
+ "type": "integer"
+ },
+ "sessionKey": {
+ "type": "string"
+ },
+ "traceLevel": {
+ "type": "integer"
+ },
+ "registryCertificateSecret": {
+ "type": "string"
+ },
+ "ingressClassName": {
+ "type": "string"
+ }
+ }
+ },
+ "ingress": {
+ "ingressClassName": {
+ "type": "string"
+ },
+ "annotations": {
+ "type": "object"
+ },
+ "nginxSSLRedirect": {
+ "type": "string"
+ }
+ },
+ "s3": {
+ "description": "s3 connection details",
+ "type": "object",
+ "properties": {
+ "endpoint": {
+ "type": "string"
+ },
+ "bucket": {
+ "type": "string"
+ },
+ "region": {
+ "type": "string"
+ },
+ "accessKeyID": {
+ "type": "string"
+ },
+ "secretAccessKey": {
+ "type": "string"
+ },
+ "certificateSecret": {
+ "type": "string"
+ },
+ "useSSL": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "endpoint",
+ "bucket",
+ "accessKeyID",
+ "secretAccessKey"
+ ]
+ },
+ "api": {
+ "description": "default api user credentials",
+ "type": "object",
+ "properties": {
+ "username": {
+ "type": "string"
+ },
+ "password": {
+ "type": "string"
+ }
+ }
+ },
+ "certManagerNamespace": { + "description": "the namespace there cert-manager controller is deployed", + "type": "string" + }, + "domain": { + "description": "the domain that will be used to access the Epinio API", + "type": "string" + }, + "global": { + "type": "object", + "properties": { + "cattle": { + "type": "object", + "properties": { + "systemDefaultRegistry": { + "type": "string" + } + } + }, + "domain": { + "type": "string" + }, + "tlsIssuer": { + "type": "string" + }, + "registryURL": { + "type": "string" + }, + "registryUsername": { + "type": "string" + }, + "registryPassword": { + "type": "string" + }, + "registryNamespace": { + "type": "string" + } + }, + "required": [ + "domain" + ] + }, + "containerregistry": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "nginx": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "registry": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + } + }, + "required": [ + "nginx", + "registry" + ] + }, + "imagePullPolicy": { + "type": "string" + }, + "ingressClassName": { + "type": "string" + } + }, + "required": [ + "enabled", + "image", + "imagePullPolicy", + "ingressClassName" + ] + }, + "epinio-ui": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "ingress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ] + } + }, + "required": [ + "enabled", + "ingress" + ] + }, + "kubed": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "enableAnalytics": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + } + }, + "required": [ + "enabled", + "enableAnalytics", + "fullnameOverride" + ] + }, + "minio": { + "type": "object", + "properties": { + 
"drivesPerNode": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "existingSecret": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "makeUserJob": { + "type": "object", + "properties": { + "podAnnotations": { + "type": "object" + } + }, + "required": [ + "podAnnotations" + ] + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + }, + "required": [ + "size" + ] + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string" + } + }, + "required": [ + "memory" + ] + } + }, + "required": [ + "requests" + ] + }, + "tls": { + "type": "object", + "properties": { + "certSecret": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "privateKey": { + "type": "string" + }, + "publicCrt": { + "type": "string" + } + }, + "required": [ + "certSecret", + "enabled", + "privateKey", + "publicCrt" + ] + } + }, + "required": [ + "drivesPerNode", + "enabled", + "existingSecret", + "fullnameOverride", + "makeUserJob", + "persistence", + "replicas", + "resources", + "tls" + ] + } + }, + "required": [ + "certManagerNamespace", + "s3" + ] +} diff --git a/charts/epinio/100.0.0+up0.9.1/values.yaml b/charts/epinio/100.0.0+up0.9.1/values.yaml new file mode 100644 index 00000000000..fe22bd33cc1 --- /dev/null +++ b/charts/epinio/100.0.0+up0.9.1/values.yaml 
@@ -0,0 +1,136 @@
+## Default values for Epinio Helm Chart.
+## This is a YAML-formatted file.
+## Declare variables to be passed into your templates.
+
+# The email address you are planning to use for getting notifications about your certificates.
+email: "epinio@suse.com"
+
+image:
+ epinio:
+ repository: rancher/mirrored-epinio-server
+ tag: "0.7.1"
+ bash:
+ repository: rancher/mirrored-library-bash
+ tag: 5.1.4
+ awscli:
+ repository: rancher/mirrored-amazon-aws-cli
+ tag: 2.0.52
+ kubectl:
+ repository: rancher/mirrored-lachlanevenson-k8s-kubectl
+ tag: v1.22.2
+ builder:
+ repository: rancher/mirrored-paketobuildpacks-builder
+ tag: full
+
+server:
+ # Domain which serves the Rancher UI (to access the API)
+ accessControlAllowOrigin: ""
+ # increase this value to increase all timeouts by the same factor
+ timeoutMultiplier: 1
+ # Change this to a random string. Used for session cookies by the API server.
+ sessionKey: "12345"
+ # Increase this value to instruct the API server to produce more debug output
+ traceLevel: 0
+ # The ingressClassName is used to select the ingress controller for apps. If empty no class will be added to their ingresseses.
+ ingressClassName: ""
+
+ingress:
+ # The ingressClassName is used to select the ingress controller for the server. If empty no class will be added to the ingresses.
+ ingressClassName: ""
+ # Annotations to add to the API ingress
+ # e.g.: --set 'ingress.annotations.nginx\.ingress\.kubernetes\.io/ssl-redirect=false'
+ annotations: {}
+ # nginxSSLRedirect to controll https->http redirects
+ nginxSSLRedirect: "true"
+
+certManagerNamespace: cert-manager
+
+# Connection details for the S3 storage
+s3:
+ endpoint: s3.amazonaws.com
+ bucket: ""
+ region: ""
+ accessKeyID: ""
+ secretAccessKey: ""
+ useSSL: true
+ # Set it to an existing secret if S3 is using a self signed cert
+ certificateSecret: ""
+
+api:
+ # Default user username
+ username: admin
+ # Default user password
+ password: password
+
+# Minio subchart values
+minio:
+ enabled: true
+ # hardcode this, to avoid problems with release name
+ fullnameOverride: minio
+ existingSecret: minio-creds
+ tls:
+ enabled: true
+ certSecret: minio-tls
+ publicCrt: tls.crt
+ privateKey: tls.key
+ persistence:
+ size: 2Gi
+ drivesPerNode: 4
+ replicas: 1
+ resources:
+ requests:
+ memory: 1Gi
+ makeUserJob:
+ podAnnotations:
+ linkerd.io/inject: disabled
+
+epinio-ui:
+ enabled: true
+ epinioVersion: "0.7.1"
+ ingress:
+ enabled: false
+
+kubed:
+ enabled: true
+ fullnameOverride: kubed
+ enableAnalytics: false
+
+containerregistry:
+ enabled: true
+
+ image:
+ registry:
+ repository: rancher/mirrored-registry
+ tag: 2.7.1
+ nginx:
+ repository: rancher/mirrored-nginx
+ tag: 1.21.6
+ imagePullPolicy: IfNotPresent
+
+ # The ingressClassName is used to select the ingress controller. If
+ # empty no class will be added to the ingresses.
+ ingressClassName: ""
+
+serviceCatalog:
+ # Enable service catalog service for development
+ enableDevServices: true
+
+global:
+ # The domain that will be used to access the epinio API server and the registry
+ domain: ""
+
+ # Connection details for the container registry.
+ registryURL: "" # Skip if containerregistry.enabled is true
+ registryUsername: "admin"
+ registryPassword: "changeme"
+ registryNamespace: "apps" # Used in registry path when pushing -> "external.tld/apps/APPNAME"
+
+ # The name of the cluster issuer to use.
+ # Epinio creates three options: 'epinio-ca', 'letsencrypt-production', and 'selfsigned-issuer'.
+ tlsIssuer: "epinio-ca"
+
+ # The URL of the container registry from where to pull container images for the various
+ # created Pods. Don't confuse this registry with the "Epinio registry" which is the one
+ # where Epinio stores the application images.
+ cattle:
+ systemDefaultRegistry: ""
diff --git a/index.yaml b/index.yaml
index e3c7f05e804..dc84fd95382 100755
--- a/index.yaml
+++ b/index.yaml
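Review bot: The chart ships working default credentials — `sessionKey: "12345"` under `server`, `password: password` under `api`, and `registryPassword: "changeme"` under `global` — and neither this hunk nor the values.schema.json hunk above marks any of them as required, so an install that only sets `global.domain` comes up with a guessable session-signing key and well-known admin and registry passwords. The comment telling the operator to change `sessionKey` is advice, not a control: a static key published in a public chart lets anyone forge the API's session cookies on an unmodified install. I would ship these as `sessionKey: ""`, `password: ""` and `registryPassword: ""` and have the templates either fail with `required` or generate a value with `randAlphaNum` on first install (the templates are outside this diff, so I cannot confirm what they do today). Separately, `builder.tag: full` is a mutable tag and `containerregistry.imagePullPolicy: IfNotPresent` never re-resolves one, so pinning the staging builder to a digest or immutable version tag would make builds reproducible and auditable. Also worth confirming: `image.epinio.tag: "0.7.1"` and `epinioVersion: "0.7.1"` while the chart directory is `100.0.0+up0.9.1`.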
@@ -1,5 +1,69 @@
 apiVersion: v1
 entries:
+ epinio:
+ - annotations:
+ artifacthub.io/license: Apache-2.0
+ catalog.cattle.io/auto-install: epinio-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Epinio
+ catalog.cattle.io/experimental: "true"
+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.24.0-0'
+ catalog.cattle.io/namespace: cattle-epinio-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 <= 2.6.100-0'
+ catalog.cattle.io/release-name: epinio
+ catalog.cattle.io/type: cluster-tool
+ apiVersion: v2
+ appVersion: v0.7.1
+ created: "2022-05-25T15:37:09.563367734+02:00"
+ dependencies:
+ - condition: epinio-ui.enabled
+ name: epinio-ui
+ repository: file://./charts/epinio-ui
+ tags:
+ - epinio-ui
+ - condition: kubed.enabled, global.kubed.enabled
+ name: kubed
+ repository: file://./charts/kubed
+ tags:
+ - kubed
+ - condition: minio.enabled, global.minio.enabled
+ name: minio
+ repository: file://./charts/minio
+ tags:
+ - minio
+ description: The official way to install Epinio
+ digest: f8f912bfc6d6fa24bc2e1cf3a54269f86858a2cc0c3fe37d6d5442abf949cb7b
+ home: https://github.com/epinio/epinio
+ icon: https://charts.rancher.io/assets/logos/epinio.svg
+ keywords:
+ - epinio
+ - paas
+ maintainers:
+ - email: team@epinio.io
+ name: SUSE
+ name: epinio
+ sources:
+ - https://github.com/epinio/epinio
+ urls:
+ - assets/epinio/epinio-100.0.0+up0.9.1.tgz
+ version: 100.0.0+up0.9.1
+ epinio-crd:
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: epinio-system
+ catalog.cattle.io/release-name: epinio-crd
+ apiVersion: v1
+ created: "2022-05-25T15:37:09.563615027+02:00"
+ description: Installs the CRDs for epinio.
+ digest: e4197cf607cb2b79e0e73c11ef74016f4df3c017a2cb8c7841e65fa60786d6c6
+ name: epinio-crd
+ type: application
+ urls:
+ - assets/epinio-crd/epinio-crd-100.0.0+up0.9.1.tgz
+ version: 100.0.0+up0.9.1
 fleet:
 - annotations:
 catalog.cattle.io/auto-install: fleet-crd=match