Andrei Kvapil
2023-12-11 16:33:57 +01:00
parent 0d75d63762
commit a37345b972
341 changed files with 50217 additions and 3 deletions


@@ -22,6 +22,6 @@ cilium:
hostRoot: /sys/fs/cgroup
ipam:
mode: "kubernetes"
k8sServiceHost: 192.168.0.110
k8sServiceHost: 192.168.100.10
k8sServicePort: 6443
ipv4NativeRoutingCIDR: 10.244.0.0/16


@@ -0,0 +1,3 @@
images
hack
.gitkeep

2
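--- a/system/fluxcd/Chart.yaml
+++ b/system/fluxcd/Chart.yaml
@@ -0,0 +1,2 @@
+name: app
+version: 0.0.0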

5
system/fluxcd/Makefile Normal file

@@ -0,0 +1,5 @@
include ../../hack/app-helm.mk
update:
rm -rf charts
helm pull oci://ghcr.io/fluxcd-community/charts/flux2 --untar --untardir charts
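Review bot: The `update` target pulls `oci://ghcr.io/fluxcd-community/charts/flux2` with no `--version`, so each run vendors whatever chart is newest at that moment and the result cannot be reproduced or checked against a known release. Pin it to the release being vendored, e.g. `helm pull oci://ghcr.io/fluxcd-community/charts/flux2 --version 2.11.1 --untar --untardir charts` (2.11.1 is the version in the vendored Chart.yaml in this commit), and bump it deliberately. `rm -rf charts` also runs before the pull, so a failed pull leaves the directory empty; pulling into a temporary directory and swapping it in afterwards would avoid that.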


@@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
tests/


@@ -0,0 +1,11 @@
annotations:
artifacthub.io/changes: |
- "feat: adding CRD and RBAC annotation option"
apiVersion: v2
appVersion: 2.1.2
description: A Helm chart for flux2
name: flux2
sources:
- https://github.com/fluxcd-community/helm-charts
type: application
version: 2.11.1


@@ -0,0 +1,174 @@
# flux2
![Version: 2.11.0](https://img.shields.io/badge/Version-2.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.1.2](https://img.shields.io/badge/AppVersion-2.1.2-informational?style=flat-square)
A Helm chart for flux2
This helm chart is maintained and released by the fluxcd-community on a best effort basis.
## Source Code
* <https://github.com/fluxcd-community/helm-charts>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cli.affinity | object | `{}` | |
| cli.annotations | object | `{}` | |
| cli.image | string | `"ghcr.io/fluxcd/flux-cli"` | |
| cli.nodeSelector | object | `{}` | |
| cli.serviceAccount.automount | bool | `true` | |
| cli.tag | string | `"v2.1.2"` | |
| cli.tolerations | list | `[]` | |
| clusterDomain | string | `"cluster.local"` | |
| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep |
| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
| helmController.affinity | object | `{}` | |
| helmController.annotations."prometheus.io/port" | string | `"8080"` | |
| helmController.annotations."prometheus.io/scrape" | string | `"true"` | |
| helmController.container.additionalArgs | list | `[]` | |
| helmController.create | bool | `true` | |
| helmController.extraEnv | list | `[]` | |
| helmController.image | string | `"ghcr.io/fluxcd/helm-controller"` | |
| helmController.imagePullPolicy | string | `""` | |
| helmController.labels | object | `{}` | |
| helmController.nodeSelector | object | `{}` | |
| helmController.priorityClassName | string | `""` | |
| helmController.resources.limits | object | `{}` | |
| helmController.resources.requests.cpu | string | `"100m"` | |
| helmController.resources.requests.memory | string | `"64Mi"` | |
| helmController.serviceAccount.annotations | object | `{}` | |
| helmController.serviceAccount.automount | bool | `true` | |
| helmController.serviceAccount.create | bool | `true` | |
| helmController.tag | string | `"v0.36.2"` | |
| helmController.tolerations | list | `[]` | |
| imageAutomationController.affinity | object | `{}` | |
| imageAutomationController.annotations."prometheus.io/port" | string | `"8080"` | |
| imageAutomationController.annotations."prometheus.io/scrape" | string | `"true"` | |
| imageAutomationController.container.additionalArgs | list | `[]` | |
| imageAutomationController.create | bool | `true` | |
| imageAutomationController.extraEnv | list | `[]` | |
| imageAutomationController.image | string | `"ghcr.io/fluxcd/image-automation-controller"` | |
| imageAutomationController.imagePullPolicy | string | `""` | |
| imageAutomationController.labels | object | `{}` | |
| imageAutomationController.nodeSelector | object | `{}` | |
| imageAutomationController.priorityClassName | string | `""` | |
| imageAutomationController.resources.limits | object | `{}` | |
| imageAutomationController.resources.requests.cpu | string | `"100m"` | |
| imageAutomationController.resources.requests.memory | string | `"64Mi"` | |
| imageAutomationController.serviceAccount.annotations | object | `{}` | |
| imageAutomationController.serviceAccount.automount | bool | `true` | |
| imageAutomationController.serviceAccount.create | bool | `true` | |
| imageAutomationController.tag | string | `"v0.36.1"` | |
| imageAutomationController.tolerations | list | `[]` | |
| imagePullSecrets | list | `[]` | contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers |
| imageReflectionController.affinity | object | `{}` | |
| imageReflectionController.annotations."prometheus.io/port" | string | `"8080"` | |
| imageReflectionController.annotations."prometheus.io/scrape" | string | `"true"` | |
| imageReflectionController.container.additionalArgs | list | `[]` | |
| imageReflectionController.create | bool | `true` | |
| imageReflectionController.extraEnv | list | `[]` | |
| imageReflectionController.image | string | `"ghcr.io/fluxcd/image-reflector-controller"` | |
| imageReflectionController.imagePullPolicy | string | `""` | |
| imageReflectionController.labels | object | `{}` | |
| imageReflectionController.nodeSelector | object | `{}` | |
| imageReflectionController.priorityClassName | string | `""` | |
| imageReflectionController.resources.limits | object | `{}` | |
| imageReflectionController.resources.requests.cpu | string | `"100m"` | |
| imageReflectionController.resources.requests.memory | string | `"64Mi"` | |
| imageReflectionController.serviceAccount.annotations | object | `{}` | |
| imageReflectionController.serviceAccount.automount | bool | `true` | |
| imageReflectionController.serviceAccount.create | bool | `true` | |
| imageReflectionController.tag | string | `"v0.30.0"` | |
| imageReflectionController.tolerations | list | `[]` | |
| installCRDs | bool | `true` | |
| kustomizeController.affinity | object | `{}` | |
| kustomizeController.annotations."prometheus.io/port" | string | `"8080"` | |
| kustomizeController.annotations."prometheus.io/scrape" | string | `"true"` | |
| kustomizeController.container.additionalArgs | list | `[]` | |
| kustomizeController.create | bool | `true` | |
| kustomizeController.envFrom | object | `{"map":{"name":""},"secret":{"name":""}}` | Defines envFrom using a configmap and/or secret. |
| kustomizeController.extraEnv | list | `[]` | |
| kustomizeController.extraSecretMounts | list | `[]` | Defines additional mounts with secrets. Secrets must be manually created in the namespace or with kustomizeController.secret |
| kustomizeController.image | string | `"ghcr.io/fluxcd/kustomize-controller"` | |
| kustomizeController.imagePullPolicy | string | `""` | |
| kustomizeController.labels | object | `{}` | |
| kustomizeController.nodeSelector | object | `{}` | |
| kustomizeController.priorityClassName | string | `""` | |
| kustomizeController.resources.limits | object | `{}` | |
| kustomizeController.resources.requests.cpu | string | `"100m"` | |
| kustomizeController.resources.requests.memory | string | `"64Mi"` | |
| kustomizeController.secret.create | bool | `false` | Create a secret to use it with extraSecretMounts. Defaults to false. |
| kustomizeController.secret.data | object | `{}` | |
| kustomizeController.secret.name | string | `""` | |
| kustomizeController.serviceAccount.annotations | object | `{}` | |
| kustomizeController.serviceAccount.automount | bool | `true` | |
| kustomizeController.serviceAccount.create | bool | `true` | |
| kustomizeController.tag | string | `"v1.1.1"` | |
| kustomizeController.tolerations | list | `[]` | |
| logLevel | string | `"info"` | |
| multitenancy.defaultServiceAccount | string | `"default"` | All Kustomizations and HelmReleases which dont have spec.serviceAccountName specified, will use the default account from the tenants namespace. Tenants have to specify a service account in their Flux resources to be able to deploy workloads in their namespaces as the default account has no permissions. |
| multitenancy.enabled | bool | `false` | Implement the patches for Multi-tenancy lockdown. See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown |
| multitenancy.privileged | bool | `true` | Both kustomize-controller and helm-controller service accounts run privileged with cluster-admin ClusterRoleBinding. Disable if you want to run them with a minimum set of permissions. |
| notificationController.affinity | object | `{}` | |
| notificationController.annotations."prometheus.io/port" | string | `"8080"` | |
| notificationController.annotations."prometheus.io/scrape" | string | `"true"` | |
| notificationController.container.additionalArgs | list | `[]` | |
| notificationController.create | bool | `true` | |
| notificationController.extraEnv | list | `[]` | |
| notificationController.image | string | `"ghcr.io/fluxcd/notification-controller"` | |
| notificationController.imagePullPolicy | string | `""` | |
| notificationController.labels | object | `{}` | |
| notificationController.nodeSelector | object | `{}` | |
| notificationController.priorityClassName | string | `""` | |
| notificationController.resources.limits | object | `{}` | |
| notificationController.resources.requests.cpu | string | `"100m"` | |
| notificationController.resources.requests.memory | string | `"64Mi"` | |
| notificationController.service.annotations | object | `{}` | |
| notificationController.service.labels | object | `{}` | |
| notificationController.serviceAccount.annotations | object | `{}` | |
| notificationController.serviceAccount.automount | bool | `true` | |
| notificationController.serviceAccount.create | bool | `true` | |
| notificationController.tag | string | `"v1.1.0"` | |
| notificationController.tolerations | list | `[]` | |
| notificationController.webhookReceiver.ingress.annotations | object | `{}` | |
| notificationController.webhookReceiver.ingress.create | bool | `false` | |
| notificationController.webhookReceiver.ingress.hosts[0].host | string | `"flux-webhook.example.com"` | |
| notificationController.webhookReceiver.ingress.hosts[0].paths[0].path | string | `"/"` | |
| notificationController.webhookReceiver.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| notificationController.webhookReceiver.ingress.labels | object | `{}` | |
| notificationController.webhookReceiver.ingress.tls | list | `[]` | |
| notificationController.webhookReceiver.service.annotations | object | `{}` | |
| notificationController.webhookReceiver.service.labels | object | `{}` | |
| policies.create | bool | `true` | |
| prometheus.podMonitor.create | bool | `false` | Enables podMonitor endpoint |
| prometheus.podMonitor.podMetricsEndpoints[0].port | string | `"http-prom"` | |
| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` | |
| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` | |
| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` | |
| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep |
| rbac.create | bool | `true` | |
| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources |
| sourceController.affinity | object | `{}` | |
| sourceController.annotations."prometheus.io/port" | string | `"8080"` | |
| sourceController.annotations."prometheus.io/scrape" | string | `"true"` | |
| sourceController.container.additionalArgs | list | `[]` | |
| sourceController.create | bool | `true` | |
| sourceController.extraEnv | list | `[]` | |
| sourceController.image | string | `"ghcr.io/fluxcd/source-controller"` | |
| sourceController.imagePullPolicy | string | `""` | |
| sourceController.labels | object | `{}` | |
| sourceController.nodeSelector | object | `{}` | |
| sourceController.priorityClassName | string | `""` | |
| sourceController.resources.limits | object | `{}` | |
| sourceController.resources.requests.cpu | string | `"100m"` | |
| sourceController.resources.requests.memory | string | `"64Mi"` | |
| sourceController.service.annotations | object | `{}` | |
| sourceController.service.labels | object | `{}` | |
| sourceController.serviceAccount.annotations | object | `{}` | |
| sourceController.serviceAccount.automount | bool | `true` | |
| sourceController.serviceAccount.create | bool | `true` | |
| sourceController.tag | string | `"v1.1.2"` | |
| sourceController.tolerations | list | `[]` | |
| watchAllNamespaces | bool | `true` | |


@@ -0,0 +1,7 @@
{{- define "template.image" -}}
{{- if eq (substr 0 7 .tag) "sha256:" -}}
{{- printf "%s@%s" .image .tag -}}
{{- else -}}
{{- printf "%s:%s" .image .tag -}}
{{- end -}}
{{- end -}}
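Review bot: The `template.image` helper has no comment explaining that a `.tag` beginning with `sha256:` is treated as a digest and joined with `@` instead of `:`, which is the one thing a values author needs to know to pin images by digest. Add a header such as `{{/* template.image: renders image@digest when .tag starts with "sha256:", otherwise image:tag */}}`. As a style point, `{{- if hasPrefix "sha256:" .tag -}}` states the intent more directly than `eq (substr 0 7 .tag) "sha256:"`. The file looks like part of the vendored upstream chart, so this may be better raised upstream than patched locally.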


@@ -0,0 +1,47 @@
{{- if .Values.rbac.createAggregation }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: flux-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources: ["*"]
verbs:
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-view
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources: ["*"]
verbs:
- get
- list
- watch
{{- end }}
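Review bot: The `flux-view` ClusterRole has no `annotations` block, while `flux-edit` above it renders `.Values.rbac.annotations`. The README in this commit describes that value as applying to all RBAC resources, so an annotation such as `"helm.sh/resource-policy": keep` would land on one role and not the other. Add the same `{{- with .Values.rbac.annotations }}` / `annotations: {{ toYaml . | nindent 4 }}` / `{{- end }}` lines under the second `metadata:`. Separately, `flux-edit` is aggregated into the built-in `edit` and `admin` roles, so anyone holding those roles in a namespace gains write access to Flux resources. That deserves a comment at the top of the file, since what the controllers do with those objects depends on the multitenancy settings.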


@@ -0,0 +1,26 @@
{{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: cluster-reconciler
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: helm-controller
namespace: {{ .Release.Namespace }}
{{- end }}
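Review bot: With the defaults listed in the README (`rbac.create: true`, `multitenancy.enabled: false`, `multitenancy.privileged: true`) this condition is true, so `kustomize-controller` and `helm-controller` are bound to `cluster-admin`. Together with the aggregated `flux-edit` role, objects created by a namespace-scoped editor would be reconciled with cluster-admin rights unless `spec.serviceAccountName` is enforced, as the README's multitenancy entries describe. If the platform needs cluster-wide reconciliation, record that decision as a comment in the wrapper chart's values; otherwise set `multitenancy.enabled: true` and `multitenancy.privileged: false` there so that only the impersonator role is bound. The file looks like part of the vendored upstream chart, so the override belongs in the values rather than in this template.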


@@ -0,0 +1,19 @@
{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: cluster-reconciler-impersonator
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["impersonate"]
{{- end }}


@@ -0,0 +1,26 @@
{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: cluster-reconciler-impersonator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reconciler-impersonator
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: helm-controller
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,82 @@
{{- if and .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: crd-controller
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
rules:
- apiGroups: ['source.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['kustomize.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['helm.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['notification.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['image.toolkit.fluxcd.io']
resources: ['*']
verbs: ['*']
- apiGroups:
- ""
resources:
- namespaces
- secrets
- configmaps
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
# required by leader election
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end }}
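Review bot: The first core-group rule grants `get`, `list` and `watch` on `secrets` and `serviceaccounts` cluster-wide, and the `crd-controller` binding later in this commit attaches the role to all six controller service accounts, so each controller can read every Secret in the cluster. The page does not show whether every controller needs that; if some do not, a role per controller would narrow it, and at minimum a comment above the rule should state which controllers read Secrets and why. As a minor point, `{{- if and .Values.rbac.create }}` passes a single argument to `and`; `{{- if .Values.rbac.create }}` says the same thing, and the binding template has the same form. `configmaps` also appears in both the read rule and the leader-election rule, and the second already covers the first.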


@@ -0,0 +1,38 @@
{{- if and .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
{{- with .Values.rbac.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
name: crd-controller
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crd-controller
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: helm-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: source-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: notification-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: image-reflector-controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: image-automation-controller
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,4 @@
{{ range .Values.extraObjects }}
---
{{ tpl (toYaml .) $ }}
{{ end }}
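Review bot: Each `extraObjects` entry is passed through `tpl`, so strings in the values are evaluated as templates against the full root context (`$`), which the README entry ("Array of extra K8s manifests to deploy") does not mention. Values for this key should therefore come only from sources as trusted as the chart itself. A comment at the top of the file, such as `{{/* extraObjects entries are rendered with tpl against the root context; accept them from trusted values only */}}`, would make that explicit. The `range` and `end` actions also lack `-` trimming, so the rendered output carries blank lines around each `---`; that is harmless but easy to tidy.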


@@ -0,0 +1,18 @@
{{- if and .Values.helmController.create}}
{{- if .Values.helmController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: helm-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: helm-controller
{{- with .Values.helmController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -0,0 +1,935 @@
{{- if and .Values.installCRDs .Values.helmController.create }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
{{- with .Values.crds.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: helm-controller
app.kubernetes.io/instance: '{{ .Release.Namespace }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/part-of: flux
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: helmreleases.helm.toolkit.fluxcd.io
spec:
group: helm.toolkit.fluxcd.io
names:
kind: HelmRelease
listKind: HelmReleaseList
plural: helmreleases
shortNames:
- hr
singular: helmrelease
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
name: v2beta1
schema:
openAPIV3Schema:
description: HelmRelease is the Schema for the helmreleases API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: HelmReleaseSpec defines the desired state of a Helm release.
properties:
chart:
description: Chart defines the template of the v1beta2.HelmChart that
should be created for this HelmRelease.
properties:
metadata:
description: ObjectMeta holds the template for metadata like labels
and annotations.
properties:
annotations:
additionalProperties:
type: string
description: 'Annotations is an unstructured key value map
stored with a resource that may be set by external tools
to store and retrieve arbitrary metadata. They are not queryable
and should be preserved when modifying objects. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/'
type: object
labels:
additionalProperties:
type: string
description: 'Map of string keys and values that can be used
to organize and categorize (scope and select) objects. More
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/'
type: object
type: object
spec:
description: Spec holds the template for the v1beta2.HelmChartSpec
for this HelmRelease.
properties:
chart:
description: The name or path the Helm chart is available
at in the SourceRef.
type: string
interval:
description: Interval at which to check the v1beta2.Source
for updates. Defaults to 'HelmReleaseSpec.Interval'.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
reconcileStrategy:
default: ChartVersion
description: Determines what enables the creation of a new
artifact. Valid values are ('ChartVersion', 'Revision').
See the documentation of the values for an explanation on
their behavior. Defaults to ChartVersion when omitted.
enum:
- ChartVersion
- Revision
type: string
sourceRef:
description: The name and namespace of the v1beta2.Source
the chart is available at.
properties:
apiVersion:
description: APIVersion of the referent.
type: string
kind:
description: Kind of the referent.
enum:
- HelmRepository
- GitRepository
- Bucket
type: string
name:
description: Name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace of the referent.
maxLength: 63
minLength: 1
type: string
required:
- name
type: object
valuesFile:
description: Alternative values file to use as the default
chart values, expected to be a relative path in the SourceRef.
Deprecated in favor of ValuesFiles, for backwards compatibility
the file defined here is merged before the ValuesFiles items.
Ignored when omitted.
type: string
valuesFiles:
description: Alternative list of values files to use as the
chart values (values.yaml is not included by default), expected
to be a relative path in the SourceRef. Values files are
merged in the order of this list with the last file overriding
the first. Ignored when omitted.
items:
type: string
type: array
verify:
description: Verify contains the secret name containing the
trusted public keys used to verify the signature and specifies
which provider to use to check whether OCI image is authentic.
This field is only supported for OCI sources. Chart dependencies,
which are not bundled in the umbrella chart artifact, are
not verified.
properties:
provider:
default: cosign
description: Provider specifies the technology used to
sign the OCI Helm chart.
enum:
- cosign
type: string
secretRef:
description: SecretRef specifies the Kubernetes Secret
containing the trusted public keys.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
required:
- provider
type: object
version:
default: '*'
description: Version semver expression, ignored for charts
from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults
to latest when omitted.
type: string
required:
- chart
- sourceRef
type: object
required:
- spec
type: object
dependsOn:
description: DependsOn may contain a meta.NamespacedObjectReference
slice with references to HelmRelease resources that must be ready
before this HelmRelease can be reconciled.
items:
description: NamespacedObjectReference contains enough information
to locate the referenced Kubernetes resource object in any namespace.
properties:
name:
description: Name of the referent.
type: string
namespace:
description: Namespace of the referent, when not specified it
acts as LocalObjectReference.
type: string
required:
- name
type: object
type: array
install:
description: Install holds the configuration for Helm install actions
for this HelmRelease.
properties:
crds:
description: "CRDs upgrade CRDs from the Helm Chart's crds directory
according to the CRD upgrade policy provided here. Valid values
are `Skip`, `Create` or `CreateReplace`. Default is `Create`
and if omitted CRDs are installed but not updated. \n Skip:
do neither install nor replace (update) any CRDs. \n Create:
new CRDs are created, existing CRDs are neither updated nor
deleted. \n CreateReplace: new CRDs are created, existing CRDs
are updated (replaced) but not deleted. \n By default, CRDs
are applied (installed) during Helm install action. With this
option users can opt-in to CRD replace existing CRDs on Helm
install actions, which is not (yet) natively supported by Helm.
https://helm.sh/docs/chart_best_practices/custom_resource_definitions."
enum:
- Skip
- Create
- CreateReplace
type: string
createNamespace:
description: CreateNamespace tells the Helm install action to
create the HelmReleaseSpec.TargetNamespace if it does not exist
yet. On uninstall, the namespace will not be garbage collected.
type: boolean
disableHooks:
description: DisableHooks prevents hooks from running during the
Helm install action.
type: boolean
disableOpenAPIValidation:
description: DisableOpenAPIValidation prevents the Helm install
action from validating rendered templates against the Kubernetes
OpenAPI Schema.
type: boolean
disableWait:
description: DisableWait disables the waiting for resources to
be ready after a Helm install has been performed.
type: boolean
disableWaitForJobs:
description: DisableWaitForJobs disables waiting for jobs to complete
after a Helm install has been performed.
type: boolean
remediation:
description: Remediation holds the remediation configuration for
when the Helm install action for the HelmRelease fails. The
default is to not perform any action.
properties:
ignoreTestFailures:
description: IgnoreTestFailures tells the controller to skip
remediation when the Helm tests are run after an install
action but fail. Defaults to 'Test.IgnoreFailures'.
type: boolean
remediateLastFailure:
description: RemediateLastFailure tells the controller to
remediate the last failure, when no retries remain. Defaults
to 'false'.
type: boolean
retries:
description: Retries is the number of retries that should
be attempted on failures before bailing. Remediation, using
an uninstall, is performed between each attempt. Defaults
to '0', a negative integer equals to unlimited retries.
type: integer
type: object
replace:
description: Replace tells the Helm install action to re-use the
'ReleaseName', but only if that name is a deleted release which
remains in the history.
type: boolean
skipCRDs:
description: "SkipCRDs tells the Helm install action to not install
any CRDs. By default, CRDs are installed if not already present.
\n Deprecated use CRD policy (`crds`) attribute with value `Skip`
instead."
type: boolean
timeout:
description: Timeout is the time to wait for any individual Kubernetes
operation (like Jobs for hooks) during the performance of a
Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
type: object
interval:
description: Interval at which to reconcile the Helm release. This
interval is approximate and may be subject to jitter to ensure efficient
use of resources.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
kubeConfig:
description: KubeConfig for reconciling the HelmRelease on a remote
cluster. When used in combination with HelmReleaseSpec.ServiceAccountName,
forces the controller to act on behalf of that Service Account at
the target cluster. If the --default-service-account flag is set,
its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName
is empty.
properties:
secretRef:
description: SecretRef holds the name of a secret that contains
a key with the kubeconfig file as the value. If no key is set,
the key will default to 'value'. It is recommended that the
kubeconfig is self-contained, and the secret is regularly updated
if credentials such as a cloud-access-token expire. Cloud specific
`cmd-path` auth helpers will not function without adding binaries
and credentials to the Pod that is responsible for reconciling
Kubernetes resources.
properties:
key:
description: Key in the Secret, when not specified an implementation-specific
default key is used.
type: string
name:
description: Name of the Secret.
type: string
required:
- name
type: object
required:
- secretRef
type: object
maxHistory:
description: MaxHistory is the number of revisions saved by Helm for
this HelmRelease. Use '0' for an unlimited number of revisions;
defaults to '10'.
type: integer
persistentClient:
description: "PersistentClient tells the controller to use a persistent
Kubernetes client for this release. When enabled, the client will
be reused for the duration of the reconciliation, instead of being
created and destroyed for each (step of a) Helm action. \n This
can improve performance, but may cause issues with some Helm charts
that for example do create Custom Resource Definitions during installation
outside Helm's CRD lifecycle hooks, which are then not observed
to be available by e.g. post-install hooks. \n If not set, it defaults
to true."
type: boolean
postRenderers:
description: PostRenderers holds an array of Helm PostRenderers, which
will be applied in order of their definition.
items:
description: PostRenderer contains a Helm PostRenderer specification.
properties:
kustomize:
description: Kustomization to apply as PostRenderer.
properties:
images:
description: Images is a list of (image name, new name,
new tag or digest) for changing image names, tags or digests.
This can also be achieved with a patch, but this operator
is simpler to specify.
items:
description: Image contains an image name, a new name,
a new tag or digest, which will replace the original
name and tag.
properties:
digest:
description: Digest is the value used to replace the
original image tag. If digest is present NewTag
value is ignored.
type: string
name:
description: Name is a tag-less image name.
type: string
newName:
description: NewName is the value used to replace
the original name.
type: string
newTag:
description: NewTag is the value used to replace the
original tag.
type: string
required:
- name
type: object
type: array
patches:
description: Strategic merge and JSON patches, defined as
inline YAML objects, capable of targeting objects based
on kind, label and annotation selectors.
items:
description: Patch contains an inline StrategicMerge or
JSON6902 patch, and the target the patch should be applied
to.
properties:
patch:
description: Patch contains an inline StrategicMerge
patch or an inline JSON6902 patch with an array
of operation objects.
type: string
target:
description: Target points to the resources that the
patch document should be applied to.
properties:
annotationSelector:
description: AnnotationSelector is a string that
follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
It matches with the resource annotations.
type: string
group:
description: Group is the API group to select
resources from. Together with Version and Kind
it is capable of unambiguously identifying and/or
selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
kind:
description: Kind of the API Group to select resources
from. Together with Group and Version it is
capable of unambiguously identifying and/or
selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
labelSelector:
description: LabelSelector is a string that follows
the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
It matches with the resource labels.
type: string
name:
description: Name to match resources with.
type: string
namespace:
description: Namespace to select resources from.
type: string
version:
description: Version of the API Group to select
resources from. Together with Group and Kind
it is capable of unambiguously identifying and/or
selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
type: object
required:
- patch
type: object
type: array
patchesJson6902:
description: JSON 6902 patches, defined as inline YAML objects.
items:
description: JSON6902Patch contains a JSON6902 patch and
the target the patch should be applied to.
properties:
patch:
description: Patch contains the JSON6902 patch document
with an array of operation objects.
items:
description: JSON6902 is a JSON6902 operation object.
https://datatracker.ietf.org/doc/html/rfc6902#section-4
properties:
from:
description: From contains a JSON-pointer value
that references a location within the target
document where the operation is performed.
The meaning of the value depends on the value
of Op, and is NOT taken into account by all
operations.
type: string
op:
description: Op indicates the operation to perform.
Its value MUST be one of "add", "remove",
"replace", "move", "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4
enum:
- test
- remove
- add
- replace
- move
- copy
type: string
path:
description: Path contains the JSON-pointer
value that references a location within the
target document where the operation is performed.
The meaning of the value depends on the value
of Op.
type: string
value:
description: Value contains a valid JSON structure.
The meaning of the value depends on the value
of Op, and is NOT taken into account by all
operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
- path
type: object
type: array
target:
description: Target points to the resources that the
patch document should be applied to.
properties:
annotationSelector:
description: AnnotationSelector is a string that
follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
It matches with the resource annotations.
type: string
group:
description: Group is the API group to select
resources from. Together with Version and Kind
it is capable of unambiguously identifying and/or
selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
kind:
description: Kind of the API Group to select resources
from. Together with Group and Version it is
capable of unambiguously identifying and/or
selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
labelSelector:
description: LabelSelector is a string that follows
the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
It matches with the resource labels.
type: string
name:
description: Name to match resources with.
type: string
namespace:
description: Namespace to select resources from.
type: string
version:
description: Version of the API Group to select
resources from. Together with Group and Kind
it is capable of unambiguously identifying and/or
selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
type: string
type: object
required:
- patch
- target
type: object
type: array
patchesStrategicMerge:
description: Strategic merge patches, defined as inline
YAML objects.
items:
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: object
type: array
releaseName:
description: ReleaseName used for the Helm release. Defaults to a
composition of '[TargetNamespace-]Name'.
maxLength: 53
minLength: 1
type: string
rollback:
description: Rollback holds the configuration for Helm rollback actions
for this HelmRelease.
properties:
cleanupOnFail:
description: CleanupOnFail allows deletion of new resources created
during the Helm rollback action when it fails.
type: boolean
disableHooks:
description: DisableHooks prevents hooks from running during the
Helm rollback action.
type: boolean
disableWait:
description: DisableWait disables the waiting for resources to
be ready after a Helm rollback has been performed.
type: boolean
disableWaitForJobs:
description: DisableWaitForJobs disables waiting for jobs to complete
after a Helm rollback has been performed.
type: boolean
force:
description: Force forces resource updates through a replacement
strategy.
type: boolean
recreate:
description: Recreate performs pod restarts for the resource if
applicable.
type: boolean
timeout:
description: Timeout is the time to wait for any individual Kubernetes
operation (like Jobs for hooks) during the performance of a
Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
type: object
serviceAccountName:
description: The name of the Kubernetes service account to impersonate
when reconciling this HelmRelease.
type: string
storageNamespace:
description: StorageNamespace used for the Helm storage. Defaults
to the namespace of the HelmRelease.
maxLength: 63
minLength: 1
type: string
suspend:
description: Suspend tells the controller to suspend reconciliation
for this HelmRelease, it does not apply to already started reconciliations.
Defaults to false.
type: boolean
targetNamespace:
description: TargetNamespace to target when performing operations
for the HelmRelease. Defaults to the namespace of the HelmRelease.
maxLength: 63
minLength: 1
type: string
test:
description: Test holds the configuration for Helm test actions for
this HelmRelease.
properties:
enable:
description: Enable enables Helm test actions for this HelmRelease
after an Helm install or upgrade action has been performed.
type: boolean
ignoreFailures:
description: IgnoreFailures tells the controller to skip remediation
when the Helm tests are run but fail. Can be overwritten for
tests run after install or upgrade actions in 'Install.IgnoreTestFailures'
and 'Upgrade.IgnoreTestFailures'.
type: boolean
timeout:
description: Timeout is the time to wait for any individual Kubernetes
operation during the performance of a Helm test action. Defaults
to 'HelmReleaseSpec.Timeout'.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
type: object
timeout:
description: Timeout is the time to wait for any individual Kubernetes
operation (like Jobs for hooks) during the performance of a Helm
action. Defaults to '5m0s'.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
uninstall:
description: Uninstall holds the configuration for Helm uninstall
actions for this HelmRelease.
properties:
deletionPropagation:
default: background
description: DeletionPropagation specifies the deletion propagation
policy when a Helm uninstall is performed.
enum:
- background
- foreground
- orphan
type: string
disableHooks:
description: DisableHooks prevents hooks from running during the
Helm rollback action.
type: boolean
disableWait:
description: DisableWait disables waiting for all the resources
to be deleted after a Helm uninstall is performed.
type: boolean
keepHistory:
description: KeepHistory tells Helm to remove all associated resources
and mark the release as deleted, but retain the release history.
type: boolean
timeout:
description: Timeout is the time to wait for any individual Kubernetes
operation (like Jobs for hooks) during the performance of a
Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
type: object
upgrade:
description: Upgrade holds the configuration for Helm upgrade actions
for this HelmRelease.
properties:
cleanupOnFail:
description: CleanupOnFail allows deletion of new resources created
during the Helm upgrade action when it fails.
type: boolean
crds:
description: "CRDs upgrade CRDs from the Helm Chart's crds directory
according to the CRD upgrade policy provided here. Valid values
are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and
if omitted CRDs are neither installed nor upgraded. \n Skip:
do neither install nor replace (update) any CRDs. \n Create:
new CRDs are created, existing CRDs are neither updated nor
deleted. \n CreateReplace: new CRDs are created, existing CRDs
are updated (replaced) but not deleted. \n By default, CRDs
are not applied during Helm upgrade action. With this option
users can opt-in to CRD upgrade, which is not (yet) natively
supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions."
enum:
- Skip
- Create
- CreateReplace
type: string
disableHooks:
description: DisableHooks prevents hooks from running during the
Helm upgrade action.
type: boolean
disableOpenAPIValidation:
description: DisableOpenAPIValidation prevents the Helm upgrade
action from validating rendered templates against the Kubernetes
OpenAPI Schema.
type: boolean
disableWait:
description: DisableWait disables the waiting for resources to
be ready after a Helm upgrade has been performed.
type: boolean
disableWaitForJobs:
description: DisableWaitForJobs disables waiting for jobs to complete
after a Helm upgrade has been performed.
type: boolean
force:
description: Force forces resource updates through a replacement
strategy.
type: boolean
preserveValues:
description: PreserveValues will make Helm reuse the last release's
values and merge in overrides from 'Values'. Setting this flag
makes the HelmRelease non-declarative.
type: boolean
remediation:
description: Remediation holds the remediation configuration for
when the Helm upgrade action for the HelmRelease fails. The
default is to not perform any action.
properties:
ignoreTestFailures:
description: IgnoreTestFailures tells the controller to skip
remediation when the Helm tests are run after an upgrade
action but fail. Defaults to 'Test.IgnoreFailures'.
type: boolean
remediateLastFailure:
description: RemediateLastFailure tells the controller to
remediate the last failure, when no retries remain. Defaults
to 'false' unless 'Retries' is greater than 0.
type: boolean
retries:
description: Retries is the number of retries that should
be attempted on failures before bailing. Remediation, using
'Strategy', is performed between each attempt. Defaults
to '0', a negative integer equals to unlimited retries.
type: integer
strategy:
description: Strategy to use for failure remediation. Defaults
to 'rollback'.
enum:
- rollback
- uninstall
type: string
type: object
timeout:
description: Timeout is the time to wait for any individual Kubernetes
operation (like Jobs for hooks) during the performance of a
Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
type: object
values:
description: Values holds the values for this Helm release.
x-kubernetes-preserve-unknown-fields: true
valuesFrom:
description: ValuesFrom holds references to resources containing Helm
values for this HelmRelease, and information about how they should
be merged.
items:
description: ValuesReference contains a reference to a resource
containing Helm values, and optionally the key they can be found
at.
properties:
kind:
description: Kind of the values referent, valid values are ('Secret',
'ConfigMap').
enum:
- Secret
- ConfigMap
type: string
name:
description: Name of the values referent. Should reside in the
same namespace as the referring resource.
maxLength: 253
minLength: 1
type: string
optional:
description: Optional marks this ValuesReference as optional.
When set, a not found error for the values reference is ignored,
but any ValuesKey, TargetPath or transient error will still
result in a reconciliation failure.
type: boolean
targetPath:
description: TargetPath is the YAML dot notation path the value
should be merged at. When set, the ValuesKey is expected to
be a single flat value. Defaults to 'None', which results
in the values getting merged at the root.
maxLength: 250
pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$
type: string
valuesKey:
description: ValuesKey is the data key where the values.yaml
or a specific value can be found at. Defaults to 'values.yaml'.
When set, must be a valid Data Key, consisting of alphanumeric
characters, '-', '_' or '.'.
maxLength: 253
pattern: ^[\-._a-zA-Z0-9]+$
type: string
required:
- kind
- name
type: object
type: array
required:
- chart
- interval
type: object
status:
default:
observedGeneration: -1
description: HelmReleaseStatus defines the observed state of a HelmRelease.
properties:
conditions:
description: Conditions holds the conditions for the HelmRelease.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
failures:
description: Failures is the reconciliation failure count against
the latest desired state. It is reset after a successful reconciliation.
format: int64
type: integer
helmChart:
description: HelmChart is the namespaced name of the HelmChart resource
created by the controller for the HelmRelease.
type: string
installFailures:
description: InstallFailures is the install failure count against
the latest desired state. It is reset after a successful reconciliation.
format: int64
type: integer
lastAppliedRevision:
description: LastAppliedRevision is the revision of the last successfully
applied source.
type: string
lastAttemptedRevision:
description: LastAttemptedRevision is the revision of the last reconciliation
attempt.
type: string
lastAttemptedValuesChecksum:
description: LastAttemptedValuesChecksum is the SHA1 checksum of the
values of the last reconciliation attempt.
type: string
lastHandledReconcileAt:
description: LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value can
be detected.
type: string
lastReleaseRevision:
description: LastReleaseRevision is the revision of the last successful
Helm release.
type: integer
observedGeneration:
description: ObservedGeneration is the last observed generation.
format: int64
type: integer
upgradeFailures:
description: UpgradeFailures is the upgrade failure count against
the latest desired state. It is reset after a successful reconciliation.
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}


@@ -0,0 +1,133 @@
{{- if and .Values.helmController.create}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: helm-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.helmController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: helm-controller
spec:
{{- if kindIs "invalid" .Values.helmController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.helmController.replicas }}
{{- end}}
selector:
matchLabels:
app: helm-controller
template:
metadata:
{{- with .Values.helmController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: helm-controller
{{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }}
{{- if .Values.helmController.initContainers}}
initContainers:
{{- toYaml .Values.helmController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
- --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }}
{{- end}}
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.helmController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.helmController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.helmController }}
{{- if .Values.helmController.imagePullPolicy }}
imagePullPolicy: {{ .Values.helmController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.helmController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.helmController.securityContext }}
securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
{{- if .Values.helmController.volumeMounts }}
{{- toYaml .Values.helmController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.helmController.priorityClassName }}
priorityClassName: {{ .Values.helmController.priorityClassName | quote }}
{{- end }}
{{- if .Values.helmController.podSecurityContext }}
securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: helm-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 600
volumes:
- emptyDir: {}
name: temp
{{- if .Values.helmController.volumes }}
{{- toYaml .Values.helmController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.helmController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.helmController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.helmController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}
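Review bot: The manager container's `{{- if .Values.helmController.securityContext }}` branch replaces the hardened default instead of merging with it, so an override that sets a single field silently drops `allowPrivilegeEscalation: false`, the `drop: ALL` capabilities, `readOnlyRootFilesystem`, `runAsNonRoot` and the `RuntimeDefault` seccomp profile. The template should say so where the choice is made, for example with `{{- /* a non-empty helmController.securityContext replaces the defaults below; restate every hardening field when overriding */}}` above the `if`. This template looks like part of the chart pulled by the Makefile's `update` target, so in this repository the practical control is probably the values passed to it: any `helmController.securityContext` set there should carry the full set of default fields.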


@@ -0,0 +1,18 @@
{{- if and .Values.imageAutomationController.create }}
{{- if .Values.imageAutomationController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: image-automation-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: image-automation-controller
{{- with .Values.imageAutomationController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -0,0 +1,326 @@
{{- if and .Values.installCRDs .Values.imageAutomationController.create }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
{{- with .Values.crds.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: image-automation-controller
app.kubernetes.io/instance: '{{ .Release.Namespace }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/part-of: flux
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: imageupdateautomations.image.toolkit.fluxcd.io
spec:
group: image.toolkit.fluxcd.io
names:
kind: ImageUpdateAutomation
listKind: ImageUpdateAutomationList
plural: imageupdateautomations
singular: imageupdateautomation
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.lastAutomationRunTime
name: Last run
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ImageUpdateAutomation is the Schema for the imageupdateautomations
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation
properties:
git:
description: GitSpec contains all the git-specific definitions. This
is technically optional, but in practice mandatory until there are
other kinds of source allowed.
properties:
checkout:
description: Checkout gives the parameters for cloning the git
repository, ready to make changes. If not present, the `spec.ref`
field from the referenced `GitRepository` or its default will
be used.
properties:
ref:
description: Reference gives a branch, tag or commit to clone
from the Git repository.
properties:
branch:
description: Branch to check out, defaults to 'master'
if no other field is defined.
type: string
commit:
description: "Commit SHA to check out, takes precedence
over all reference fields. \n This can be combined with
Branch to shallow clone the branch, in which the commit
is expected to exist."
type: string
name:
description: "Name of the reference to check out; takes
precedence over Branch, Tag and SemVer. \n It must be
a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description
Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\",
\"refs/pull/420/head\", \"refs/merge-requests/1/head\""
type: string
semver:
description: SemVer tag expression to check out, takes
precedence over Tag.
type: string
tag:
description: Tag to check out, takes precedence over Branch.
type: string
type: object
required:
- ref
type: object
commit:
description: Commit specifies how to commit to the git repository.
properties:
author:
description: Author gives the email and optionally the name
to use as the author of commits.
properties:
email:
description: Email gives the email to provide when making
a commit.
type: string
name:
description: Name gives the name to provide when making
a commit.
type: string
required:
- email
type: object
messageTemplate:
description: MessageTemplate provides a template for the commit
message, into which will be interpolated the details of
the change made.
type: string
signingKey:
description: SigningKey provides the option to sign commits
with a GPG key
properties:
secretRef:
description: SecretRef holds the name to a secret that
contains a 'git.asc' key corresponding to the ASCII
Armored file containing the GPG signing keypair as the
value. It must be in the same namespace as the ImageUpdateAutomation.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
type: object
required:
- author
type: object
push:
description: Push specifies how and where to push commits made
by the automation. If missing, commits are pushed (back) to
`.spec.checkout.branch` or its default.
properties:
branch:
description: Branch specifies that commits should be pushed
to the branch named. The branch is created using `.spec.checkout.branch`
as the starting point, if it doesn't already exist.
type: string
options:
additionalProperties:
type: string
description: 'Options specifies the push options that are
sent to the Git server when performing a push operation.
For details, see: https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt'
type: object
refspec:
description: 'Refspec specifies the Git Refspec to use for
a push operation. If both Branch and Refspec are provided,
then the commit is pushed to the branch and also using the
specified refspec. For more details about Git Refspecs,
see: https://git-scm.com/book/en/v2/Git-Internals-The-Refspec'
type: string
type: object
required:
- commit
type: object
interval:
description: Interval gives an lower bound for how often the automation
run should be attempted.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
sourceRef:
description: SourceRef refers to the resource giving access details
to a git repository.
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
default: GitRepository
description: Kind of the referent.
enum:
- GitRepository
type: string
name:
description: Name of the referent.
type: string
namespace:
description: Namespace of the referent, defaults to the namespace
of the Kubernetes resource object that contains the reference.
type: string
required:
- kind
- name
type: object
suspend:
description: Suspend tells the controller to not run this automation,
until it is unset (or set to false). Defaults to false.
type: boolean
update:
default:
strategy: Setters
description: Update gives the specification for how to update the
files in the repository. This can be left empty, to use the default
value.
properties:
path:
description: Path to the directory containing the manifests to
be updated. Defaults to 'None', which translates to the root
path of the GitRepositoryRef.
type: string
strategy:
default: Setters
description: Strategy names the strategy to be used.
enum:
- Setters
type: string
required:
- strategy
type: object
required:
- interval
- sourceRef
type: object
status:
default:
observedGeneration: -1
description: ImageUpdateAutomationStatus defines the observed state of
ImageUpdateAutomation
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastAutomationRunTime:
description: LastAutomationRunTime records the last time the controller
ran this automation through to completion (even if no updates were
made).
format: date-time
type: string
lastHandledReconcileAt:
description: LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value can
be detected.
type: string
lastPushCommit:
description: LastPushCommit records the SHA1 of the last commit made
by the controller, for this automation object
type: string
lastPushTime:
description: LastPushTime records the time of the last pushed change.
format: date-time
type: string
observedGeneration:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}


@@ -0,0 +1,135 @@
{{- if and .Values.imageAutomationController.create}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: image-automation-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.imageAutomationController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: image-automation-controller
spec:
{{- if kindIs "invalid" .Values.imageAutomationController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.imageAutomationController.replicas }}
{{- end}}
selector:
matchLabels:
app: image-automation-controller
template:
metadata:
{{- with .Values.imageAutomationController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: image-automation-controller
{{ with .Values.imageAutomationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }}
{{- if .Values.imageAutomationController.initContainers}}
initContainers:
{{- toYaml .Values.imageAutomationController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
{{- end}}
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.imageAutomationController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.imageAutomationController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.imageAutomationController }}
{{- if .Values.imageAutomationController.imagePullPolicy }}
imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.imageAutomationController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.imageAutomationController.securityContext }}
securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
{{- if .Values.imageAutomationController.volumeMounts }}
{{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.imageAutomationController.priorityClassName }}
priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }}
{{- end }}
{{- if .Values.imageAutomationController.podSecurityContext }}
securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }}
{{- else }}
securityContext:
fsGroup: 1337
{{- end}}
serviceAccountName: image-automation-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp
{{- if .Values.imageAutomationController.volumes }}
{{- toYaml .Values.imageAutomationController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.imageAutomationController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imageAutomationController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imageAutomationController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}
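Review bot: Setting `.Values.imageAutomationController.securityContext` replaces the hardened container defaults in the `else` branch wholesale instead of merging with them, so an override that supplies a single key silently drops `allowPrivilegeEscalation: false`, the `drop: ALL` capabilities, `readOnlyRootFilesystem`, `runAsNonRoot` and the `RuntimeDefault` seccomp profile. The pod-level `podSecurityContext` block follows the same either/or pattern with its `fsGroup` default. The template appears to be pulled from the upstream chart (inferred from the Makefile's `helm pull`), so the practical guard is in this repository's values: any override should restate the full default block. A template comment above the `if`, such as `{{- /* a securityContext set in values replaces, and does not merge with, the defaults below */}}`, would make this visible to whoever edits the values next.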


@@ -0,0 +1,18 @@
{{- if and .Values.imageReflectionController.create }}
{{- if .Values.imageReflectionController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: image-reflector-controller
{{- with .Values.imageReflectionController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -0,0 +1,897 @@
{{- if and .Values.installCRDs .Values.imageReflectionController.create }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
{{- with .Values.crds.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: '{{ .Release.Namespace }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/part-of: flux
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: imagepolicies.image.toolkit.fluxcd.io
spec:
group: image.toolkit.fluxcd.io
names:
kind: ImagePolicy
listKind: ImagePolicyList
plural: imagepolicies
singular: imagepolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.latestImage
name: LatestImage
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ImagePolicy is the Schema for the imagepolicies API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImagePolicySpec defines the parameters for calculating the
ImagePolicy
properties:
filterTags:
description: FilterTags enables filtering for only a subset of tags
based on a set of rules. If no rules are provided, all the tags
from the repository will be ordered and compared.
properties:
extract:
description: Extract allows a capture group to be extracted from
the specified regular expression pattern, useful before tag
evaluation.
type: string
pattern:
description: Pattern specifies a regular expression pattern used
to filter for image tags.
type: string
type: object
imageRepositoryRef:
description: ImageRepositoryRef points at the object specifying the
image being scanned
properties:
name:
description: Name of the referent.
type: string
namespace:
description: Namespace of the referent, when not specified it
acts as LocalObjectReference.
type: string
required:
- name
type: object
policy:
description: Policy gives the particulars of the policy to be followed
in selecting the most recent image
properties:
alphabetical:
description: Alphabetical set of rules to use for alphabetical
ordering of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the letters of the alphabet as tags, ascending order
would select Z, and descending order would select A.
enum:
- asc
- desc
type: string
type: object
numerical:
description: Numerical set of rules to use for numerical ordering
of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the integer values from 0 to 9 as tags, ascending
order would select 9, and descending order would select
0.
enum:
- asc
- desc
type: string
type: object
semver:
description: SemVer gives a semantic version range to check against
the tags available.
properties:
range:
description: Range gives a semver range for the image tag;
the highest version within the range that's a tag yields
the latest image.
type: string
required:
- range
type: object
type: object
required:
- imageRepositoryRef
- policy
type: object
status:
default:
observedGeneration: -1
description: ImagePolicyStatus defines the observed state of ImagePolicy
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
latestImage:
description: LatestImage gives the first in the list of images scanned
by the image repository, when filtered and ordered according to
the policy.
type: string
observedGeneration:
format: int64
type: integer
type: object
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.latestImage
name: LatestImage
type: string
name: v1beta2
schema:
openAPIV3Schema:
description: ImagePolicy is the Schema for the imagepolicies API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImagePolicySpec defines the parameters for calculating the
ImagePolicy.
properties:
filterTags:
description: FilterTags enables filtering for only a subset of tags
based on a set of rules. If no rules are provided, all the tags
from the repository will be ordered and compared.
properties:
extract:
description: Extract allows a capture group to be extracted from
the specified regular expression pattern, useful before tag
evaluation.
type: string
pattern:
description: Pattern specifies a regular expression pattern used
to filter for image tags.
type: string
type: object
imageRepositoryRef:
description: ImageRepositoryRef points at the object specifying the
image being scanned
properties:
name:
description: Name of the referent.
type: string
namespace:
description: Namespace of the referent, when not specified it
acts as LocalObjectReference.
type: string
required:
- name
type: object
policy:
description: Policy gives the particulars of the policy to be followed
in selecting the most recent image
properties:
alphabetical:
description: Alphabetical set of rules to use for alphabetical
ordering of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the letters of the alphabet as tags, ascending order
would select Z, and descending order would select A.
enum:
- asc
- desc
type: string
type: object
numerical:
description: Numerical set of rules to use for numerical ordering
of the tags.
properties:
order:
default: asc
description: Order specifies the sorting order of the tags.
Given the integer values from 0 to 9 as tags, ascending
order would select 9, and descending order would select
0.
enum:
- asc
- desc
type: string
type: object
semver:
description: SemVer gives a semantic version range to check against
the tags available.
properties:
range:
description: Range gives a semver range for the image tag;
the highest version within the range that's a tag yields
the latest image.
type: string
required:
- range
type: object
type: object
required:
- imageRepositoryRef
- policy
type: object
status:
default:
observedGeneration: -1
description: ImagePolicyStatus defines the observed state of ImagePolicy
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
latestImage:
description: LatestImage gives the first in the list of images scanned
by the image repository, when filtered and ordered according to
the policy.
type: string
observedGeneration:
format: int64
type: integer
observedPreviousImage:
description: ObservedPreviousImage is the observed previous LatestImage.
It is used to keep track of the previous and current images.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
{{- with .Values.crds.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: '{{ .Release.Namespace }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/part-of: flux
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
name: imagerepositories.image.toolkit.fluxcd.io
spec:
group: image.toolkit.fluxcd.io
names:
kind: ImageRepository
listKind: ImageRepositoryList
plural: imagerepositories
singular: imagerepository
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.lastScanResult.scanTime
name: Last scan
type: string
- jsonPath: .status.lastScanResult.tagCount
name: Tags
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ImageRepository is the Schema for the imagerepositories API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImageRepositorySpec defines the parameters for scanning an
image repository, e.g., `fluxcd/flux`.
properties:
accessFrom:
description: AccessFrom defines an ACL for allowing cross-namespace
references to the ImageRepository object based on the caller's namespace
labels.
properties:
namespaceSelectors:
description: NamespaceSelectors is the list of namespace selectors
to which this ACL applies. Items in this list are evaluated
using a logical OR operation.
items:
description: NamespaceSelector selects the namespaces to which
this ACL applies. An empty map of MatchLabels matches all
namespaces in a cluster.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
type: array
required:
- namespaceSelectors
type: object
certSecretRef:
description: "CertSecretRef can be given the name of a secret containing
either or both of \n - a PEM-encoded client certificate (`certFile`)
and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`)
\n and whichever are supplied, will be used for connecting to the
registry. The client cert and key are useful if you are authenticating
with a certificate; the CA cert is useful if you are using a self-signed
server certificate."
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
exclusionList:
description: ExclusionList is a list of regex strings used to exclude
certain tags from being stored in the database.
items:
type: string
type: array
image:
description: Image is the name of the image repository
type: string
interval:
description: Interval is the length of time to wait between scans
of the image repository.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
secretRef:
description: SecretRef can be given the name of a secret containing
credentials to use for the image registry. The secret should be
created with `kubectl create secret docker-registry`, or the equivalent.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
serviceAccountName:
description: ServiceAccountName is the name of the Kubernetes ServiceAccount
used to authenticate the image pull if the service account has attached
pull secrets.
maxLength: 253
type: string
suspend:
description: This flag tells the controller to suspend subsequent
image scans. It does not apply to already started scans. Defaults
to false.
type: boolean
timeout:
description: Timeout for image scanning. Defaults to 'Interval' duration.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
type: string
type: object
status:
default:
observedGeneration: -1
description: ImageRepositoryStatus defines the observed state of ImageRepository
properties:
canonicalImageName:
description: CanonicalName is the name of the image repository with
all the implied bits made explicit; e.g., `docker.io/library/alpine`
rather than `alpine`.
type: string
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastHandledReconcileAt:
description: LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value can
be detected.
type: string
lastScanResult:
description: LastScanResult contains the number of fetched tags.
properties:
scanTime:
format: date-time
type: string
tagCount:
type: integer
required:
- tagCount
type: object
observedGeneration:
description: ObservedGeneration is the last reconciled generation.
format: int64
type: integer
type: object
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.lastScanResult.scanTime
name: Last scan
type: string
- jsonPath: .status.lastScanResult.tagCount
name: Tags
type: string
name: v1beta2
schema:
openAPIV3Schema:
description: ImageRepository is the Schema for the imagerepositories API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ImageRepositorySpec defines the parameters for scanning an
image repository, e.g., `fluxcd/flux`.
properties:
accessFrom:
description: AccessFrom defines an ACL for allowing cross-namespace
references to the ImageRepository object based on the caller's namespace
labels.
properties:
namespaceSelectors:
description: NamespaceSelectors is the list of namespace selectors
to which this ACL applies. Items in this list are evaluated
using a logical OR operation.
items:
description: NamespaceSelector selects the namespaces to which
this ACL applies. An empty map of MatchLabels matches all
namespaces in a cluster.
properties:
matchLabels:
additionalProperties:
type: string
description: MatchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
type: array
required:
- namespaceSelectors
type: object
certSecretRef:
description: "CertSecretRef can be given the name of a Secret containing
either or both of \n - a PEM-encoded client certificate (`tls.crt`)
and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`)
\n and whichever are supplied, will be used for connecting to the
registry. The client cert and key are useful if you are authenticating
with a certificate; the CA cert is useful if you are using a self-signed
server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
\n Note: Support for the `caFile`, `certFile` and `keyFile` keys
has been deprecated."
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
exclusionList:
default:
- ^.*\.sig$
description: ExclusionList is a list of regex strings used to exclude
certain tags from being stored in the database.
items:
type: string
maxItems: 25
type: array
image:
description: Image is the name of the image repository
type: string
interval:
description: Interval is the length of time to wait between scans
of the image repository.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
provider:
default: generic
description: The provider used for authentication, can be 'aws', 'azure',
'gcp' or 'generic'. When not specified, defaults to 'generic'.
enum:
- generic
- aws
- azure
- gcp
type: string
secretRef:
description: SecretRef can be given the name of a secret containing
credentials to use for the image registry. The secret should be
created with `kubectl create secret docker-registry`, or the equivalent.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
serviceAccountName:
description: ServiceAccountName is the name of the Kubernetes ServiceAccount
used to authenticate the image pull if the service account has attached
pull secrets.
maxLength: 253
type: string
suspend:
description: This flag tells the controller to suspend subsequent
image scans. It does not apply to already started scans. Defaults
to false.
type: boolean
timeout:
description: Timeout for image scanning. Defaults to 'Interval' duration.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
type: string
type: object
status:
default:
observedGeneration: -1
description: ImageRepositoryStatus defines the observed state of ImageRepository
properties:
canonicalImageName:
description: CanonicalName is the name of the image repository with
all the implied bits made explicit; e.g., `docker.io/library/alpine`
rather than `alpine`.
type: string
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastHandledReconcileAt:
description: LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value can
be detected.
type: string
lastScanResult:
description: LastScanResult contains the number of fetched tags.
properties:
latestTags:
items:
type: string
type: array
scanTime:
format: date-time
type: string
tagCount:
type: integer
required:
- tagCount
type: object
observedExclusionList:
description: ObservedExclusionList is a list of observed exclusion
list. It reflects the exclusion rules used for the observed scan
result in spec.lastScanResult.
items:
type: string
type: array
observedGeneration:
description: ObservedGeneration is the last reconciled generation.
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}


@@ -0,0 +1,139 @@
{{- if and .Values.imageReflectionController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.imageReflectionController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: image-reflector-controller
spec:
{{- if kindIs "invalid" .Values.imageReflectionController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.imageReflectionController.replicas }}
{{- end}}
selector:
matchLabels:
app: image-reflector-controller
template:
metadata:
{{- with .Values.imageReflectionController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: image-reflector-controller
{{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }}
{{- if .Values.imageReflectionController.initContainers}}
initContainers:
{{- toYaml .Values.imageReflectionController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
{{- end}}
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.imageReflectionController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.imageReflectionController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.imageReflectionController }}
{{- if .Values.imageReflectionController.imagePullPolicy }}
imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.imageReflectionController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.imageReflectionController.securityContext }}
securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
- mountPath: /data
name: data
{{- if .Values.imageReflectionController.volumeMounts }}
{{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.imageReflectionController.priorityClassName }}
priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }}
{{- end }}
{{- if .Values.imageReflectionController.podSecurityContext }}
securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }}
{{- else }}
securityContext:
fsGroup: 1337
{{- end}}
serviceAccountName: image-reflector-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp
- emptyDir: {}
name: data
{{- if .Values.imageReflectionController.volumes }}
{{- toYaml .Values.imageReflectionController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.imageReflectionController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imageReflectionController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imageReflectionController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}
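Review bot: Setting `.Values.imageReflectionController.securityContext` replaces the hardened container default in the `else` branch wholesale. An override that sets only one field, for example `runAsUser`, therefore silently drops `allowPrivilegeEscalation: false`, the `ALL` capability drop, `readOnlyRootFilesystem`, `runAsNonRoot` and the `RuntimeDefault` seccomp profile. Merging the override over the defaults keeps that baseline unless a key is changed explicitly: build the default block as a dict `$default` and render `{{ toYaml (mergeOverwrite $default (.Values.imageReflectionController.securityContext | default dict)) | nindent 10 }}`. The same if/else pattern appears in the kustomize-controller and notification-controller Deployments and in the flux-check Job later in this commit. Until the template merges, any values override should restate the full hardened set.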


@@ -0,0 +1,18 @@
{{- if and .Values.kustomizeController.create }}
{{- if .Values.kustomizeController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: kustomize-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: kustomize-controller
{{- with .Values.kustomizeController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -0,0 +1,18 @@
{{- if and .Values.kustomizeController.secret.create }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.kustomizeController.secret.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
type: Opaque
data:
{{- range $key, $value := .Values.kustomizeController.secret.data }}
{{ $key }}: {{ $value | toString | b64enc | quote }}
{{- end }}
{{- end }}
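Review bot: The `data` loop base64-encodes whatever sits under `.Values.kustomizeController.secret.data`, so the plaintext has to live in a values file and is also retained in the Helm release record stored in the cluster; base64 is an encoding, not protection. I would add a comment above the `range` along the lines of `# values set here are kept in the release history; prefer a pre-created or externally managed Secret` and leave `secret.create` off wherever the values file is committed to Git. `name: {{ .Values.kustomizeController.secret.name }}` is also rendered unquoted and unchecked, so an empty value only fails at apply time; `name: {{ required "kustomizeController.secret.name is required" .Values.kustomizeController.secret.name | quote }}` fails at render time instead.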

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,158 @@
{{- if and .Values.kustomizeController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: kustomize-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.kustomizeController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: kustomize-controller
spec:
{{- if kindIs "invalid" .Values.kustomizeController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.kustomizeController.replicas }}
{{- end}}
selector:
matchLabels:
app: kustomize-controller
template:
metadata:
{{- with .Values.kustomizeController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: kustomize-controller
{{ with .Values.kustomizeController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.kustomizeController.serviceAccount.automount }}
{{- if .Values.kustomizeController.initContainers}}
initContainers:
{{- toYaml .Values.kustomizeController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
- --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }}
{{- end}}
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.kustomizeController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.kustomizeController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or (.Values.kustomizeController.envFrom.map.name) (.Values.kustomizeController.envFrom.secret.name) }}
envFrom:
{{- if .Values.kustomizeController.envFrom.map.name }}
- configMapRef:
name: {{ .Values.kustomizeController.envFrom.map.name }}
{{- end }}
{{- if .Values.kustomizeController.envFrom.secret.name }}
- secretRef:
name: {{ .Values.kustomizeController.envFrom.secret.name }}
{{- end }}
{{- end }}
image: {{ template "template.image" .Values.kustomizeController }}
{{- if .Values.kustomizeController.imagePullPolicy }}
imagePullPolicy: {{ .Values.kustomizeController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.kustomizeController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.kustomizeController.securityContext }}
securityContext: {{ toYaml .Values.kustomizeController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
{{- if .Values.kustomizeController.volumeMounts }}
{{- toYaml .Values.kustomizeController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.kustomizeController.priorityClassName }}
priorityClassName: {{ .Values.kustomizeController.priorityClassName | quote }}
{{- end }}
{{- range .Values.kustomizeController.extraSecretMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
subPath: {{ .subPath }}
readOnly: {{ .readOnly }}
{{- end }}
{{- if .Values.kustomizeController.podSecurityContext }}
securityContext: {{ toYaml .Values.kustomizeController.podSecurityContext | nindent 8 }}
{{- else }}
securityContext:
fsGroup: 1337
{{- end}}
serviceAccountName: kustomize-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 60
volumes:
- emptyDir: {}
name: temp
{{- if .Values.kustomizeController.volumes }}
{{- toYaml .Values.kustomizeController.volumes | nindent 6 }}
{{- end}}
{{- range .Values.kustomizeController.extraSecretMounts }}
- name: {{ .name }}
secret:
secretName: {{ .secretName }}
{{- end }}
{{- with .Values.kustomizeController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.kustomizeController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.kustomizeController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}
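Review bot: The `range .Values.kustomizeController.extraSecretMounts` loop that emits the `name`/`mountPath`/`subPath`/`readOnly` mount entries sits after the `priorityClassName` block instead of directly under `volumeMounts`. When both values are set, the list items appear to follow a pod-level key, so the manifest either fails to parse or the secret mounts end up outside the container's mount list (indentation is not visible on this page, so this is inferred from line order). Moving the loop up to follow the `.Values.kustomizeController.volumeMounts` block fixes that. Separately, `--no-cross-namespace-refs=true` and `--default-service-account=...` are passed only when `.Values.multitenancy.enabled` is set. A comment at that `if` should say that without it reconciliation presumably runs under the controller's own service account unless a Kustomization names one, since that is the setting a cluster operator most needs to decide on deliberately.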


@@ -0,0 +1,49 @@
{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
{{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ tpl $value $ | quote }}
{{- end }}
{{- end }}
name: webhook-receiver
spec:
{{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
{{- end -}}
{{- if .Values.notificationController.webhookReceiver.ingress.tls }}
tls:
{{- range .Values.notificationController.webhookReceiver.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: webhook-receiver
port:
number: 80
{{- end }}
{{- end }}
{{- end }}
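Review bot: The `tls:` block is rendered only when `.Values.notificationController.webhookReceiver.ingress.tls` is set, so enabling `ingress.create` with hosts alone publishes the `webhook-receiver` backend over plain HTTP. This Ingress is what exposes the notification controller to callers outside the cluster, so the template should either refuse to render without TLS, e.g. `{{- if not .Values.notificationController.webhookReceiver.ingress.tls }}{{ fail "webhookReceiver.ingress.tls is required" }}{{- end }}`, or carry a comment stating that TLS must be terminated in front of it. `secretName`, `path`, `pathType` and `ingressClassName` are emitted unquoted while `host` goes through `quote`; quoting them consistently avoids YAML retyping unusual values.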


@@ -0,0 +1,18 @@
{{- if and .Values.notificationController.create -}}
{{- if .Values.notificationController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: notification-controller
{{- with .Values.notificationController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@@ -0,0 +1,29 @@
{{- if and .Values.notificationController.create }}
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
name: notification-controller
{{- with .Values.notificationController.service.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
{{- if .Values.notificationController.service.ports }}
{{- toYaml .Values.notificationController.service.ports | nindent 2 }}
{{- end}}
selector:
app: notification-controller
type: ClusterIP
{{- end }}


@@ -0,0 +1,26 @@
{{- if and .Values.notificationController.create }}
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
name: webhook-receiver
{{- with .Values.notificationController.webhookReceiver.service.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 9292
selector:
app: notification-controller
type: ClusterIP
{{- end }}

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,136 @@
{{- if and .Values.notificationController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.notificationController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: notification-controller
spec:
{{- if kindIs "invalid" .Values.notificationController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.notificationController.replicas }}
{{- end}}
selector:
matchLabels:
app: notification-controller
template:
metadata:
{{- with .Values.notificationController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: notification-controller
{{ with .Values.notificationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
{{- if .Values.notificationController.initContainers}}
initContainers:
{{- toYaml .Values.notificationController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
{{- range .Values.notificationController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.notificationController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.notificationController }}
{{- if .Values.notificationController.imagePullPolicy }}
imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 9090
name: http
protocol: TCP
- containerPort: 9292
name: http-webhook
protocol: TCP
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
{{- with .Values.notificationController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.notificationController.securityContext }}
securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /tmp
name: temp
{{- if .Values.notificationController.volumeMounts }}
{{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.notificationController.priorityClassName }}
priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
{{- end }}
{{- if .Values.notificationController.podSecurityContext }}
securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: notification-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp
{{- if .Values.notificationController.volumes }}
{{- toYaml .Values.notificationController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.notificationController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notificationController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notificationController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -0,0 +1,32 @@
{{ if .Values.prometheus.podMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ .Release.Name }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchExpressions:
- key: app
operator: In
values:
- helm-controller
- source-controller
- kustomize-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
podMetricsEndpoints:
{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
{{- end }}


@@ -0,0 +1,63 @@
{{- if and .Values.policies.create}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: allow-egress
spec:
egress:
- {}
ingress:
- from:
- podSelector: {}
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: allow-scraping
spec:
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8080
protocol: TCP
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: allow-webhooks
spec:
ingress:
- from:
- namespaceSelector: {}
podSelector:
matchLabels:
app: notification-controller
policyTypes:
- Ingress
{{- end }}
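Review bot: `allow-webhooks` admits traffic from every namespace (`namespaceSelector: {}`) to the notification-controller pods without a `ports` list, so every port on those pods is reachable cluster-wide rather than only the receiver. The webhook-receiver Service in this commit targets 9292, so the rule can be narrowed by adding a `ports:` list with `- port: 9292` and `protocol: TCP` alongside `from`, as `allow-scraping` already does for 8080. `allow-egress` likewise permits unrestricted egress (`- {}`) for every pod in the namespace; if that is intentional for reaching arbitrary Git or OCI hosts, a comment saying so would help whoever audits these policies.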


@@ -0,0 +1,14 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: "{{ .Release.Name }}-flux-check"
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded


@@ -0,0 +1,72 @@
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-flux-check"
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 1
template:
metadata:
name: "{{ .Release.Name }}"
{{- with .Values.cli.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
spec:
restartPolicy: Never
serviceAccountName: "{{ .Release.Name }}-flux-check"
automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }}
containers:
- name: flux-cli
image: {{ template "template.image" .Values.cli }}
command: ["/usr/local/bin/flux", "check", "--pre", "--namespace", {{ .Release.Namespace }}]
{{- with .Values.cli.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.cli.securityContext }}
securityContext: {{ toYaml .Values.cli.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
{{- if .Values.cli.volumeMounts }}
volumeMounts:
{{- toYaml .Values.cli.volumeMounts | nindent 10 }}
{{- end}}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
{{- with .Values.cli.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.cli.volumes }}
volumes:
{{- toYaml .Values.cli.volumes | nindent 8 }}
{{- end}}
{{- with .Values.cli.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cli.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
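Review bot: In `command`, `{{ .Release.Namespace }}` is placed bare inside the flow sequence, so a namespace name that YAML reads as a non-string becomes a non-string argument and the Job is rejected at apply time. All-digit names are valid namespace names (a constructed example is `2024`), so this is reachable. Using `{{ .Release.Namespace | quote }}` here matches how the labels in the same file already render the namespace.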


@@ -0,0 +1,29 @@
{{- if .Values.sourceController.create }}
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
name: source-controller
{{- with .Values.sourceController.service.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
{{- if .Values.sourceController.service.ports }}
{{- toYaml .Values.sourceController.service.ports | nindent 2 }}
{{- end}}
selector:
app: source-controller
type: ClusterIP
{{- end }}


@@ -0,0 +1,18 @@
{{- if .Values.sourceController.create -}}
{{- if .Values.sourceController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: source-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: source-controller
{{- with .Values.sourceController.serviceAccount.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,144 @@
{{- if .Values.sourceController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: source-controller
app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: flux
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller
{{- with .Values.sourceController.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
name: source-controller
spec:
{{- if kindIs "invalid" .Values.sourceController.replicas }}
replicas: 1
{{- else }}
replicas: {{ .Values.sourceController.replicas }}
{{- end}}
selector:
matchLabels:
app: source-controller
strategy:
type: Recreate
template:
metadata:
{{- with .Values.sourceController.annotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
labels:
app: source-controller
{{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }}
spec:
automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }}
{{- if .Values.sourceController.initContainers}}
initContainers:
{{- toYaml .Values.sourceController.initContainers | nindent 8}}
{{- end}}
containers:
- args:
{{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
{{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
- --storage-path=/data
- --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
{{- range .Values.sourceController.container.additionalArgs }}
- {{ . }}
{{- end}}
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.sourceController.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ template "template.image" .Values.sourceController }}
{{- if .Values.sourceController.imagePullPolicy }}
imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }}
{{- else }}
imagePullPolicy: IfNotPresent
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 9090
name: http
protocol: TCP
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /
port: http
{{- with .Values.sourceController.resources }}
resources: {{ toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.sourceController.securityContext }}
securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end}}
volumeMounts:
- mountPath: /data
name: data
- mountPath: /tmp
name: tmp
{{- if .Values.sourceController.volumeMounts }}
{{- toYaml .Values.sourceController.volumeMounts | nindent 8 }}
{{- end}}
{{- if .Values.sourceController.priorityClassName }}
priorityClassName: {{ .Values.sourceController.priorityClassName | quote }}
{{- end }}
{{- if .Values.sourceController.podSecurityContext }}
securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }}
{{- else }}
securityContext:
fsGroup: 1337
{{- end}}
serviceAccountName: source-controller
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
{{- end }}
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: data
- emptyDir: {}
name: tmp
{{- if .Values.sourceController.volumes }}
{{- toYaml .Values.sourceController.volumes | nindent 6 }}
{{- end}}
{{- with .Values.sourceController.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.sourceController.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.sourceController.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -0,0 +1,325 @@
# global
installCRDs: true
crds:
# -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
annotations: {}
multitenancy:
# -- Implement the patches for Multi-tenancy lockdown.
# See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
enabled: false
# -- All Kustomizations and HelmReleases which dont have spec.serviceAccountName
# specified, will use the default account from the tenants namespace.
# Tenants have to specify a service account in their Flux resources to be able
# to deploy workloads in their namespaces as the default account has no permissions.
defaultServiceAccount: "default"
# -- Both kustomize-controller and helm-controller service accounts run privileged
# with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
# minimum set of permissions.
privileged: true
clusterDomain: cluster.local
cli:
image: ghcr.io/fluxcd/flux-cli
tag: v2.1.2
nodeSelector: {}
affinity: {}
tolerations: []
annotations: {}
serviceAccount:
automount: true
# controllers
helmController:
create: true
image: ghcr.io/fluxcd/helm-controller
tag: v0.36.2
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
nodeSelector: {}
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
# for example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
# for example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
imageAutomationController:
create: true
image: ghcr.io/fluxcd/image-automation-controller
tag: v0.36.1
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
nodeSelector: {}
affinity: {}
tolerations: []
imageReflectionController:
create: true
image: ghcr.io/fluxcd/image-reflector-controller
tag: v0.30.0
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
nodeSelector: {}
affinity: {}
tolerations: []
kustomizeController:
create: true
image: ghcr.io/fluxcd/kustomize-controller
tag: v1.1.1
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
secret:
# -- Create a secret to use it with extraSecretMounts. Defaults to false.
create: false
name: ""
data: {}
# -- Defines envFrom using a configmap and/or secret.
envFrom:
map:
name: ""
secret:
name: ""
# -- Defines additional mounts with secrets.
# Secrets must be manually created in the namespace or with kustomizeController.secret
extraSecretMounts: []
# - name: secret-files
# mountPath: /etc/secrets
# subPath: ""
# secretName: secret-files
# readOnly: true
nodeSelector: {}
affinity: {}
tolerations: []
notificationController:
create: true
image: ghcr.io/fluxcd/notification-controller
tag: v1.1.0
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
extraEnv: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
service:
labels: {}
annotations: {}
webhookReceiver:
service:
labels: {}
annotations: {}
ingress:
create: false
# ingressClassName: nginx
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
hosts:
- host: flux-webhook.example.com
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: flux-webhook-tls
# hosts:
# - flux-webhook.example.com
nodeSelector: {}
affinity: {}
tolerations: []
sourceController:
create: true
image: ghcr.io/fluxcd/source-controller
tag: v1.1.2
resources:
limits: {}
# cpu: 1000m
# memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
priorityClassName: ""
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels: {}
container:
additionalArgs: []
serviceAccount:
create: true
automount: true
annotations: {}
imagePullPolicy: ""
service:
labels: {}
annotations: {}
nodeSelector: {}
affinity: {}
tolerations: []
extraEnv: []
policies:
create: true
rbac:
create: true
# -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
createAggregation: true
# -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep
annotations: {}
logLevel: info
watchAllNamespaces: true
# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers
imagePullSecrets: []
# -- Array of extra K8s manifests to deploy
extraObjects: []
# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication
# - apiVersion: source.toolkit.fluxcd.io/v1beta2
# kind: Bucket
# metadata:
# name: podinfo
# namespace: default
# spec:
# interval: 1m
# provider: generic
# bucketName: podinfo
# endpoint: minio.minio.svc.cluster.local:9000
# insecure: true
# secretRef:
# name: minio-credentials
# - apiVersion: v1
# kind: Secret
# metadata:
# name: minio-credentials
# namespace: default
# type: Opaque
# data:
# accesskey: <BASE64>
# secretkey: <BASE64>
# Enables podMonitor creation for the Prometheus Operator
prometheus:
podMonitor:
# -- Enables podMonitor endpoint
create: false
podMetricsEndpoints:
- port: http-prom
relabelings:
# https://github.com/prometheus-operator/prometheus-operator/issues/4816
- sourceLabels: [__meta_kubernetes_pod_phase]
action: keep
regex: Running


@@ -0,0 +1,5 @@
_helm:
name: kubeapps
namespace: cozy-fluxcd
createNamespace: true
crds: CreateReplace
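Review bot: `name: kubeapps` under `_helm` does not match the `cozy-fluxcd` namespace set on the following line, which looks like a copy-paste leftover. The file path is not shown for this section, so this assumes it is the values file of the fluxcd package that the preceding flux2 chart files belong to. If the release is meant to be Flux, something like `name: fluxcd` would keep release listings and audit records from attributing the Flux controllers to an unrelated application.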


@@ -0,0 +1,2 @@
images
hack


@@ -0,0 +1,2 @@
name: app
version: 0.0.0


@@ -0,0 +1,10 @@
include ../../hack/app-helm.mk
update:
rm -rf charts
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update ingress-nginx
helm pull ingress-nginx/ingress-nginx --untar --untardir charts
patch -p 3 < patches/add-metrics2.patch
rm -f charts/ingress-nginx/templates/controller-deployment.yaml.orig
#sed -i '/ type:/a \ allocateLoadBalancerNodePorts: false' charts/ingress-nginx/templates/controller-service.yaml
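Review bot: The `update` target runs `helm pull ingress-nginx/ingress-nginx --untar --untardir charts` with no `--version`, so every run vendors whatever the repository currently serves as latest, and `patches/add-metrics2.patch` is then applied to a tree it may not have been written against. Pinning the release makes the vendored content reproducible and keeps upgrades visible as a reviewed one-line change, e.g. `helm pull ingress-nginx/ingress-nginx --version <CHART_VERSION> --untar --untardir charts` (placeholder; the intended version is not visible in this section). If the upstream repository publishes provenance files, adding `--verify` would also check the package signature before it is unpacked. The commented-out `sed` line at the end is dead code and should either be removed or get a comment saying why it is kept.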


@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,460 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.4.0
* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238
* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186
* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133
* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123
### 4.3.0
- Support for Kubernetes v.1.25.0 was added and support for endpoint slices
- Support for Kubernetes v1.20.0 and v1.21.0 was removed
- [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices
- [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191
- [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name
- [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations
### 4.2.1
- The sha of kube-webhook-certgen image & the opentelemetry image, in values file, was changed to new images built on alpine-v3.16.1
- "[8896](https://github.com/kubernetes/ingress-nginx/pull/8896) updated to new images built today"
### 4.2.0
- Support for Kubernetes v1.19.0 was removed
- "[8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0"
- "[8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name"
- "[8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1"
- "[8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16"
- "[8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process"
- "[8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix"
- "[8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check"
- "[8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16"
- "[8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0"
- "[8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process"
- "[8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable"
- "[8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15"
- "[8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2"
- "[8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format"
- "[8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API"
- "[8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide"
- "[8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs"
- "[8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14"
- "[8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0"
- "[8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5"
- "[8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement"
- "[8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver"
- "[8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step"
- "[8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha"
- "[8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path"
- "[8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases"
- "[8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds"
- "[8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps"
- "[8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image)"
- "[8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard"
- "[8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0"
- "[8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2"
- "[8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos"
- "[8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it"
- "[8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0"
- "[8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0"
- "[8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3"
- "[8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1"
### 4.1.2
- "[8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed"
- "[8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter"
- "[8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart"
### 4.1.0
- "[8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script"
- "[8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6"
- "[8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod"
- "[8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty"
- "[8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector"
- "[8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies"
- "[8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md"
- "[8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing"
- "[8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist"
- "[8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one"
- "[8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement"
- "[8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation"
- "[8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0"
### 4.0.18
- "[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build"
- "[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build"
- "[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge"
- "[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241"
- "[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts"
- "[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error"
- "[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation"
- "[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric"
- "[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code."
- "[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image"
- "[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
- "[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint"
- "[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1"
- "[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0"
- "[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint"
- "[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial"
- "[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera"
- "[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment"
- "[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation"
- "[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell"
- "[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor"
- "[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations"
- "[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0"
- "[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account"
- "[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description"
- "[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests"
- "[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values"
- "[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1"
- "[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs"
- "[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits"
- "[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations"
- "[8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT"
### 4.0.15
- [8120] https://github.com/kubernetes/ingress-nginx/pull/8120 Update go in runner and release v1.1.1
- [8119] https://github.com/kubernetes/ingress-nginx/pull/8119 Update to go v1.17.6
- [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs
- [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors
- [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release
- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P…
- [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch
- [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable
- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart
- [8058] https://github.com/kubernetes/ingress-nginx/pull/8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
- [8054] https://github.com/kubernetes/ingress-nginx/pull/8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0
- [8051] https://github.com/kubernetes/ingress-nginx/pull/8051 align bug report with feature request regarding kind documentation
- [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045)
- [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues
- [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543
- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name
- [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners
- [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option
- [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags
- [8021] https://github.com/kubernetes/ingress-nginx/pull/8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified
- [8019] https://github.com/kubernetes/ingress-nginx/pull/8019 Revise main documentation page
- [8018] https://github.com/kubernetes/ingress-nginx/pull/8018 Preserve order of plugin invocation
- [8015] https://github.com/kubernetes/ingress-nginx/pull/8015 Add newline indenting to admission webhook annotations
- [8014] https://github.com/kubernetes/ingress-nginx/pull/8014 Add link to example error page manifest in docs
- [8009] https://github.com/kubernetes/ingress-nginx/pull/8009 Fix spelling in documentation and top-level files
- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
- [8003] https://github.com/kubernetes/ingress-nginx/pull/8003 Minor improvements (formatting, consistency) in install guide
- [8001] https://github.com/kubernetes/ingress-nginx/pull/8001 fix: go-grpc Dockerfile
- [7999] https://github.com/kubernetes/ingress-nginx/pull/7999 images: use k8s-staging-test-infra/gcb-docker-gcloud
- [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement
- [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation.
- [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs
- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server
- [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog
- [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition
### 4.0.14
- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
### 4.0.13
- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
### 4.0.12
- [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
### 4.0.11
- [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
### 4.0.10
- [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0
### 4.0.9
- [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources
### 4.0.7
- [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx
- [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service
### 4.0.6
- [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx
- [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart
- [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode
- [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1
### 4.0.5
- [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
### 4.0.3
- [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
### 4.0.2
- [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
### 4.0.1
- [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx
### 3.34.0
- [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates
### 3.33.0
- [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1
### 3.32.0
- [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA
### 3.31.0
- [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes
### 3.30.0
- [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints
### 3.29.0
- [X] [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor
### 3.28.0
- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
### 3.27.0
- Update ingress-nginx v0.45.0
### 3.26.0
- [X] [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics
### 3.25.0
- [X] [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken
### 3.24.0
- [X] [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment
### 3.23.0
- Update ingress-nginx v0.44.0
### 3.22.0
- [X] [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file
- [X] [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart
### 3.21.0
- [X] [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject
- [X] [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values
- [X] [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled
- [X] [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1
### 3.20.1
- Do not create KEDA in case of DaemonSets.
- Fix KEDA v2 definition
### 3.20.0
- [X] [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled.
### 3.19.0
- Update ingress-nginx v0.43.0
### 3.18.0
- [X] [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy
- [X] [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters
### 3.17.0
- Update ingress-nginx v0.42.0
### 3.16.1
- Fix chart-releaser action
### 3.16.0
- [X] [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service
### 3.15.1
- Fix chart-releaser action
### 3.15.0
- [X] [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml
### 3.14.0
- [X] [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend
### 3.13.0
- [X] [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable
### 3.12.0
- [X] [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs
### 3.11.1
- [X] [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling
### 3.11.0
- Support Keda Autoscaling
### 3.10.1
- Fix regression introduced in 0.41.0 with external authentication
### 3.10.0
- Fix routing regression introduced in 0.41.0 with PathType Exact
### 3.9.0
- [X] [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling
### 3.8.0
- [X] [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image
- [X] [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs
- [X] [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend
- [X] [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations
- [X] [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog
### 3.7.1
- [X] [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart
### 3.7.0
- [X] [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315)
### 3.6.0
- [X] [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector
### 3.5.1
- [X] [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release
### 3.5.0
- [X] [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations
### 3.4.0
- [X] [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288
### 3.3.1
- [X] [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart
- [X] [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link
- [X] [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0
### 3.3.1
- [X] [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test
### 3.3.0
- [X] [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values
- [X] [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort
- [X] [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression
- [X] [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules
### 3.0.0
- [X] [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
### 2.16.0
- [X] [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
### 2.15.0
- [X] [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
### 2.14.0
- [X] [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
### 2.13.0
- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
### 2.13.0
- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
- [X] [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
### 2.12.1
- [X] [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
### 2.12.0
- [X] [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
- [X] [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
### 2.11.3
- [X] [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
### 2.11.2
- [X] [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
### 2.11.1
- [X] [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
### 2.11.0
- [X] [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
- [X] [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
### 2.10.0
- [X] [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
### 2.9.1
- [X] [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
### 2.9.0
- [X] [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
### TODO
Keep building the changelog using *git log charts* checking the tag


@@ -0,0 +1,21 @@
annotations:
artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.9.4"'
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 1.9.4
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
load balancer
home: https://github.com/kubernetes/ingress-nginx
icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
keywords:
- ingress
- nginx
kubeVersion: '>=1.20.0-0'
maintainers:
- name: rikatz
- name: strongjz
- name: tao12345666333
name: ingress-nginx
sources:
- https://github.com/kubernetes/ingress-nginx
version: 4.8.3


@@ -0,0 +1,10 @@
# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
approvers:
- ingress-nginx-helm-maintainers
reviewers:
- ingress-nginx-helm-reviewers
labels:
- area/helm


@@ -0,0 +1,512 @@
# ingress-nginx
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.8.3](https://img.shields.io/badge/Version-4.8.3-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Requirements
Kubernetes: `>=1.20.0-0`
## Get Repo Info
```console
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
```
## Install Chart
**Important:** only helm3 is supported
```console
helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
```
The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
_See [configuration](#configuration) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Uninstall Chart
```console
helm uninstall [RELEASE_NAME]
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
## Upgrading Chart
```console
helm upgrade [RELEASE_NAME] [CHART] --install
```
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Migrating from stable/nginx-ingress
There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one
1. For critical services in production that require zero-downtime, you will want to:
1. [Install](#install-chart) a second Ingress controller
1. Redirect your DNS traffic from the old controller to the new controller
1. Log traffic from both controllers during this changeover
1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
## Configuration
See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
```console
helm show values ingress-nginx/ingress-nginx
```
### PodDisruptionBudget
Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one,
else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info.
### Prometheus Metrics
The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
### ingress-nginx nginx\_status page/stats server
Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server
### ExternalDNS Service Configuration
Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
```yaml
controller:
service:
annotations:
external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
```
### AWS L7 ELB with SSL Termination
Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
```yaml
controller:
service:
targetPorts:
http: http
https: http
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
### Additional Internal Load Balancer
This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL.
You'll need to set both the following values:
`controller.service.internal.enabled`
`controller.service.internal.annotations`
If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken.
`controller.service.internal.annotations` varies with the cloud service you're using.
Example for AWS:
```yaml
controller:
service:
internal:
enabled: true
annotations:
# Create internal NLB
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
# Create internal ELB(Deprecated)
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
Example for GCE:
```yaml
controller:
service:
internal:
enabled: true
annotations:
# Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# For GKE versions 1.17 and later
networking.gke.io/load-balancer-type: "Internal"
# For earlier versions
# cloud.google.com/load-balancer-type: "Internal"
# Any other annotation can be declared here.
```
Example for Azure:
```yaml
controller:
service:
annotations:
# Create internal LB
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
Example for Oracle Cloud Infrastructure:
```yaml
controller:
service:
annotations:
# Create internal LB
service.beta.kubernetes.io/oci-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
### Ingress Admission Webhooks
With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
**This feature is enabled by default since 0.31.0.**
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
#### How the Chart Configures the Hooks
A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
3. Validating and Mutating webhook configurations are created in the cluster.
4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
#### Alternatives
It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
Please ensure that cert-manager is correctly installed and configured.
### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
```console
Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
```
Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commonLabels | object | `{}` | |
| controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
| controller.admissionWebhooks.annotations | object | `{}` | |
| controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | |
| controller.admissionWebhooks.certManager.enabled | bool | `false` | |
| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | |
| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | |
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` | |
| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` | |
| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` | |
| controller.admissionWebhooks.patch.tolerations | list | `[]` | |
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | |
| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | |
| controller.admissionWebhooks.service.servicePort | int | `443` | |
| controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
| controller.autoscaling.annotations | object | `{}` | |
| controller.autoscaling.behavior | object | `{}` | |
| controller.autoscaling.enabled | bool | `false` | |
| controller.autoscaling.maxReplicas | int | `11` | |
| controller.autoscaling.minReplicas | int | `1` | |
| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| controller.autoscalingTemplate | list | `[]` | |
| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
| controller.containerName | string | `"controller"` | Configures the controller container name |
| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
| controller.customTemplate.configMapKey | string | `""` | |
| controller.customTemplate.configMapName | string | `""` | |
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
| controller.enableAnnotationValidations | bool | `false` | |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
| controller.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
| controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. |
| controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
| controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
| controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
| controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `true` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsUser | int | `101` | |
| controller.image.tag | string | `"v1.9.4"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
| controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster |
| controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not |
| controller.ingressClassResource.name | string | `"nginx"` | Name of the ingressClass |
| controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. |
| controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` | |
| controller.keda.behavior | object | `{}` | |
| controller.keda.cooldownPeriod | int | `300` | |
| controller.keda.enabled | bool | `false` | |
| controller.keda.maxReplicas | int | `11` | |
| controller.keda.minReplicas | int | `1` | |
| controller.keda.pollingInterval | int | `30` | |
| controller.keda.restoreToOriginalReplicaCount | bool | `false` | |
| controller.keda.scaledObject.annotations | object | `{}` | |
| controller.keda.triggers | list | `[]` | |
| controller.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels # |
| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. # |
| controller.livenessProbe.failureThreshold | int | `5` | |
| controller.livenessProbe.httpGet.path | string | `"/healthz"` | |
| controller.livenessProbe.httpGet.port | int | `10254` | |
| controller.livenessProbe.httpGet.scheme | string | `"HTTP"` | |
| controller.livenessProbe.initialDelaySeconds | int | `10` | |
| controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | |
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
| controller.metrics.enabled | bool | `false` | |
| controller.metrics.port | int | `10254` | |
| controller.metrics.portName | string | `"metrics"` | |
| controller.metrics.prometheusRule.additionalLabels | object | `{}` | |
| controller.metrics.prometheusRule.enabled | bool | `false` | |
| controller.metrics.prometheusRule.rules | list | `[]` | |
| controller.metrics.service.annotations | object | `{}` | |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
| controller.metrics.service.servicePort | int | `10254` | |
| controller.metrics.service.type | string | `"ClusterIP"` | |
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
| controller.metrics.serviceMonitor.enabled | bool | `false` | |
| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | |
| controller.metrics.serviceMonitor.namespace | string | `""` | |
| controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | |
| controller.metrics.serviceMonitor.relabelings | list | `[]` | |
| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
| controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | |
| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
| controller.opentelemetry.resources | object | `{}` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
| controller.priorityClassName | string | `""` | |
| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
| controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
| controller.publishService.pathOverride | string | `""` | Allows overriding of the publish service to bind to Must be <namespace>/<service_name> |
| controller.readinessProbe.failureThreshold | int | `3` | |
| controller.readinessProbe.httpGet.path | string | `"/healthz"` | |
| controller.readinessProbe.httpGet.port | int | `10254` | |
| controller.readinessProbe.httpGet.scheme | string | `"HTTP"` | |
| controller.readinessProbe.initialDelaySeconds | int | `10` | |
| controller.readinessProbe.periodSeconds | int | `10` | |
| controller.readinessProbe.successThreshold | int | `1` | |
| controller.readinessProbe.timeoutSeconds | int | `1` | |
| controller.replicaCount | int | `1` | |
| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
| controller.resources.requests.cpu | string | `"100m"` | |
| controller.resources.requests.memory | string | `"90Mi"` | |
| controller.scope.enabled | bool | `false` | Enable 'scope' or not |
| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
| controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # |
| controller.service.enableHttp | bool | `true` | |
| controller.service.enableHttps | bool | `true` | |
| controller.service.enabled | bool | `true` | |
| controller.service.external.enabled | bool | `true` | |
| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service |
| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.labels | object | `{}` | |
| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.loadBalancerSourceRanges | list | `[]` | |
| controller.service.nodePorts.http | string | `""` | |
| controller.service.nodePorts.https | string | `""` | |
| controller.service.nodePorts.tcp | object | `{}` | |
| controller.service.nodePorts.udp | object | `{}` | |
| controller.service.ports.http | int | `80` | |
| controller.service.ports.https | int | `443` | |
| controller.service.targetPorts.http | string | `"http"` | |
| controller.service.targetPorts.https | string | `"https"` | |
| controller.service.type | string | `"LoadBalancer"` | |
| controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
| defaultBackend.affinity | object | `{}` | |
| defaultBackend.autoscaling.annotations | object | `{}` | |
| defaultBackend.autoscaling.enabled | bool | `false` | |
| defaultBackend.autoscaling.maxReplicas | int | `2` | |
| defaultBackend.autoscaling.minReplicas | int | `1` | |
| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
| defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | |
| defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
| defaultBackend.extraVolumeMounts | list | `[]` | |
| defaultBackend.extraVolumes | list | `[]` | |
| defaultBackend.image.allowPrivilegeEscalation | bool | `false` | |
| defaultBackend.image.image | string | `"defaultbackend-amd64"` | |
| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | |
| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | |
| defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | |
| defaultBackend.image.tag | string | `"1.5"` | |
| defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
| defaultBackend.livenessProbe.failureThreshold | int | `3` | |
| defaultBackend.livenessProbe.initialDelaySeconds | int | `30` | |
| defaultBackend.livenessProbe.periodSeconds | int | `10` | |
| defaultBackend.livenessProbe.successThreshold | int | `1` | |
| defaultBackend.livenessProbe.timeoutSeconds | int | `5` | |
| defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
| defaultBackend.port | int | `8080` | |
| defaultBackend.priorityClassName | string | `""` | |
| defaultBackend.readinessProbe.failureThreshold | int | `6` | |
| defaultBackend.readinessProbe.initialDelaySeconds | int | `0` | |
| defaultBackend.readinessProbe.periodSeconds | int | `5` | |
| defaultBackend.readinessProbe.successThreshold | int | `1` | |
| defaultBackend.readinessProbe.timeoutSeconds | int | `5` | |
| defaultBackend.replicaCount | int | `1` | |
| defaultBackend.resources | object | `{}` | |
| defaultBackend.service.annotations | object | `{}` | |
| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| defaultBackend.service.loadBalancerSourceRanges | list | `[]` | |
| defaultBackend.service.servicePort | int | `80` | |
| defaultBackend.service.type | string | `"ClusterIP"` | |
| defaultBackend.serviceAccount.automountServiceAccountToken | bool | `true` | |
| defaultBackend.serviceAccount.create | bool | `true` | |
| defaultBackend.serviceAccount.name | string | `""` | |
| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |
| rbac.scope | bool | `false` | |
| revisionHistoryLimit | int | `10` | Rollback limit # |
| serviceAccount.annotations | object | `{}` | Annotations for the controller service account |
| serviceAccount.automountServiceAccountToken | bool | `true` | |
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| tcp | object | `{}` | TCP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
| udp | object | `{}` | UDP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |


@@ -0,0 +1,229 @@
{{ template "chart.header" . }}
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
{{ template "chart.requirementsSection" . }}
## Get Repo Info
```console
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
```
## Install Chart
**Important:** only helm3 is supported
```console
helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
```
The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
_See [configuration](#configuration) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Uninstall Chart
```console
helm uninstall [RELEASE_NAME]
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
## Upgrading Chart
```console
helm upgrade [RELEASE_NAME] [CHART] --install
```
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Migrating from stable/nginx-ingress
There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one
1. For critical services in production that require zero-downtime, you will want to:
1. [Install](#install-chart) a second Ingress controller
1. Redirect your DNS traffic from the old controller to the new controller
1. Log traffic from both controllers during this changeover
1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
## Configuration
See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
```console
helm show values ingress-nginx/ingress-nginx
```
### PodDisruptionBudget
Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one,
else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info.
### Prometheus Metrics
The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
### ingress-nginx nginx\_status page/stats server
Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server
### ExternalDNS Service Configuration
Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
```yaml
controller:
service:
annotations:
external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
```
### AWS L7 ELB with SSL Termination
Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
```yaml
controller:
service:
targetPorts:
http: http
https: http
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
### Additional Internal Load Balancer
This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL.
You'll need to set both the following values:
`controller.service.internal.enabled`
`controller.service.internal.annotations`
If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken.
`controller.service.internal.annotations` varies with the cloud service you're using.
Example for AWS:
```yaml
controller:
service:
internal:
enabled: true
annotations:
# Create internal NLB
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
# Create internal ELB(Deprecated)
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
Example for GCE:
```yaml
controller:
service:
internal:
enabled: true
annotations:
# Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# For GKE versions 1.17 and later
networking.gke.io/load-balancer-type: "Internal"
# For earlier versions
# cloud.google.com/load-balancer-type: "Internal"
# Any other annotation can be declared here.
```
Example for Azure:
```yaml
controller:
service:
annotations:
# Create internal LB
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
Example for Oracle Cloud Infrastructure:
```yaml
controller:
service:
annotations:
# Create internal LB
service.beta.kubernetes.io/oci-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
### Ingress Admission Webhooks
With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
**This feature is enabled by default since 0.31.0.**
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
#### How the Chart Configures the Hooks
A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
3. Validating and Mutating webhook configurations are created in the cluster.
4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
#### Alternatives
It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
Please ensure that cert-manager is correctly installed and configured.
### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
```console
Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
```
Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
{{ template "chart.valuesSection" . }}


@@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### {{ .NewHelmChartVersion }}
{{ with .HelmUpdates }}
{{ range . }}* {{ . }}
{{ end }}{{ end }}
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{ .PreviousHelmChartVersion }}...helm-chart-{{ .NewHelmChartVersion }}


@@ -0,0 +1,13 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.5.2
* add lint on chart before release (#9570)
* ci: remove setup-helm step (#9404)
* feat(helm): Optionally use cert-manager instead admission patch (#9279)
* run helm release on main only and when the chart/value changes only (#9290)
* Update Ingress-Nginx version controller-v1.6.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.2


@@ -0,0 +1,24 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.5.3
* docs(helm): fix value key in readme for enabling certManager (#9640)
* Upgrade alpine 3.17.2
* Upgrade golang 1.20
* Drop testing/support for Kubernetes 1.23
* docs(helm): fix value key in readme for enabling certManager (#9640)
* Update Ingress-Nginx version controller-v1.7.0
* feat: OpenTelemetry module integration (#9062)
* canary-weight-total annotation ignored in rule backends (#9729)
* fix controller psp's volume config (#9740)
* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)
* Chart: Drop `controller.headers`, rework DH param secret. (#9659)
* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)
* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)
* Fix incorrect annotation name in upstream hashing configuration (#9617)
* Update Ingress-Nginx version controller-v1.7.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.5.2...helm-chart-4.6.0


@@ -0,0 +1,11 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.6.1
* [helm] Support custom port configuration for internal service (#9846)
* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
* Update Ingress-Nginx version controller-v1.7.1
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.0...helm-chart-4.6.1


@@ -0,0 +1,14 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.0
* helm: Fix opentelemetry module installation for daemonset (#9792)
* Update charts/* to keep project name display aligned (#9931)
* HPA: Use capabilites & align manifests. (#9521)
* PodDisruptionBudget spec logic update (#9904)
* add option for annotations in PodDisruptionBudget (#9843)
* Update Ingress-Nginx version controller-v1.8.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0


@@ -0,0 +1,12 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.1
* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
* feat(helm): Add loadBalancerClass (#9562)
* added helmshowvalues example (#10019)
* Update Ingress-Nginx version controller-v1.8.1
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1


@@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.2
* Update Ingress-Nginx version controller-v1.8.2
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2


@@ -0,0 +1,13 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.0-beta.0
* ci(helm): fix Helm Chart release action 422 error (#10237)
* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
* [helm] configure allow to configure hostAliases (#10180)
* [helm] pass service annotations through helm tpl engine (#10084)
* Update Ingress-Nginx version controller-v1.9.0-beta.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0


@@ -0,0 +1,13 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.0
* ci(helm): fix Helm Chart release action 422 error (#10237)
* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
* [helm] configure allow to configure hostAliases (#10180)
* [helm] pass service annotations through helm tpl engine (#10084)
* Update Ingress-Nginx version controller-v1.9.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0


@@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.1
* Update Ingress-Nginx version controller-v1.9.1
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1


@@ -0,0 +1,10 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.2
* - "update nginx base, httpbun, e2e, helm webhook cert gen (#10506)"
* - "Update Ingress-Nginx version controller-v1.9.3"
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2


@@ -0,0 +1,8 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.3
* Update Ingress-Nginx version controller-v1.9.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3


@@ -0,0 +1,6 @@
controller:
admissionWebhooks:
certManager:
enabled: true
service:
type: ClusterIP


@@ -0,0 +1,7 @@
controller:
watchIngressWithoutClass: true
ingressClassResource:
name: custom-nginx
enabled: true
default: true
controllerValue: "k8s.io/custom-nginx"


@@ -0,0 +1,14 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
kind: DaemonSet
allowSnippetAnnotations: false
admissionWebhooks:
enabled: false
service:
type: ClusterIP
config:
use-proxy-protocol: "true"


@@ -0,0 +1,22 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"


@@ -0,0 +1,10 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image: busybox
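Review bot: `image: busybox` in the `extraModules` entry has neither a tag nor a digest, so the pull resolves to whatever the registry currently serves under the default tag, and the image content can change between deployments without any change in this repository. The three later hunks that list an `opentelemetry` extra module repeat the same line. If these files are meant to stay identical to an upstream chart, keep them for chart tests only; otherwise pin the reference, e.g. `image: busybox:<TAG>@sha256:<DIGEST>` (placeholders, the page gives no digest).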


@@ -0,0 +1,14 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https
service:
type: ClusterIP


@@ -0,0 +1,14 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
internal:
enabled: true
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"


@@ -0,0 +1,10 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort


@@ -0,0 +1,17 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP
podAnnotations:
prometheus.io/path: /metrics
prometheus.io/port: "10254"
prometheus.io/scheme: http
prometheus.io/scrape: "true"


@@ -0,0 +1,20 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"


@@ -0,0 +1,18 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"
portNamePrefix: "port"


@@ -0,0 +1,16 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"


@@ -0,0 +1,14 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
9001: "default/test:8080"


@@ -0,0 +1,10 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP


@@ -0,0 +1,12 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP


@@ -0,0 +1,13 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
podSecurityPolicy:
enabled: true
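Review bot: `podSecurityPolicy` with `enabled: true` gives no protection on current clusters, because the PodSecurityPolicy API was removed in Kubernetes 1.25, and this hunk sets no other pod- or container-level restriction. The same stanza is repeated in the next hunk and in a later 10-line hunk. On newer clusters the restriction has to come from Pod Security Admission labels on the namespace or from an explicit `containerSecurityContext`, such as the `allowPrivilegeEscalation: false` used elsewhere in this commit. A comment above the stanza, e.g. `# PodSecurityPolicy only exists on Kubernetes < 1.25; newer clusters need Pod Security Admission`, would make that visible.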


@@ -0,0 +1,13 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
podSecurityPolicy:
enabled: true


@@ -0,0 +1,10 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP


@@ -0,0 +1,14 @@
controller:
autoscaling:
enabled: true
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Pods
value: 1
periodSeconds: 180
admissionWebhooks:
enabled: false
service:
type: ClusterIP


@@ -0,0 +1,11 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
autoscaling:
enabled: true
admissionWebhooks:
enabled: false
service:
type: ClusterIP


@@ -0,0 +1,12 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
config:
use-proxy-protocol: "true"
allowSnippetAnnotations: false
admissionWebhooks:
enabled: false
service:
type: ClusterIP


@@ -0,0 +1,20 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"


@@ -0,0 +1,8 @@
# Left blank to test default values
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP


@@ -0,0 +1,12 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
containerSecurityContext:
allowPrivilegeEscalation: false
extraModules:
- name: opentelemetry
image: busybox


@@ -0,0 +1,12 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image: busybox
containerSecurityContext:
allowPrivilegeEscalation: false


@@ -0,0 +1,10 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image: busybox


@@ -0,0 +1,13 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https
service:
type: ClusterIP


@@ -0,0 +1,19 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
internal:
enabled: true
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
ports:
http: 443
https: 80
targetPorts:
http: 443
https: 80


@@ -0,0 +1,11 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP


@@ -0,0 +1,9 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort


@@ -0,0 +1,16 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP
podAnnotations:
prometheus.io/path: /metrics
prometheus.io/port: "10254"
prometheus.io/scheme: http
prometheus.io/scrape: "true"


@@ -0,0 +1,10 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
podSecurityPolicy:
enabled: true


@@ -0,0 +1,19 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"


@@ -0,0 +1,17 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"
portNamePrefix: "port"

Some files were not shown because too many files have changed in this diff Show More