scottk/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-03-22 07:41:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Sync 0.10.1 to proxmox integration (#242)

Browse Source 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Co-authored-by: Mr Khachaturov <105451445+mrkhachaturov@users.noreply.github.com>
Co-authored-by: Andrei Kvapil <kvapss@gmail.com>
This commit is contained in:
Marian Koreniuk
2024-07-30 16:33:51 +03:00
committed by GitHub
parent 931d71890c
commit 0222e417df
200 changed files with 8261 additions and 371 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
manifests/cozystack-installer.yaml
View File

@@ -68,7 +68,7 @@ spec:
serviceAccountName: cozystack
containers:
- name: cozystack
image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
env:
- name: KUBERNETES_SERVICE_HOST
value: localhost
@@ -87,7 +87,7 @@ spec:
fieldRef:
fieldPath: metadata.name
- name: darkhttpd
image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
command:
- /usr/bin/darkhttpd
- /cozystack/assets

56
packages/apps/ferretdb/values2.yaml Normal file
View File

@@ -0,0 +1,56 @@
## @section Common parameters
## @param external Enable external access from outside the cluster
## @param size Persistent Volume size
## @param replicas Number of Postgres replicas
##
external: false
size: 10Gi
replicas: 1
## Configuration for the quorum-based synchronous replication
## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
quorum:
minSyncReplicas: 0
maxSyncReplicas: 0
## @section Configuration parameters
## @param users [object] Users configuration
## Example:
## users:
## user1:
## password: strongpassword
## user2:
## password: hackme
##
users:
foo:
password: asd
bar:
password: asd
baz:
password: asd
boo:
password: asd
## @section Backup parameters
## @param backup.enabled Enable pereiodic backups
## @param backup.s3Region The AWS S3 region where backups are stored
## @param backup.s3Bucket The S3 bucket used for storing backups
## @param backup.schedule Cron schedule for automated backups
## @param backup.cleanupStrategy The strategy for cleaning up old backups
## @param backup.s3AccessKey The access key for S3, used for authentication
## @param backup.s3SecretKey The secret key for S3, used for authentication
## @param backup.resticPassword The password for Restic backup encryption
backup:
enabled: false
s3Region: us-east-1
s3Bucket: s3.example.org/postgres-backups
schedule: "0 2 * * *"
cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

16
packages/apps/http-cache/images/nginx-cache.json
View File

@@ -32,7 +32,17 @@
}
}
},
"buildx.build.ref": "amd64/amd64/gaibgudlqaxqxufa236q5ffdk",
"containerimage.config.digest": "sha256:677b0b84d7a11a31971857863a6a83b5bb863583eca86a2c2b1b89c61659e549",
"containerimage.digest": "sha256:7f864e2c9c86b77e08953258521117503309f84783ea11c617db8c2534f8b545"
"buildx.build.ref": "cozystack/cozystack0/7j4plhjjn8onm0o8q0omik63x",
"containerimage.config.digest": "sha256:f30f57d817c596f7a7d0ecfe734b7b41994eca9d36d43307206314ee37bdb286",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
"size": 1094,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
"containerimage.digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
"image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.10.1"
}

2
packages/apps/kafka/Chart.yaml
View File

@@ -16,7 +16,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.2.1
version: 0.2.2
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to

14
packages/apps/kafka/templates/kafka.yaml
View File

@@ -26,11 +26,25 @@ spec:
{{- end }}
tls: false
config:
{{- if eq (int .Values.kafka.replicas) 1 }}
offsets.topic.replication.factor: 1
transaction.state.log.replication.factor: 1
transaction.state.log.min.isr: 1
default.replication.factor: 1
min.insync.replicas: 1
{{- else if eq (int .Values.kafka.replicas) 2 }}
offsets.topic.replication.factor: 2
transaction.state.log.replication.factor: 2
transaction.state.log.min.isr: 2
default.replication.factor: 2
min.insync.replicas: 2
{{- else }}
offsets.topic.replication.factor: 3
transaction.state.log.replication.factor: 3
transaction.state.log.min.isr: 2
default.replication.factor: 3
min.insync.replicas: 2
{{- end }}
storage:
type: jbod
volumes:

4
packages/apps/kafka/templates/topics.yaml
View File

@@ -9,10 +9,10 @@ metadata:
spec:
topicName: "{{ $topic.name }}"
{{- with $topic.partitions }}
partitions: "{{ . }}"
partitions: {{ . }}
{{- end }}
{{- with $topic.replicas }}
replicas: "{{ . }}"
replicas: {{ . }}
{{- end }}
{{- with $topic.config }}
config:

2
packages/apps/kubernetes/Chart.yaml
View File

@@ -16,7 +16,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.6.0
version: 0.8.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to

16
packages/apps/kubernetes/images/ubuntu-container-disk.json
View File

@@ -32,7 +32,17 @@
}
}
},
"buildx.build.ref": "amd64/amd64/kk2drcq44gorgb3xwa8908pfc",
"containerimage.config.digest": "sha256:363589eb47379eb7548f047aae24045278f14db0b2026022b6bec33a04370f15",
"containerimage.digest": "sha256:f242fd77903f5f5a94ed157e98b0c4532e5ba91734d9653eaf26cfe4b23b017b"
"buildx.build.ref": "cozystack/cozystack0/xkanpm0dojuj7v0lo951qocfb",
"containerimage.config.digest": "sha256:c144c5f12a47af7880ee5f056b14177c07b585b8ab1e68b7e7900e1c923083cf",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
"size": 506,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
"containerimage.digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
"image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.10.1"
}

1
packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
View File

@@ -14,6 +14,7 @@ spec:
metadata:
labels:
app: {{ .Release.Name }}-cluster-autoscaler
policy.cozystack.io/allow-to-apiserver: "true"
spec:
tolerations:
- key: CriticalAddonsOnly

39
packages/apps/kubernetes/templates/cluster.yaml
View File

@@ -17,6 +17,11 @@ spec:
spec:
runStrategy: Always
template:
metadata:
labels:
{{- range .group.roles }}
node-role.kubernetes.io/{{ . }}: ""
{{- end }}
spec:
domain:
cpu:
@@ -29,14 +34,10 @@ spec:
disk:
bus: virtio
pciAddress: 0000:07:00.0
- name: containerd
- name: ephemeral
disk:
bus: virtio
pciAddress: 0000:08:00.0
- name: kubelet
disk:
bus: virtio
pciAddress: 0000:09:00.0
networkInterfaceMultiqueue: true
memory:
guest: {{ .group.resources.memory }}
@@ -45,15 +46,10 @@ spec:
- name: system
containerDisk:
image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
- name: containerd
- name: ephemeral
emptyDisk:
capacity: 20Gi
- name: kubelet
emptyDisk:
capacity: 20Gi
capacity: {{ .group.ephemeralStorage | default "20Gi" }}
{{- end }}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
@@ -108,6 +104,9 @@ spec:
hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}:443
className: "{{ $ingress }}"
deployment:
podAdditionalMetadata:
labels:
policy.cozystack.io/allow-to-etcd: "true"
replicas: 2
version: 1.30.1
---
@@ -132,17 +131,19 @@ spec:
filesystems:
- device: /dev/vdb
filesystem: xfs
label: containerd
partition: "none"
- device: /dev/vdc
filesystem: xfs
label: kubelet
label: ephemeral
partition: "none"
mounts:
- ["LABEL=containerd", "/var/lib/containerd"]
- ["LABEL=kubelet", "/var/lib/kubelet"]
- ["LABEL=ephemeral", "/ephemeral"]
- ["/ephemeral/kubelet", "/var/lib/kubelet", "none", "bind,nofail"]
- ["/ephemeral/containerd", "/var/lib/containerd", "none", "bind,nofail"]
preKubeadmCommands:
- sed -i 's|root:x:|root::|' /etc/passwd
- systemctl stop containerd.service
- mkdir -p /ephemeral/kubelet /ephemeral/containerd
- mount -o bind /ephemeral/kubelet /var/lib/kubelet
- mount -o bind /ephemeral/containerd /var/lib/containerd
- systemctl start containerd.service
joinConfiguration:
nodeRegistration:
kubeletExtraArgs: {}

1
packages/apps/kubernetes/templates/csi/deploy.yaml
View File

@@ -13,6 +13,7 @@ spec:
metadata:
labels:
app: {{ .Release.Name }}-kcsi-driver
policy.cozystack.io/allow-to-apiserver: "true"
spec:
serviceAccountName: {{ .Release.Name }}-kcsi
priorityClassName: system-cluster-critical

15
packages/apps/kubernetes/templates/ingress.yaml
View File

@@ -9,6 +9,14 @@ metadata:
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/backend-protocol: "AUTO_HTTP"
nginx.ingress.kubernetes.io/configuration-snippet: |
set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80";
if ($scheme = https) {
set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-443";
set $service_port 443;
}
set $proxy_host $proxy_upstream_name;
spec:
ingressClassName: "{{ $ingress }}"
rules:
@@ -16,6 +24,13 @@ spec:
- host: {{ . | quote }}
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: {{ $.Release.Name }}-ingress-nginx
port:
number: 80
- path: /
pathType: ImplementationSpecific
backend:

1
packages/apps/kubernetes/templates/kccm/manager.yaml
View File

@@ -13,6 +13,7 @@ spec:
metadata:
labels:
k8s-app: {{ .Release.Name }}-kccm
policy.cozystack.io/allow-to-apiserver: "true"
spec:
tolerations:
- key: CriticalAddonsOnly

1
packages/apps/kubernetes/values.yaml
View File

@@ -16,6 +16,7 @@ nodeGroups:
resources:
cpu: 2
memory: 1024Mi
ephemeralStorage: 20Gi
roles:
- ingress-nginx

3
packages/apps/nats/.helmignore Normal file
View File

@@ -0,0 +1,3 @@
.helmignore
/logos
/Makefile

25
packages/apps/nats/Chart.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v2
name: nats
description: Managed NATS service
icon: /logos/nats.svg
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.4.1"

2
packages/apps/nats/Makefile Normal file
View File

@@ -0,0 +1,2 @@
generate:
readme-generator -v values.yaml -s values.schema.json -r README.md

11
packages/apps/nats/README.md Normal file
View File

@@ -0,0 +1,11 @@
# Managed NATS Service
## Parameters
### Common parameters
| Name | Description | Value |
| ---------- | ----------------------------------------------- | ------- |
| `external` | Enable external access from outside the cluster | `false` |
| `replicas` | Persistent Volume size for NATS | `3` |

76
packages/apps/nats/logos/nats.svg Normal file
View File

@@ -0,0 +1,76 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Generator: Adobe Illustrator 24.3.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg
version="1.0"
id="katman_1"
x="0px"
y="0px"
viewBox="0 0 440.79001 456.32996"
xml:space="preserve"
sodipodi:docname="NATS.io.svg"
width="440.79001"
height="456.32999"
inkscape:version="1.1.1 (c3084ef, 2021-09-22)"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg"><defs
id="defs843" /><sodipodi:namedview
id="namedview841"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
showgrid="false"
width="440.79px"
height="456.32999px"
inkscape:zoom="0.27371294"
inkscape:cx="524.2719"
inkscape:cy="823.85584"
inkscape:window-width="1312"
inkscape:window-height="969"
inkscape:window-x="0"
inkscape:window-y="25"
inkscape:window-maximized="0"
inkscape:current-layer="katman_1" />
<style
type="text/css"
id="style824">
.st0{fill:#32A574;}
.st1{fill:#2AAAE1;}
.st2{fill:#8EC044;}
.st3{fill:#385C93;}
.st4{fill:#FFFFFF;}
</style>
<path
class="st0"
d="M 220.4,0 H 440.79 V 178.67 H 220.4 Z"
id="path826" />
<path
class="st1"
d="M 0,0 H 220.39 V 178.67 H 0 Z"
id="path828" />
<path
class="st2"
d="M 220.4,178.83 H 440.79 V 357.5 H 220.4 Z"
id="path830" />
<path
class="st3"
d="M 0,178.83 H 220.39 V 357.5 H 0 Z"
id="path832" />
<path
class="st2"
d="m 188,356.52 107.82,99.81 v -99.81 z"
id="path834" />
<path
class="st3"
d="m 220.4,356.52 1.15,31.41 -34.52,-32.23 z"
id="path836" />
<path
class="st4"
d="M 311.7,231.03 V 83.12 h 52.69 V 274.39 H 284.54 L 123.37,123.86 V 274.55 H 70.52 V 83.12 h 82.63 z"
id="path838" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.9 KiB

43
packages/apps/nats/templates/nats.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-system
spec:
chart:
spec:
chart: cozy-nats
reconcileStrategy: Revision
sourceRef:
kind: HelmRepository
name: cozystack-system
namespace: cozy-system
version: '*'
interval: 1m0s
timeout: 5m0s
values:
nats:
fullnameOverride: {{ .Release.Name }}
config:
cluster:
enabled: true
replicas: {{ .Values.replicas }}
monitor:
enabled: true
jetstream:
enabled: true
fileStore:
enabled: true
pvc:
enabled: true
size: 10Gi
storageClassName: local
promExporter:
enabled: true
podMonitor:
enabled: true
{{- if .Values.external }}
service:
merge:
spec:
type: LoadBalancer
{{- end }}

16
packages/apps/nats/values.schema.json Normal file
View File

@@ -0,0 +1,16 @@
{
"title": "Chart Values",
"type": "object",
"properties": {
"external": {
"type": "boolean",
"description": "Enable external access from outside the cluster",
"default": false
},
"replicas": {
"type": "number",
"description": "Persistent Volume size for NATS",
"default": 3
}
}
}

8
packages/apps/nats/values.yaml Normal file
View File

@@ -0,0 +1,8 @@
## @section Common parameters
## @param external Enable external access from outside the cluster
## @param replicas Persistent Volume size for NATS
##
external: false
replicas: 2

2
packages/apps/postgres/Chart.yaml
View File

@@ -16,7 +16,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.3.0
version: 0.4.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to

99
packages/apps/postgres/templates/init-script.yaml
View File

@@ -53,47 +53,80 @@ stringData:
echo "== grant privileges on databases to roles"
{{- range $database, $d := .Values.databases }}
# admin
psql -v ON_ERROR_STOP=1 --echo-all -d "{{ $database }}" <<\EOT
DO $$DECLARE r record;
ALTER DATABASE {{ $database }} OWNER TO {{ $database }}_admin;
GRANT CONNECT ON DATABASE {{ $database }} TO {{ $database }}_readonly;
DO $$
DECLARE
v_schema varchar := 'public';
v_new_owner varchar := '{{ $database }}_admin';
schema_record record;
BEGIN
FOR r IN
select 'ALTER TABLE "' || table_schema || '"."' || table_name || '" OWNER TO ' || v_new_owner || ';' as a from information_schema.tables where table_schema = v_schema
union all
select 'ALTER TABLE "' || sequence_schema || '"."' || sequence_name || '" OWNER TO ' || v_new_owner || ';' as a from information_schema.sequences where sequence_schema = v_schema
union all
select 'ALTER TABLE "' || table_schema || '"."' || table_name || '" OWNER TO ' || v_new_owner || ';' as a from information_schema.views where table_schema = v_schema
union all
select 'ALTER FUNCTION "'||nsp.nspname||'"."'||p.proname||'"('||pg_get_function_identity_arguments(p.oid)||') OWNER TO ' || v_new_owner || ';' as a from pg_proc p join pg_namespace nsp ON p.pronamespace = nsp.oid where nsp.nspname = v_schema
LOOP
EXECUTE r.a;
-- Loop over all schemas
FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP
-- Changing Schema Ownership
EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, '{{ $database }}_admin');
-- Add rights for the admin role
EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_admin');
EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_admin');
EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_admin');
EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_admin');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, '{{ $database }}_admin');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, '{{ $database }}_admin');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, '{{ $database }}_admin');
-- Add rights for the readonly role
EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly');
EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly');
EXECUTE format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly');
EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON TABLES TO %I', schema_record.schema_name, '{{ $database }}_readonly');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT USAGE ON SEQUENCES TO %I', schema_record.schema_name, '{{ $database }}_readonly');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT EXECUTE ON FUNCTIONS TO %I', schema_record.schema_name, '{{ $database }}_readonly');
END LOOP;
END$$;
ALTER DATABASE {{ $database }} OWNER TO {{ $database }}_admin;
ALTER SCHEMA public OWNER TO {{ $database }}_admin;
GRANT ALL ON SCHEMA public TO {{ $database }}_admin;
GRANT ALL ON ALL TABLES IN SCHEMA public TO {{ $database }}_admin;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO {{ $database }}_admin;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO {{ $database }}_admin;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO {{ $database }}_admin;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO {{ $database }}_admin;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO {{ $database }}_admin;
EOT
# readonly
echo "== setup event trigger for schema creation"
psql -v ON_ERROR_STOP=1 --echo-all -d "{{ $database }}" <<\EOT
GRANT CONNECT ON DATABASE {{ $database }} TO {{ $database }}_readonly;
GRANT USAGE ON SCHEMA public TO {{ $database }}_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{ $database }}_readonly;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO {{ $database }}_readonly;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO {{ $database }}_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO {{ $database }}_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO {{ $database }}_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO {{ $database }}_readonly;
CREATE OR REPLACE FUNCTION auto_grant_schema_privileges()
RETURNS event_trigger LANGUAGE plpgsql AS $$
DECLARE
obj record;
BEGIN
FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP
EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, '{{ $database }}_admin');
EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_admin');
EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
-- Set owner for schema
EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, '{{ $database }}_admin');
-- Set privileges for admin role
EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_admin');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, '{{ $database }}_admin');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, '{{ $database }}_admin');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, '{{ $database }}_admin');
-- Set privileges for readonly role
EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON TABLES TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT USAGE ON SEQUENCES TO %I', obj.object_identity, '{{ $database }}_readonly');
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT EXECUTE ON FUNCTIONS TO %I', obj.object_identity, '{{ $database }}_readonly');
END LOOP;
END;
$$;
DROP EVENT TRIGGER IF EXISTS trigger_auto_grant;
CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end
WHEN TAG IN ('CREATE SCHEMA')
EXECUTE PROCEDURE auto_grant_schema_privileges();
EOT
{{- end }}

2
packages/apps/tenant/Chart.yaml
View File

@@ -4,4 +4,4 @@ description: Separated tenant namespace
icon: /logos/tenant.svg
type: application
version: 1.2.0
version: 1.3.0

1
packages/apps/tenant/README.md
View File

@@ -56,3 +56,4 @@ tenant-u1
| `etcd` | Deploy own Etcd cluster | `false` |
| `monitoring` | Deploy own Monitoring Stack | `false` |
| `ingress` | Deploy own Ingress Controller | `false` |
| `isolated` | Enforce tenant namespace with network policies | `false` |

136
packages/apps/tenant/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,136 @@
{{- if .Values.isolated }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-internal-communication
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector: {}
ingress:
- fromEndpoints:
- {}
egress:
- toEndpoints:
- {}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-external-communication
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector: {}
ingress:
- fromEntities:
- world
egress:
- toEntities:
- world
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-from-system
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector: {}
ingress:
- fromEntities:
- cluster
---
{{- if ne (include "tenant.name" .) "tenant-root" }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-from-upper-tenants
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector: {}
ingress:
- fromEndpoints:
- matchLabels:
"kubernetes.io/metadata.name": "tenant-root"
{{- if hasPrefix "tenant-" .Release.Namespace }}
{{- $parts := splitList "-" .Release.Namespace }}
{{- range $i, $v := $parts }}
{{- if ne $i 0 }}
- matchLabels:
"kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
---
{{- if not .Values.etcd }}
{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-to-etcd
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector:
matchLabels:
policy.cozystack.io/allow-to-etcd: "true"
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
cozystack.io/service: etcd
{{- end }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-to-apiserver
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector:
matchLabels:
policy.cozystack.io/allow-to-apiserver: "true"
egress:
- toEntities:
- kube-apiserver
- toPorts:
- ports:
- port: "6443"
protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-to-dns
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector: {}
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-to-dashboard
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector: {}
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: cozy-dashboard
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-to-ingress
namespace: {{ include "tenant.name" . }}
spec:
endpointSelector: {}
egress:
- toEndpoints:
- matchLabels:
cozystack.io/service: ingress
{{- end }}

5
packages/apps/tenant/values.schema.json
View File

@@ -21,6 +21,11 @@
"type": "boolean",
"description": "Deploy own Ingress Controller",
"default": false
},
"isolated": {
"type": "boolean",
"description": "Enforce tenant namespace with network policies",
"default": false
}
}
}

2
packages/apps/tenant/values.yaml
View File

@@ -4,7 +4,9 @@
## @param etcd Deploy own Etcd cluster
## @param monitoring Deploy own Monitoring Stack
## @param ingress Deploy own Ingress Controller
## @param isolated Enforce tenant namespace with network policies
host: ""
etcd: false
monitoring: false
ingress: false
isolated: false

14
packages/apps/versions_map
View File

@@ -6,20 +6,25 @@ http-cache 0.1.0 a956713
http-cache 0.2.0 HEAD
kafka 0.1.0 760f86d2
kafka 0.2.0 a2cc83d
kafka 0.2.1 HEAD
kafka 0.2.1 3ac17018
kafka 0.2.2 HEAD
kubernetes 0.1.0 f642698
kubernetes 0.2.0 7cd7de73
kubernetes 0.3.0 7caccec1
kubernetes 0.4.0 6cae6ce8
kubernetes 0.5.0 6bd2d455
kubernetes 0.6.0 HEAD
kubernetes 0.6.0 4cbc8a2c
kubernetes 0.7.0 ceefae03
kubernetes 0.8.0 HEAD
mysql 0.1.0 f642698
mysql 0.2.0 8b975ff0
mysql 0.3.0 HEAD
nats 0.1.0 HEAD
postgres 0.1.0 f642698
postgres 0.2.0 7cd7de73
postgres 0.2.1 4a97e297
postgres 0.3.0 HEAD
postgres 0.3.0 995dea6f
postgres 0.4.0 HEAD
rabbitmq 0.1.0 f642698
rabbitmq 0.2.0 HEAD
redis 0.1.1 f642698
@@ -31,7 +36,8 @@ tenant 0.1.4 d200480
tenant 0.1.5 e3ab858
tenant 1.0.0 7cd7de7
tenant 1.1.0 4da8ac3b
tenant 1.2.0 HEAD
tenant 1.2.0 15478a88
tenant 1.3.0 HEAD
virtual-machine 0.1.4 f2015d6
virtual-machine 0.1.5 7cd7de7
virtual-machine 0.2.0 HEAD

8
packages/core/installer/images/cozystack.json
View File

@@ -1,10 +1,10 @@
{
"buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6",
"buildx.build.ref": "cozystack/cozystack0/zk58yqp4vkrfgx3gdjumn9k70",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
"digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
"size": 685
},
"containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
"image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
"containerimage.digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
"image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
}

2
packages/core/installer/images/cozystack.tag
View File

@@ -1 +1 @@
ghcr.io/aenix-io/cozystack/cozystack:v0.9.0
ghcr.io/aenix-io/cozystack/cozystack:latest

10
packages/core/installer/images/matchbox.json
View File

@@ -29,17 +29,17 @@
}
}
},
"buildx.build.ref": "priceless_leavitt/priceless_leavitt0/k5n5is33n6zu6an3nmlnylejx",
"containerimage.config.digest": "sha256:4676a205eae74f1b16a9065921c612ee85e123ab6566a238edb4bbaf79b2e148",
"buildx.build.ref": "cozystack/cozystack0/qu2ygr61roizh7ga2l4kkmdx6",
"containerimage.config.digest": "sha256:94aa5abc006ac672ccdd91b8d9361fd14de6e0b286299f4e44dd09002becc3b7",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7",
"digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
"size": 1488,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
"containerimage.digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7",
"image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.0,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.0"
"containerimage.digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
"image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.10.1,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.10.1"
}

10
packages/core/platform/bundles/distro-full.yaml
View File

@@ -93,13 +93,13 @@ releases:
releaseName: kafka-operator
chart: cozy-kafka-operator
namespace: cozy-kafka-operator
dependsOn: [cilium,kubeovn]
dependsOn: [cilium]
- name: clickhouse-operator
releaseName: clickhouse-operator
chart: cozy-clickhouse-operator
namespace: cozy-clickhouse-operator
dependsOn: [cilium,kubeovn]
dependsOn: [cilium]
- name: rabbitmq-operator
releaseName: rabbitmq-operator
@@ -119,6 +119,12 @@ releases:
namespace: cozy-linstor
dependsOn: [cilium,cert-manager]
- name: snapshot-controller
releaseName: snapshot-controller
chart: cozy-snapshot-controller
namespace: cozy-snapshot-controller
dependsOn: [cilium,cert-manager-issuers]
- name: linstor
releaseName: linstor
chart: cozy-linstor

6
packages/core/platform/bundles/paas-full.yaml
View File

@@ -155,6 +155,12 @@ releases:
privileged: true
dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager]
- name: snapshot-controller
releaseName: snapshot-controller
chart: cozy-snapshot-controller
namespace: cozy-snapshot-controller
dependsOn: [cilium,kubeovn,cert-manager-issuers]
- name: telepresence
releaseName: traffic-manager
chart: cozy-telepresence

6
packages/core/platform/templates/namespaces.yaml
View File

@@ -15,6 +15,7 @@
{{- end }}
{{/* Add extra namespaces */}}
{{- $_ := set $namespaces "cozy-system" true }}
{{- $_ := set $namespaces "cozy-public" false }}
{{- range $namespace, $privileged := $namespaces }}
@@ -24,9 +25,10 @@ kind: Namespace
metadata:
annotations:
"helm.sh/resource-policy": keep
{{- if $privileged }}
labels:
cozystack.io/system: "true"
{{- if $privileged }}
pod-security.kubernetes.io/enforce: privileged
{{- end }}
{{- end }}
name: {{ $namespace }}
{{- end }}

2
packages/extra/etcd/Chart.yaml
View File

@@ -3,4 +3,4 @@ name: etcd
description: Storage for Kubernetes clusters
icon: /logos/etcd.svg
type: application
version: 2.1.0
version: 2.2.0

4
packages/extra/etcd/templates/etcd-cluster.yaml
View File

@@ -33,6 +33,9 @@ spec:
clientTrustedCASecret: etcd-ca-tls
clientSecret: etcd-client-tls
podTemplate:
metadata:
labels:
cozystack.io/service: etcd
spec:
topologySpreadConstraints:
- maxSkew: 1
@@ -41,6 +44,7 @@ spec:
labelSelector:
matchLabels:
app.kubernetes.io/instance: etcd
podDisruptionBudgetTemplate: {}
---
apiVersion: cert-manager.io/v1
kind: Issuer

2
packages/extra/ingress/Chart.yaml
View File

@@ -3,4 +3,4 @@ name: ingress
description: NGINX Ingress Controller
icon: /logos/ingress-nginx.svg
type: application
version: 1.3.0
version: 1.2.0

5
packages/extra/ingress/Makefile
View File

@@ -1,2 +1,7 @@
update: get-cloudflare-ips
get-cloudflare-ips:
printf '{{- define "ingress.cloudflare-ips" -}}\n%s,%s\n{{- end }}\n' "$$(curl -s https://www.cloudflare.com/ips-v4/ | tr '\n' ,)" "$$(curl -s https://www.cloudflare.com/ips-v6/ | tr '\n' ,)" > templates/_cloudflare-ips.tpl
generate:
readme-generator -v values.yaml -s values.schema.json -r README.md

12
packages/extra/ingress/README.md
View File

@@ -4,7 +4,11 @@
### Common parameters
| Name | Description | Value |
| ------------- | -------------------------------- | ----- |
| `replicas` | Number of ingress-nginx replicas | `2` |
| `externalIPs` | List of externalIPs for service. | `[]` |
| Name | Description | Value |
| ---------------- | ----------------------------------------------------------------- | ------- |
| `replicas` | Number of ingress-nginx replicas | `2` |
| `externalIPs` | List of externalIPs for service. | `[]` |
| `whitelist` | List of client networks | `[]` |
| `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
| `dashboard` | Should ingress serve Cozystack service dashboard | `false` |

3
packages/extra/ingress/templates/_cloudflare-ips.tpl Normal file
View File

@@ -0,0 +1,3 @@
{{- define "ingress.cloudflare-ips" -}}
173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32
{{- end }}

29
packages/extra/ingress/templates/dashboard.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
{{- if .Values.dashboard }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
acme.cert-manager.io/http01-ingress-class: tenant-root
name: dashboard-{{ .Release.Namespace }}
namespace: cozy-dashboard
spec:
ingressClassName: {{ .Release.Namespace }}
rules:
- host: dashboard.{{ $host }}
http:
paths:
- backend:
service:
name: dashboard
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- dashboard.{{ $host }}
secretName: dashboard-{{ .Release.Namespace }}-tls
{{- end }}

14
packages/extra/ingress/templates/nginx-ingress.yaml
View File

@@ -23,6 +23,9 @@ spec:
ingressClassResource:
name: {{ .Release.Namespace }}
controllerValue: k8s.io/ingress-nginx-{{ .Release.Namespace }}
podLabels:
cozystack.io/service: ingress
policy.cozystack.io/allow-to-apiserver: "true"
{{- if not (eq .Release.Namespace "tenant-root") }}
admissionWebhooks:
enabled: false
@@ -37,3 +40,14 @@ spec:
type: LoadBalancer
externalTrafficPolicy: Local
{{- end }}
{{- if or .Values.whitelist .Values.clouflareProxy }}
config:
{{- with .Values.whitelist }}
whitelist-source-range: "{{ join "," . }}"
{{- end }}
{{- if .Values.clouflareProxy }}
set_real_ip_from: "{{ include "ingress.cloudflare-ips" . }}"
use-forwarded-headers: "true"
server-snippet: "real_ip_header CF-Connecting-IP;"
{{- end }}
{{- end }}

16
packages/extra/ingress/values.schema.json
View File

@@ -14,6 +14,22 @@
"items": {
"type": "string"
}
},
"whitelist": {
"type": "array",
"description": "List of client networks",
"default": [],
"items": {}
},
"clouflareProxy": {
"type": "boolean",
"description": "Restoring original visitor IPs when Cloudflare proxied is enabled",
"default": false
},
"dashboard": {
"type": "boolean",
"description": "Should ingress serve Cozystack service dashboard",
"default": false
}
}
}

13
packages/extra/ingress/values.yaml
View File

@@ -14,3 +14,16 @@ replicas: 2
## - "11.22.33.46"
##
externalIPs: []
## @param whitelist List of client networks
## Example:
## whitelist:
## - "1.2.3.4"
## - "10.100.0.0/16"
whitelist: []
## @param clouflareProxy Restoring original visitor IPs when Cloudflare proxied is enabled
clouflareProxy: false
## @param dashboard Should ingress serve Cozystack service dashboard
dashboard: false

6
packages/extra/versions_map
View File

@@ -1,11 +1,11 @@
etcd 1.0.0 f7eaab0
etcd 2.0.0 a6d0f7cf
etcd 2.0.1 6fc1cc7d
etcd 2.1.0 HEAD
etcd 2.1.0 2b00fcf8
etcd 2.2.0 HEAD
ingress 1.0.0 f642698
ingress 1.1.0 838bee5d
ingress 1.2.0 07d666c0
ingress 1.3.0 HEAD
ingress 1.2.0 HEAD
monitoring 1.0.0 f642698
monitoring 1.1.0 15478a88
monitoring 1.2.0 HEAD

7
packages/system/cert-manager-issuers/templates/cluster-issuers.yaml
View File

@@ -26,3 +26,10 @@ spec:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
spec:
selfSigned: {}

18
packages/system/cilium/images/cilium.json
View File

@@ -11,7 +11,7 @@
{
"uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64",
"digest": {
"sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad"
"sha256": "af9b40f2b1851be993763b85288f8434af87b5678af04355b1e33ff530b5765f"
}
},
{
@@ -45,7 +45,17 @@
}
}
},
"buildx.build.ref": "amd64/amd64/ydz7c2pwlqaadvlo84t1spegq",
"containerimage.config.digest": "sha256:1f918c5f4bd8a1c90596b7d4256c8a208482141ae3363ab0b4627203b3fa3b32",
"containerimage.digest": "sha256:90e2235e75febcac777c0338fa93d5e7522d82d029facb0c318305ed178a42ac"
"buildx.build.ref": "cozystack/cozystack0/3a5uyqqyj3lnwkgdniwjp341a",
"containerimage.config.digest": "sha256:db99b8b1e565f406af5b240b1ef76b5cc3ba1b510c6e035e1497c5089d65ee12",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282",
"size": 2083,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
"containerimage.digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282",
"image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.10.1"
}

16
packages/system/dashboard/images/dashboard.json
View File

@@ -35,7 +35,17 @@
}
}
},
"buildx.build.ref": "amd64/amd64/vvxs4dbzlno0vtdl1zudk54fj",
"containerimage.config.digest": "sha256:52a7ac58f30de8bec104f3fa9b3dcc674f37edfee184c5d4229e24f69f4ddcb2",
"containerimage.digest": "sha256:8906436ebd6452549f0634c6db693c7c3248c123f0c882bb8b1bde34ec05aeb6"
"buildx.build.ref": "cozystack/cozystack0/puq8k1x2nsc986l15a2vanb8s",
"containerimage.config.digest": "sha256:2c68c6ce6620a8c8afd84fed1c2265738d661a47ded0be21b2517b0309ed7307",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
"size": 703,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
"containerimage.digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
"image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.10.1"
}

2
packages/system/dashboard/images/dashboard.tag
View File

@@ -1 +1 @@
ghcr.io/aenix-io/cozystack/dashboard:v0.9.0
ghcr.io/aenix-io/cozystack/dashboard:v0.10.1

20
packages/system/dashboard/images/kubeapps-apis.json
View File

@@ -11,13 +11,13 @@
{
"uri": "pkg:docker/bitnami/minideb@bookworm?platform=linux%2Famd64",
"digest": {
"sha256": "29b77c65b015126298b9b5d6c20a389f538145c619c8e049ccf2e7cd436e023a"
"sha256": "b13cb4b41be91e22858e9b050a51137b636a34694a92ff17c27cb010e5f93f04"
}
},
{
"uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
"digest": {
"sha256": "b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0"
"sha256": "0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5"
}
}
],
@@ -41,7 +41,17 @@
}
}
},
"buildx.build.ref": "amd64/amd64/p2w3cwt8rnd7ivkbmg86ugjj0",
"containerimage.config.digest": "sha256:28621d87b70bc82caf060b33313051703456a2915e95371bcbe5c0e1e5b9daa3",
"containerimage.digest": "sha256:1b6826f030c6d288f9d91476b636300e544bbf55687e59f6de1765d1320faf7b"
"buildx.build.ref": "cozystack/cozystack0/nk99hhpt81cl5xu6eecdk86qs",
"containerimage.config.digest": "sha256:662ea8b8642d1c6662e5eef79ea8329863f5178a80457e1faf983506efe7a611",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d",
"size": 1890,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
"containerimage.digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d",
"image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1"
}

2
packages/system/dashboard/images/kubeapps-apis.tag
View File

@@ -1 +1 @@
ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.9.0
ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1

4
packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: v0.3.1
appVersion: v0.4.0
name: etcd-operator
type: application
version: 0.3.1
version: 0.4.0

16
packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml
View File

@@ -57,6 +57,22 @@ rules:
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- patch
- watch
- apiGroups:
- "storage.k8s.io"
resources:
- storageclasses
verbs:
- get
- list
- apiGroups:
- etcd.aenix.io
resources:

12
packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml
View File

@@ -1,8 +1,9 @@
annotations:
artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.9.4"'
artifacthub.io/changes: |
- Update Ingress-Nginx version controller-v1.11.1
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 1.9.4
appVersion: 1.11.1
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
load balancer
home: https://github.com/kubernetes/ingress-nginx
@@ -10,12 +11,15 @@ icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/5
keywords:
- ingress
- nginx
kubeVersion: '>=1.20.0-0'
kubeVersion: '>=1.21.0-0'
maintainers:
- name: cpanato
- name: Gacko
- name: puerco
- name: rikatz
- name: strongjz
- name: tao12345666333
name: ingress-nginx
sources:
- https://github.com/kubernetes/ingress-nginx
version: 4.8.4
version: 4.11.1

2
packages/system/ingress-nginx/charts/ingress-nginx/OWNERS
View File

@@ -1,4 +1,4 @@
# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners
approvers:
- ingress-nginx-helm-maintainers

120
packages/system/ingress-nginx/charts/ingress-nginx/README.md
View File

@@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.8.4](https://img.shields.io/badge/Version-4.8.4-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
![Version: 4.11.1](https://img.shields.io/badge/Version-4.11.1-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@@ -10,7 +10,7 @@ This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kuber
## Requirements
Kubernetes: `>=1.20.0-0`
Kubernetes: `>=1.21.0-0`
## Get Repo Info
@@ -253,17 +253,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
| controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not |
| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name |
| controller.admissionWebhooks.patch.tolerations | list | `[]` | |
| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | |
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
@@ -285,7 +291,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| controller.autoscalingTemplate | list | `[]` | |
| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
| controller.config | object | `{}` | Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
| controller.containerName | string | `"controller"` | Configures the controller container name |
@@ -293,9 +299,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
| controller.customTemplate.configMapKey | string | `""` | |
| controller.customTemplate.configMapName | string | `""` | |
| controller.disableLeaderElection | bool | `false` | This configuration disable Nginx Controller Leader Election |
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
| controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
| controller.enableAnnotationValidations | bool | `false` | |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
@@ -317,8 +325,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` | |
| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | |
@@ -326,14 +334,17 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.9.4"` | |
| controller.image.tag | string | `"v1.11.1"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
| controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster |
| controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not |
| controller.ingressClassResource.name | string | `"nginx"` | Name of the ingressClass |
| controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. |
| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
| controller.ingressClassResource.aliases | list | `[]` | Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. Useful for development environments with only one Ingress Controller but production-like Ingress resources. `default` gets enabled on the original IngressClass only. |
| controller.ingressClassResource.annotations | object | `{}` | Annotations to be added to the IngressClass resource. |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. This value is also being set as the `--controller-class` argument of this Ingress Controller. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
| controller.ingressClassResource.default | bool | `false` | If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. Ingress creation gets rejected if there are multiple default IngressClasses. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class |
| controller.ingressClassResource.enabled | bool | `true` | Create the IngressClass or not |
| controller.ingressClassResource.name | string | `"nginx"` | Name of the IngressClass |
| controller.ingressClassResource.parameters | object | `{}` | A link to a custom resource containing additional configuration for the controller. This is optional if the controller consuming this IngressClass does not require additional parameters. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
| controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` | |
| controller.keda.behavior | object | `{}` | |
| controller.keda.cooldownPeriod | int | `300` | |
@@ -369,6 +380,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.service.servicePort | int | `10254` | |
| controller.metrics.service.type | string | `"ClusterIP"` | |
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
| controller.metrics.serviceMonitor.annotations | object | `{}` | |
| controller.metrics.serviceMonitor.enabled | bool | `false` | |
| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | |
| controller.metrics.serviceMonitor.namespace | string | `""` | |
@@ -387,9 +399,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.opentelemetry.distroless | bool | `true` | |
| controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
| controller.opentelemetry.image.distroless | bool | `true` | |
| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | |
| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | |
| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | |
| controller.opentelemetry.name | string | `"opentelemetry"` | |
| controller.opentelemetry.resources | object | `{}` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
@@ -415,34 +430,50 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.scope.enabled | bool | `false` | Enable 'scope' or not |
| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
| controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # |
| controller.service.enableHttp | bool | `true` | |
| controller.service.enableHttps | bool | `true` | |
| controller.service.enabled | bool | `true` | |
| controller.service.external.enabled | bool | `true` | |
| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service |
| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.labels | object | `{}` | |
| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.loadBalancerSourceRanges | list | `[]` | |
| controller.service.nodePorts.http | string | `""` | |
| controller.service.nodePorts.https | string | `""` | |
| controller.service.nodePorts.tcp | object | `{}` | |
| controller.service.nodePorts.udp | object | `{}` | |
| controller.service.ports.http | int | `80` | |
| controller.service.ports.https | int | `443` | |
| controller.service.targetPorts.http | string | `"http"` | |
| controller.service.targetPorts.https | string | `"https"` | |
| controller.service.type | string | `"LoadBalancer"` | |
| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. |
| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
| controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 |
| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 |
| controller.service.internal.ports | object | `{}` | |
| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.internal.targetPorts | object | `{}` | |
| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.labels | object | `{}` | Labels to be added to both controller services. |
| controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
| controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. |
| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
| controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 |
| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 |
| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. |
| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. |
| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
@@ -454,7 +485,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
| defaultBackend.affinity | object | `{}` | |
| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
| defaultBackend.autoscaling.annotations | object | `{}` | |
| defaultBackend.autoscaling.enabled | bool | `false` | |
| defaultBackend.autoscaling.maxReplicas | int | `2` | |
@@ -510,6 +541,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.serviceAccount.create | bool | `true` | |
| defaultBackend.serviceAccount.name | string | `""` | |
| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |

5
packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml
View File

@@ -7,4 +7,7 @@ controller:
type: ClusterIP
extraModules:
- name: opentelemetry
image: busybox
image:
registry: registry.k8s.io
image: busybox
tag: latest

5
packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml
View File

@@ -9,4 +9,7 @@ controller:
allowPrivilegeEscalation: false
extraModules:
- name: opentelemetry
image: busybox
image:
registry: registry.k8s.io
image: busybox
tag: latest

5
packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml
View File

@@ -7,6 +7,9 @@ controller:
type: ClusterIP
extraModules:
- name: opentelemetry
image: busybox
image:
registry: registry.k8s.io
image: busybox
tag: latest
containerSecurityContext:
allowPrivilegeEscalation: false

5
packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml
View File

@@ -7,4 +7,7 @@ controller:
type: ClusterIP
extraModules:
- name: opentelemetry
image: busybox
image:
registry: registry.k8s.io
image: busybox
tag: latest

9
packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml Normal file
View File

@@ -0,0 +1,9 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
opentelemetry:
enabled: true

25
packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl
View File

@@ -167,6 +167,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the admission webhook patch job service account to use
*/}}
{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}}
{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}}
{{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified admission webhook secret creation job name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -242,22 +253,13 @@ Check the ingress controller version tag is at most three versions behind the la
{{- end -}}
{{- end -}}
{{/*
IngressClass parameters.
*/}}
{{- define "ingressClass.parameters" -}}
{{- if .Values.controller.ingressClassResource.parameters -}}
parameters:
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
{{ end }}
{{- end -}}
{{/*
Extra modules.
*/}}
{{- define "extraModules" -}}
- name: {{ .name }}
image: {{ .image }}
{{- with .image }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
command:
{{- if .distroless }}
- /init_module
@@ -266,6 +268,7 @@ Extra modules.
- -c
- /usr/local/bin/init_module.sh
{{- end }}
{{- end }}
{{- if .containerSecurityContext }}
securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
{{- end }}

11
packages/system/ingress-nginx/charts/ingress-nginx/templates/_params.tpl
View File

@@ -29,7 +29,7 @@
- --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
{{- end }}
{{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }}
- --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }}
{{- end }}
{{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
- --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
@@ -54,9 +54,18 @@
{{- if .Values.controller.watchIngressWithoutClass }}
- --watch-ingress-without-class=true
{{- end }}
{{- if not .Values.controller.metrics.enabled }}
- --enable-metrics={{ .Values.controller.metrics.enabled }}
{{- end }}
{{- if .Values.controller.enableTopologyAwareRouting }}
- --enable-topology-aware-routing=true
{{- end }}
{{- if .Values.controller.disableLeaderElection }}
- --disable-leader-election=true
{{- end }}
{{- if .Values.controller.electionTTL }}
- --election-ttl={{ .Values.controller.electionTTL }}
{{- end }}
{{- range $key, $value := .Values.controller.extraArgs }}
{{- /* Accept keys without values or with false as value */}}
{{- if eq ($value | quote | len) 2 }}

2
packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:

4
packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -18,6 +18,6 @@ roleRef:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

4
packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View File

@@ -43,7 +43,7 @@ spec:
containers:
- name: create
{{- with .Values.controller.admissionWebhooks.patch.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
@@ -66,7 +66,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}

4
packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View File

@@ -43,7 +43,7 @@ spec:
containers:
- name: patch
{{- with .Values.controller.admissionWebhooks.patch.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
@@ -68,7 +68,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}

2
packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:

4
packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -19,6 +19,6 @@ roleRef:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

5
packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
View File

@@ -1,8 +1,8 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@@ -13,4 +13,5 @@ metadata:
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
{{- end }}

2
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-configmap.yaml
View File

@@ -24,5 +24,5 @@ data:
ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }}
{{- range $key, $value := .Values.controller.config }}
{{- $key | nindent 2 }}: {{ $value | quote }}
{{- $key | nindent 2 }}: {{ tpl (toString $value) $ | quote }}
{{- end }}

8
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml
View File

@@ -77,7 +77,7 @@ spec:
containers:
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
@@ -186,13 +186,13 @@ spec:
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@@ -206,7 +206,7 @@ spec:
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}

10
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml
View File

@@ -19,7 +19,7 @@ spec:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
{{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }}
{{- if eq .Values.controller.autoscaling.enabled .Values.controller.keda.enabled }}
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
@@ -80,7 +80,7 @@ spec:
containers:
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
@@ -189,13 +189,13 @@ spec:
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@@ -209,7 +209,7 @@ spec:
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}

23
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if .Values.controller.ingressClassResource.enabled -}}
{{- range .Values.controller.ingressClassResource.aliases }}
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
{{- include "ingress-nginx.labels" $ | nindent 4 }}
app.kubernetes.io/component: controller
{{- with $.Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ . }}
{{- if $.Values.controller.ingressClassResource.annotations }}
annotations: {{ toYaml $.Values.controller.ingressClassResource.annotations | nindent 4 }}
{{- end }}
spec:
controller: {{ $.Values.controller.ingressClassResource.controllerValue }}
{{- with $.Values.controller.ingressClassResource.parameters }}
parameters: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

15
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass.yaml
View File

@@ -1,6 +1,4 @@
{{- if .Values.controller.ingressClassResource.enabled -}}
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
@@ -11,11 +9,18 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ .Values.controller.ingressClassResource.name }}
{{- if .Values.controller.ingressClassResource.default }}
{{- if or .Values.controller.ingressClassResource.default .Values.controller.ingressClassResource.annotations }}
annotations:
{{- if .Values.controller.ingressClassResource.default }}
ingressclass.kubernetes.io/is-default-class: "true"
{{- end }}
{{- end }}
{{- if .Values.controller.ingressClassResource.annotations }}
{{- toYaml .Values.controller.ingressClassResource.annotations | nindent 4 }}
{{- end }}
{{- end }}
spec:
controller: {{ .Values.controller.ingressClassResource.controllerValue }}
{{ template "ingressClass.parameters" . }}
{{- with .Values.controller.ingressClassResource.parameters }}
parameters: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}

2
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-keda.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}}
{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) -}}
apiVersion: {{ .Values.controller.keda.apiVersion }}
kind: ScaledObject
metadata:

12
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
View File

@@ -1,4 +1,13 @@
{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (and (not .Values.controller.autoscaling.enabled) (gt (.Values.controller.replicaCount | int) 1)) }}
# PDB is not supported for DaemonSets.
# https://github.com/kubernetes/kubernetes/issues/108124
{{- if eq .Values.controller.kind "Deployment" }}
{{- $replicas := .Values.controller.replicaCount }}
{{- if and .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) }}
{{- $replicas = .Values.controller.autoscaling.minReplicas }}
{{- else if and .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) }}
{{- $replicas = .Values.controller.keda.minReplicas }}
{{- end }}
{{- if gt ($replicas | int) 1 }}
apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
kind: PodDisruptionBudget
metadata:
@@ -24,3 +33,4 @@ spec:
maxUnavailable: {{ .Values.controller.maxUnavailable }}
{{- end }}
{{- end }}
{{- end }}

2
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml
View File

@@ -1,4 +1,4 @@
{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}}
{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:

3
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-role.yaml
View File

@@ -44,12 +44,15 @@ rules:
- get
- list
- watch
# Omit Ingress status permissions if `--update-status` is disabled.
{{- if ne (index .Values.controller.extraArgs "update-status") "false" }}
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
{{- end }}
- apiGroups:
- networking.k8s.io
resources:

55
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-internal.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}}
apiVersion: v1
kind: Service
metadata:
@@ -15,9 +15,12 @@ metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}-internal
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: "{{ .Values.controller.service.type }}"
{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }}
type: {{ .Values.controller.service.internal.type | default .Values.controller.service.type }}
{{- if .Values.controller.service.internal.clusterIP }}
clusterIP: {{ .Values.controller.service.internal.clusterIP }}
{{- end }}
{{- if .Values.controller.service.internal.externalIPs }}
externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }}
{{- end }}
{{- if .Values.controller.service.internal.loadBalancerIP }}
loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }}
@@ -25,8 +28,28 @@ spec:
{{- if .Values.controller.service.internal.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- if .Values.controller.service.internal.loadBalancerClass }}
loadBalancerClass: {{ .Values.controller.service.internal.loadBalancerClass }}
{{- end }}
{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.controller.service.internal.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }}
{{- end }}
{{- if .Values.controller.service.internal.sessionAffinity }}
sessionAffinity: {{ .Values.controller.service.internal.sessionAffinity }}
{{- end }}
{{- if .Values.controller.service.internal.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }}
{{- end }}
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.internal.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}
{{- end }}
{{- if .Values.controller.service.internal.ipFamilies }}
ipFamilies: {{ toYaml .Values.controller.service.internal.ipFamilies | nindent 4 }}
{{- end }}
{{- end }}
ports:
{{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
@@ -35,11 +58,11 @@ spec:
port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }}
protocol: TCP
targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }}
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
{{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }}
appProtocol: http
{{- end }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
nodePort: {{ .Values.controller.service.nodePorts.http }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.http))) }}
nodePort: {{ .Values.controller.service.internal.nodePorts.http }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enableHttps }}
@@ -47,11 +70,11 @@ spec:
port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }}
protocol: TCP
targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }}
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
{{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }}
appProtocol: https
{{- end }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.https))) }}
nodePort: {{ .Values.controller.service.internal.nodePorts.https }}
{{- end }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
@@ -59,9 +82,9 @@ spec:
port: {{ $key }}
protocol: TCP
targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
{{- if $.Values.controller.service.nodePorts.tcp }}
{{- if index $.Values.controller.service.nodePorts.tcp $key }}
nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
{{- if $.Values.controller.service.internal.nodePorts.tcp }}
{{- if index $.Values.controller.service.internal.nodePorts.tcp $key }}
nodePort: {{ index $.Values.controller.service.internal.nodePorts.tcp $key }}
{{- end }}
{{- end }}
{{- end }}
@@ -70,9 +93,9 @@ spec:
port: {{ $key }}
protocol: UDP
targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
{{- if $.Values.controller.service.nodePorts.udp }}
{{- if index $.Values.controller.service.nodePorts.udp $key }}
nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
{{- if $.Values.controller.service.internal.nodePorts.udp }}
{{- if index $.Values.controller.service.internal.nodePorts.udp $key }}
nodePort: {{ index $.Values.controller.service.internal.nodePorts.udp $key }}
{{- end }}
{{- end }}
{{- end }}

2
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml
View File

@@ -31,7 +31,7 @@ spec:
- name: https-webhook
port: 443
targetPort: webhook
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
selector:

12
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service.yaml
View File

@@ -16,9 +16,6 @@ metadata:
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.service.type }}
{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.controller.service.clusterIP }}
clusterIP: {{ .Values.controller.service.clusterIP }}
{{- end }}
@@ -34,6 +31,9 @@ spec:
{{- if .Values.controller.service.loadBalancerClass }}
loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }}
{{- end }}
{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.controller.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
{{- end }}
@@ -47,8 +47,6 @@ spec:
{{- if .Values.controller.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.ipFamilies }}
ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }}
{{- end }}
@@ -60,7 +58,7 @@ spec:
port: {{ .Values.controller.service.ports.http }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.http }}
{{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
{{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
appProtocol: http
{{- end }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
@@ -72,7 +70,7 @@ spec:
port: {{ .Values.controller.service.ports.https }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.https }}
{{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
{{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
appProtocol: https
{{- end }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}

3
packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml
View File

@@ -14,6 +14,9 @@ metadata:
{{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.controller.metrics.serviceMonitor.annotations }}
annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ .Values.controller.metrics.portName }}

9
packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml
View File

@@ -30,7 +30,7 @@ spec:
annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 8 }}
@@ -51,7 +51,7 @@ spec:
containers:
- name: {{ template "ingress-nginx.name" . }}-default-backend
{{- with .Values.defaultBackend.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
{{- if .Values.defaultBackend.extraArgs }}
@@ -107,7 +107,10 @@ spec:
tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.defaultBackend.affinity }}
affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
affinity: {{ tpl (toYaml .Values.defaultBackend.affinity) $ | nindent 8 }}
{{- end }}
{{- if .Values.defaultBackend.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml .Values.defaultBackend.topologySpreadConstraints) $ | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 60
{{- if .Values.defaultBackend.extraVolumes }}

10
packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml
View File

@@ -1,23 +1,23 @@
{{- if .Values.defaultBackend.enabled }}
{{- range .Values.defaultBackend.extraConfigMaps }}
{{- range .Values.defaultBackend.extraConfigMaps }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .name }}
namespace: {{ include "ingress-nginx.namespace" $ | quote }}
labels:
{{- include "ingress-nginx.labels" $ | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with $.Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ .name }}
namespace: {{ include "ingress-nginx.namespace" $ }}
data:
{{- with .data }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-hpa.yaml
View File

@@ -21,14 +21,6 @@ spec:
minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
metrics:
{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
@@ -37,4 +29,12 @@ spec:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- end }}

2
packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-service.yaml
View File

@@ -32,7 +32,7 @@ spec:
port: {{ .Values.defaultBackend.service.servicePort }}
protocol: TCP
targetPort: http
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: http
{{- end }}
selector:

11
packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml Normal file
View File

@@ -0,0 +1,11 @@
suite: Admission Webhooks > Patch Job > ClusterRole
templates:
- admission-webhooks/job-patch/clusterrole.yaml
tests:
- it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false
set:
controller.admissionWebhooks.patch.rbac.create: false
asserts:
- hasDocuments:
count: 0

11
packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml Normal file
View File

@@ -0,0 +1,11 @@
suite: Admission Webhooks > Patch Job > ClusterRoleBinding
templates:
- admission-webhooks/job-patch/clusterrolebinding.yaml
tests:
- it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
set:
controller.admissionWebhooks.patch.rbac.create: false
asserts:
- hasDocuments:
count: 0

11
packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml Normal file
View File

@@ -0,0 +1,11 @@
suite: Admission Webhooks > Patch Job > Role
templates:
- admission-webhooks/job-patch/role.yaml
tests:
- it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false
set:
controller.admissionWebhooks.patch.rbac.create: false
asserts:
- hasDocuments:
count: 0

11
packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml Normal file
View File

@@ -0,0 +1,11 @@
suite: Admission Webhooks > Patch Job > RoleBinding
templates:
- admission-webhooks/job-patch/rolebinding.yaml
tests:
- it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
set:
controller.admissionWebhooks.patch.rbac.create: false
asserts:
- hasDocuments:
count: 0

47
packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml Normal file
View File

@@ -0,0 +1,47 @@
suite: Admission Webhooks > Patch Job > ServiceAccount
templates:
- admission-webhooks/job-patch/serviceaccount.yaml
tests:
- it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false
set:
controller.admissionWebhooks.patch.serviceAccount.create: false
asserts:
- hasDocuments:
count: 0
- it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true
set:
controller.admissionWebhooks.patch.serviceAccount.create: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: ServiceAccount
- equal:
path: metadata.name
value: ingress-nginx-admission
- it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
set:
controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
asserts:
- hasDocuments:
count: 1
- isKind:
of: ServiceAccount
- equal:
path: metadata.name
value: ingress-nginx-admission-test-sa
- it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
set:
controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
asserts:
- hasDocuments:
count: 1
- isKind:
of: ServiceAccount
- equal:
path: automountServiceAccountToken
value: false

27
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml Normal file
View File

@@ -0,0 +1,27 @@
suite: Controller > ConfigMap > Add Headers
templates:
- controller-configmap-addheaders.yaml
tests:
- it: should not create a ConfigMap if `controller.addHeaders` is not set
set:
controller.addHeaders: null
asserts:
- hasDocuments:
count: 0
- it: should create a ConfigMap if `controller.addHeaders` is set
set:
controller.addHeaders:
X-Another-Custom-Header: Value
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-custom-add-headers
- equal:
path: data.X-Another-Custom-Header
value: Value

27
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml Normal file
View File

@@ -0,0 +1,27 @@
suite: Controller > ConfigMap > Proxy Headers
templates:
- controller-configmap-proxyheaders.yaml
tests:
- it: should not create a ConfigMap if `controller.proxySetHeaders` is not set
set:
controller.proxySetHeaders: null
asserts:
- hasDocuments:
count: 0
- it: should create a ConfigMap if `controller.proxySetHeaders` is set
set:
controller.proxySetHeaders:
X-Custom-Header: Value
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-custom-proxy-headers
- equal:
path: data.X-Custom-Header
value: Value

31
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml Normal file
View File

@@ -0,0 +1,31 @@
suite: Controller > ConfigMap
templates:
- controller-configmap.yaml
tests:
- it: should create a ConfigMap
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
- it: should create a ConfigMap with templated values if `controller.config` contains templates
set:
controller.config:
global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local"
global-rate-limit-memcached-port: 11211
use-gzip: true
asserts:
- equal:
path: data.global-rate-limit-memcached-host
value: memcached.NAMESPACE.svc.kubernetes.local
- equal:
path: data.global-rate-limit-memcached-port
value: "11211"
- equal:
path: data.use-gzip
value: "true"

140
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml Normal file
View File

@@ -0,0 +1,140 @@
suite: Controller > DaemonSet
templates:
- controller-daemonset.yaml
tests:
- it: should create a DaemonSet if `controller.kind` is "DaemonSet"
set:
controller.kind: DaemonSet
asserts:
- hasDocuments:
count: 1
- isKind:
of: DaemonSet
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
- it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
set:
controller.kind: DaemonSet
controller.metrics.enabled: false
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
set:
controller.kind: DaemonSet
controller.metrics.enabled: true
asserts:
- notContains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a DaemonSet with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
set:
controller.kind: DaemonSet
controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --controller-class=k8s.io/ingress-nginx-internal
- it: should create a DaemonSet with resource limits if `controller.resources.limits` is set
set:
controller.kind: DaemonSet
controller.resources.limits.cpu: 500m
controller.resources.limits.memory: 512Mi
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 500m
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 512Mi
- it: should create a DaemonSet with topology spread constraints if `controller.topologySpreadConstraints` is set
set:
controller.kind: DaemonSet
controller.topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: controller
topologyKey: topology.kubernetes.io/zone
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: controller
topologyKey: kubernetes.io/hostname
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/component: controller
topologyKey: topology.kubernetes.io/zone
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/component: controller
topologyKey: kubernetes.io/hostname
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
- it: should create a DaemonSet with affinity if `controller.affinity` is set
set:
controller.kind: DaemonSet
controller.affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "ingress-nginx.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app.kubernetes.io/component
operator: In
values:
- controller
topologyKey: kubernetes.io/hostname
asserts:
- equal:
path: spec.template.spec.affinity
value:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- ingress-nginx
- key: app.kubernetes.io/instance
operator: In
values:
- RELEASE-NAME
- key: app.kubernetes.io/component
operator: In
values:
- controller
topologyKey: kubernetes.io/hostname

162
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml Normal file
View File

@@ -0,0 +1,162 @@
suite: Controller > Deployment
templates:
- controller-deployment.yaml
tests:
- it: should create a Deployment
asserts:
- hasDocuments:
count: 1
- isKind:
of: Deployment
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
- it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3
set:
controller.replicaCount: 3
asserts:
- equal:
path: spec.replicas
value: 3
- it: should create a Deployment without replicas if `controller.autoscaling.enabled` is true
set:
controller.autoscaling.enabled: true
asserts:
- notExists:
path: spec.replicas
- it: should create a Deployment without replicas if `controller.keda.enabled` is true
set:
controller.keda.enabled: true
asserts:
- notExists:
path: spec.replicas
- it: should create a Deployment with replicas if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
set:
controller.autoscaling.enabled: true
controller.keda.enabled: true
asserts:
- exists:
path: spec.replicas
- it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
set:
controller.metrics.enabled: false
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
set:
controller.metrics.enabled: true
asserts:
- notContains:
path: spec.template.spec.containers[0].args
content: --enable-metrics=false
- it: should create a Deployment with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
set:
controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: --controller-class=k8s.io/ingress-nginx-internal
- it: should create a Deployment with resource limits if `controller.resources.limits` is set
set:
controller.resources.limits.cpu: 500m
controller.resources.limits.memory: 512Mi
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 500m
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 512Mi
- it: should create a Deployment with topology spread constraints if `controller.topologySpreadConstraints` is set
set:
controller.topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: controller
topologyKey: topology.kubernetes.io/zone
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: controller
topologyKey: kubernetes.io/hostname
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/component: controller
topologyKey: topology.kubernetes.io/zone
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/component: controller
topologyKey: kubernetes.io/hostname
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
- it: should create a Deployment with affinity if `controller.affinity` is set
set:
controller.affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "ingress-nginx.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app.kubernetes.io/component
operator: In
values:
- controller
topologyKey: kubernetes.io/hostname
asserts:
- equal:
path: spec.template.spec.affinity
value:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- ingress-nginx
- key: app.kubernetes.io/instance
operator: In
values:
- RELEASE-NAME
- key: app.kubernetes.io/component
operator: In
values:
- controller
topologyKey: kubernetes.io/hostname

31
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-hpa_test.yaml Normal file
View File

@@ -0,0 +1,31 @@
suite: Controller > HPA
templates:
- controller-hpa.yaml
tests:
- it: should create an HPA if `controller.autoscaling.enabled` is true
set:
controller.autoscaling.enabled: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: HorizontalPodAutoscaler
- equal:
path: metadata.name
value: RELEASE-NAME-ingress-nginx-controller
- it: should not create an HPA if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
set:
controller.autoscaling.enabled: true
controller.keda.enabled: true
asserts:
- hasDocuments:
count: 0
- it: should not create an HPA if `controller.kind` is "DaemonSet"
set:
controller.kind: DaemonSet
asserts:
- hasDocuments:
count: 0

Some files were not shown because too many files have changed in this diff Show More