fix: vendor critical bootstrap charts
This commit is contained in:
@@ -948,6 +948,7 @@ jobs:
|
||||
B2_ACCOUNT_ID: ${{ secrets.B2_ACCOUNT_ID }}
|
||||
B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "Finding latest backup in B2..."
|
||||
|
||||
CREDS=$(echo -n "${B2_ACCOUNT_ID}:${B2_APPLICATION_KEY}" | base64)
|
||||
@@ -985,14 +986,15 @@ jobs:
|
||||
")
|
||||
|
||||
if [ "$LATEST" = "NONE" ]; then
|
||||
echo "No backups found in B2. Skipping restore."
|
||||
exit 0
|
||||
echo "No Rancher backups found in B2; refusing to continue without restored Rancher state." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
BACKUP_FILE=$(basename "$LATEST")
|
||||
echo "Latest backup: ${BACKUP_FILE}"
|
||||
|
||||
echo "Creating Restore CR..."
|
||||
kubectl -n cattle-resources-system delete restore restore-from-b2 --ignore-not-found
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: resources.cattle.io/v1
|
||||
kind: Restore
|
||||
@@ -1022,7 +1024,9 @@ jobs:
|
||||
fi
|
||||
sleep 10
|
||||
done
|
||||
echo "Restore did not complete within timeout. Continuing anyway."
|
||||
echo "Restore did not complete within timeout." >&2
|
||||
kubectl -n cattle-resources-system describe restore restore-from-b2 || true
|
||||
exit 1
|
||||
|
||||
- name: Seed observability runtime images
|
||||
run: |
|
||||
|
||||
@@ -23,6 +23,8 @@ env:
|
||||
TF_VAR_proxmox_api_token_id: ${{ secrets.PROXMOX_API_TOKEN_ID }}
|
||||
TF_VAR_proxmox_api_token_secret: ${{ secrets.PROXMOX_API_TOKEN_SECRET }}
|
||||
TF_VAR_proxmox_insecure: "true"
|
||||
B2_ACCOUNT_ID: ${{ secrets.B2_ACCOUNT_ID }}
|
||||
B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
|
||||
|
||||
jobs:
|
||||
destroy:
|
||||
@@ -58,6 +60,34 @@ jobs:
|
||||
-backend-config="secret_key=${{ secrets.S3_SECRET_KEY }}" \
|
||||
-backend-config="skip_requesting_account_id=true"
|
||||
|
||||
- name: Verify Rancher backup exists
|
||||
run: |
|
||||
set -euo pipefail
|
||||
CREDS=$(printf '%s:%s' "${B2_ACCOUNT_ID}" "${B2_APPLICATION_KEY}" | base64 -w0)
|
||||
AUTH_RESP=$(curl -fsS -H "Authorization: Basic ${CREDS}" https://api.backblazeb2.com/b2api/v2/b2_authorize_account)
|
||||
API_URL=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin)['apiUrl'])")
|
||||
AUTH_TOKEN=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin)['authorizationToken'])")
|
||||
BUCKET_ID=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin).get('allowed', {}).get('bucketId') or '')")
|
||||
|
||||
if [ -z "${BUCKET_ID}" ]; then
|
||||
BUCKET_ID=$(curl -fsS -H "Authorization: Bearer ${AUTH_TOKEN}" \
|
||||
"${API_URL}/b2api/v2/b2_list_buckets?accountId=${B2_ACCOUNT_ID}&bucketName=HetznerTerra" \
|
||||
| python3 -c "import json,sys; buckets=json.load(sys.stdin).get('buckets',[]); print(buckets[0]['bucketId'] if buckets else '')")
|
||||
fi
|
||||
|
||||
LATEST=$(curl -fsS -H "Authorization: Bearer ${AUTH_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"bucketId\":\"${BUCKET_ID}\",\"prefix\":\"rancher-backups/\",\"maxFileCount\":100}" \
|
||||
"${API_URL}/b2api/v2/b2_list_file_names" \
|
||||
| python3 -c "import json,sys; files=json.load(sys.stdin).get('files', []); tars=sorted(f['fileName'] for f in files if f['fileName'].endswith('.tar.gz')); print(tars[-1] if tars else '')")
|
||||
|
||||
if [ -z "${LATEST}" ]; then
|
||||
echo "No Rancher backup found in B2; refusing to destroy cluster." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Verified Rancher backup exists: ${LATEST}"
|
||||
|
||||
- name: Terraform Destroy
|
||||
id: destroy
|
||||
working-directory: terraform
|
||||
|
||||
@@ -8,11 +8,10 @@ spec:
|
||||
targetNamespace: cert-manager
|
||||
chart:
|
||||
spec:
|
||||
chart: cert-manager
|
||||
version: "v1.17.2"
|
||||
chart: ./infrastructure/charts/cert-manager
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: jetstack
|
||||
kind: GitRepository
|
||||
name: platform
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: jetstack
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1h
|
||||
url: https://charts.jetstack.io
|
||||
@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- helmrepository-cert-manager.yaml
|
||||
- helmrelease-cert-manager.yaml
|
||||
|
||||
@@ -8,11 +8,10 @@ spec:
|
||||
targetNamespace: cattle-resources-system
|
||||
chart:
|
||||
spec:
|
||||
chart: rancher-backup-crd
|
||||
version: "106.0.2+up8.1.0"
|
||||
chart: ./infrastructure/charts/rancher-backup-crd
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: rancher-charts
|
||||
kind: GitRepository
|
||||
name: platform
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
|
||||
@@ -10,11 +10,10 @@ spec:
|
||||
- name: rancher-backup-crd
|
||||
chart:
|
||||
spec:
|
||||
chart: rancher-backup
|
||||
version: "106.0.2+up8.1.0"
|
||||
chart: ./infrastructure/charts/rancher-backup
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: rancher-charts
|
||||
kind: GitRepository
|
||||
name: platform
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: rancher-charts
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1h
|
||||
url: https://charts.rancher.io
|
||||
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- helmrepository-rancher-backup.yaml
|
||||
- helmrelease-rancher-backup-crd.yaml
|
||||
- helmrelease-rancher-backup.yaml
|
||||
- b2-credentials-externalsecret.yaml
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: rancher-stable
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1h
|
||||
url: https://releases.rancher.com/server-charts/stable
|
||||
@@ -8,11 +8,10 @@ spec:
|
||||
targetNamespace: kube-system
|
||||
chart:
|
||||
spec:
|
||||
chart: traefik
|
||||
version: "39.0.0"
|
||||
chart: ./infrastructure/charts/traefik
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: traefik
|
||||
kind: GitRepository
|
||||
name: platform
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: traefik
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 10m
|
||||
url: https://traefik.github.io/charts
|
||||
provider: generic
|
||||
@@ -1,5 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helmrepository-traefik.yaml
|
||||
- helmrelease-traefik.yaml
|
||||
@@ -0,0 +1,26 @@
|
||||
annotations:
|
||||
artifacthub.io/category: security
|
||||
artifacthub.io/license: Apache-2.0
|
||||
artifacthub.io/prerelease: "false"
|
||||
artifacthub.io/signKey: |
|
||||
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
|
||||
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
|
||||
apiVersion: v2
|
||||
appVersion: v1.17.2
|
||||
description: A Helm chart for cert-manager
|
||||
home: https://cert-manager.io
|
||||
icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
|
||||
keywords:
|
||||
- cert-manager
|
||||
- kube-lego
|
||||
- letsencrypt
|
||||
- tls
|
||||
kubeVersion: '>= 1.22.0-0'
|
||||
maintainers:
|
||||
- email: cert-manager-maintainers@googlegroups.com
|
||||
name: cert-manager-maintainers
|
||||
url: https://cert-manager.io
|
||||
name: cert-manager
|
||||
sources:
|
||||
- https://github.com/cert-manager/cert-manager
|
||||
version: v1.17.2
|
||||
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,18 @@
|
||||
{{- if .Values.installCRDs }}
|
||||
⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
|
||||
{{- end }}
|
||||
cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
|
||||
|
||||
In order to begin issuing certificates, you will need to set up a ClusterIssuer
|
||||
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
|
||||
|
||||
More information on the different types of issuers and how to configure them
|
||||
can be found in our documentation:
|
||||
|
||||
https://cert-manager.io/docs/configuration/
|
||||
|
||||
For information on how to configure cert-manager to automatically provision
|
||||
Certificates for Ingress resources, take a look at the `ingress-shim`
|
||||
documentation:
|
||||
|
||||
https://cert-manager.io/docs/usage/ingress/
|
||||
@@ -0,0 +1,202 @@
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "cert-manager.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "cert-manager.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cert-manager.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Webhook templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'webhook' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "webhook.name" -}}
|
||||
{{- printf "webhook" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "webhook.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
|
||||
{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "webhook.caRef" -}}
|
||||
{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "webhook.serviceAccountName" -}}
|
||||
{{- if .Values.webhook.serviceAccount.create -}}
|
||||
{{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.webhook.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
cainjector templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "cainjector.name" -}}
|
||||
{{- printf "cainjector" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "cainjector.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cainjector.serviceAccountName" -}}
|
||||
{{- if .Values.cainjector.serviceAccount.create -}}
|
||||
{{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.cainjector.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
startupapicheck templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "startupapicheck.name" -}}
|
||||
{{- printf "startupapicheck" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "startupapicheck.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "startupapicheck.serviceAccountName" -}}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create -}}
|
||||
{{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "chartName" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Labels that should be added on each resource
|
||||
*/}}
|
||||
{{- define "labels" -}}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- if eq .Values.creator "helm" }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
helm.sh/chart: {{ include "chartName" . }}
|
||||
{{- end -}}
|
||||
{{- if .Values.global.commonLabels}}
|
||||
{{ toYaml .Values.global.commonLabels }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Namespace for all resources to be installed into
|
||||
If not defined in values file then the helm release namespace is used
|
||||
By default this is not set so the helm release namespace will be used
|
||||
|
||||
This gets around an problem within helm discussed here
|
||||
https://github.com/helm/helm/issues/5358
|
||||
*/}}
|
||||
{{- define "cert-manager.namespace" -}}
|
||||
{{ .Values.namespace | default .Release.Namespace }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Util function for generating the image URL based on the provided options.
|
||||
IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
|
||||
Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
|
||||
See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
|
||||
*/}}
|
||||
{{- define "image" -}}
|
||||
{{- $defaultTag := index . 1 -}}
|
||||
{{- with index . 0 -}}
|
||||
{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
|
||||
{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Check that the user has not set both .installCRDs and .crds.enabled or
|
||||
set .installCRDs and disabled .crds.keep.
|
||||
.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
|
||||
*/}}
|
||||
{{- define "cert-manager.crd-check" -}}
|
||||
{{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
|
||||
{{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
|
||||
{{- end }}
|
||||
{{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
|
||||
{{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,19 @@
|
||||
{{- if .Values.cainjector.config -}}
|
||||
{{- $config := .Values.cainjector.config -}}
|
||||
{{- $_ := set $config "apiVersion" (default "cainjector.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
|
||||
{{- $_ := set $config "kind" (default "CAInjectorConfiguration" $config.kind) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- $config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,166 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.cainjector.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- with .Values.cainjector.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.cainjector.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||
{{- if not .Values.cainjector.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.cainjector.serviceAccount.create }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-cainjector
|
||||
image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.cainjector.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.featureGates}}
|
||||
- --feature-gates={{ . }}
|
||||
{{- end}}
|
||||
{{- with .Values.cainjector.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.prometheus.enabled }}
|
||||
- --metrics-listen-address=0
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.enabled }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.cainjector.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.cainjector.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.cainjector.volumes .Values.cainjector.config }}
|
||||
volumes:
|
||||
{{- if .Values.cainjector.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
{{- end }}
|
||||
{{ with .Values.cainjector.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,29 @@
|
||||
{{- if .Values.cainjector.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
|
||||
{{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,20 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cainjector.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,22 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,51 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,156 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiregistration.k8s.io"]
|
||||
resources: ["apiservices"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
subjects:
|
||||
- name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
# leader election rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $certmanagerNamespace := include "cert-manager.namespace" . }}
|
||||
{{- if (.Values.cainjector.config.metricsTLSConfig).dynamic }}
|
||||
{{- if $certmanagerNamespace | eq .Values.cainjector.config.metricsTLSConfig.dynamic.secretNamespace }}
|
||||
|
||||
---
|
||||
|
||||
# Metrics server dynamic TLS serving certificate rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
# Allow cainjector to read and update the metrics CA Secret when dynamic TLS is
|
||||
# enabled for the metrics server and if the Secret is configured to be in the
|
||||
# same namespace as cert-manager.
|
||||
- {{ .Values.cainjector.config.metricsTLSConfig.dynamic.secretName | quote }}
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cainjector.fullname" . }}:dynamic-serving
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,32 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.cainjector.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
name: http-metrics
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,27 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.cainjector.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.cainjector.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,19 @@
|
||||
{{- if .Values.config -}}
|
||||
{{- $config := .Values.config -}}
|
||||
{{- $_ := set $config "apiVersion" (default "controller.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
|
||||
{{- $_ := set $config "kind" (default "ControllerConfiguration" $config.kind) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- $config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
||||
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,237 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- with .Values.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||
{{- if not .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.serviceAccount.create }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
|
||||
{{- if hasKey .Values "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.volumes .Values.config}}
|
||||
volumes:
|
||||
{{- if .Values.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
{{- end }}
|
||||
{{ with .Values.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-controller
|
||||
image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.config "" }}
|
||||
{{- if .Values.clusterResourceNamespace }}
|
||||
- --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
|
||||
{{- else }}
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.acmesolver.image }}
|
||||
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
|
||||
{{- end }}
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingressShim }}
|
||||
{{- if .defaultIssuerName }}
|
||||
- --default-issuer-name={{ .defaultIssuerName }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerKind }}
|
||||
- --default-issuer-kind={{ .defaultIssuerKind }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerGroup }}
|
||||
- --default-issuer-group={{ .defaultIssuerGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
{{- if .Values.maxConcurrentChallenges }}
|
||||
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
|
||||
{{- end }}
|
||||
{{- if .Values.enableCertificateOwnerRef }}
|
||||
- --enable-certificate-owner-ref=true
|
||||
{{- end }}
|
||||
{{- if .Values.dns01RecursiveNameserversOnly }}
|
||||
- --dns01-recursive-nameservers-only=true
|
||||
{{- end }}
|
||||
{{- with .Values.dns01RecursiveNameservers }}
|
||||
- --dns01-recursive-nameservers={{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.disableAutoApproval }}
|
||||
- --controllers=-certificaterequests-approver
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
- containerPort: 9403
|
||||
name: http-healthz
|
||||
protocol: TCP
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.config .Values.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.http_proxy }}
|
||||
- name: HTTP_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.https_proxy }}
|
||||
- name: HTTPS_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.no_proxy }}
|
||||
- name: NO_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
|
||||
{{- with .Values.livenessProbe }}
|
||||
{{- if .enabled }}
|
||||
# LivenessProbe settings are based on those used for the Kubernetes
|
||||
# controller-manager. See:
|
||||
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
port: http-healthz
|
||||
path: /livez
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .initialDelaySeconds }}
|
||||
periodSeconds: {{ .periodSeconds }}
|
||||
timeoutSeconds: {{ .timeoutSeconds }}
|
||||
successThreshold: {{ .successThreshold }}
|
||||
failureThreshold: {{ .failureThreshold }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsPolicy }}
|
||||
dnsPolicy: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsConfig }}
|
||||
dnsConfig:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.hostAliases }}
|
||||
hostAliases: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,4 @@
|
||||
{{ range .Values.extraObjects }}
|
||||
---
|
||||
{{ tpl . $ }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,19 @@
|
||||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-egress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
egress:
|
||||
{{- with .Values.webhook.networkPolicy.egress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
policyTypes:
|
||||
- Egress
|
||||
{{- end }}
|
||||
@@ -0,0 +1,21 @@
|
||||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-ingress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
ingress:
|
||||
{{- with .Values.webhook.networkPolicy.ingress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
{{- end }}
|
||||
@@ -0,0 +1,29 @@
|
||||
{{- if .Values.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
|
||||
{{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,63 @@
|
||||
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||
{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.podmonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
|
||||
{{- with .Values.prometheus.podmonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.podmonitor.annotations }}
|
||||
annotations:
|
||||
{{- with .Values.prometheus.podmonitor.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
selector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- {{ include "cainjector.name" . }}
|
||||
- {{ template "cert-manager.name" . }}
|
||||
- {{ include "webhook.name" . }}
|
||||
- key: app.kubernetes.io/instance
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Release.Name }}
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- cainjector
|
||||
- controller
|
||||
- webhook
|
||||
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
podMetricsEndpoints:
|
||||
- port: http-metrics
|
||||
path: {{ .Values.prometheus.podmonitor.path }}
|
||||
interval: {{ .Values.prometheus.podmonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
|
||||
{{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,18 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cert-manager.fullname" . }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,20 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,49 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
@@ -0,0 +1,617 @@
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["serviceaccounts/token"]
|
||||
resourceNames: ["{{ template "cert-manager.serviceAccountName" . }}"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to create tokens for the serviceaccount
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" . }}-tokenrequest
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
|
||||
# Issuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "issuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
|
||||
# ClusterIssuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "clusterissuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Certificates controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders"]
|
||||
verbs: ["create", "delete", "get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Orders controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "orders/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["create", "delete"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Challenges controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update", "patch"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to watch challenges, issuer and clusterissuer resources
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Need to be able to retrieve ACME account private key to complete challenges
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to create events
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# HTTP01 rules
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||
resources: [ "httproutes" ]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
# new ingress resources.
|
||||
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources: ["routes/custom-host"]
|
||||
verbs: ["create"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges/finalizers"]
|
||||
verbs: ["update"]
|
||||
# DNS01 rules (duplicated above)
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
# ingress-shim controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests"]
|
||||
verbs: ["create", "update", "delete"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways", "httproutes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-cluster-view
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
{{- end }}
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-view
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-edit
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
|
||||
---
|
||||
|
||||
{{- if not .Values.disableAutoApproval -}}
|
||||
|
||||
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["signers"]
|
||||
verbs: ["approve"]
|
||||
{{- with .Values.approveSignerNames }}
|
||||
resourceNames:
|
||||
{{- range . }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
{{- end -}}
|
||||
|
||||
# Permission to:
|
||||
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["signers"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
verbs: ["sign"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
{{- end }}
|
||||
@@ -0,0 +1,37 @@
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
{{- if .Values.serviceIPFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceIPFamilies }}
|
||||
ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
name: tcp-prometheus-servicemonitor
|
||||
targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- end }}
|
||||
@@ -0,0 +1,27 @@
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- range $k, $v := . }}
|
||||
{{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,63 @@
|
||||
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||
{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
|
||||
{{- with .Values.prometheus.servicemonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.servicemonitor.annotations }}
|
||||
annotations:
|
||||
{{- with .Values.prometheus.servicemonitor.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
selector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- {{ include "cainjector.name" . }}
|
||||
- {{ template "cert-manager.name" . }}
|
||||
- {{ include "webhook.name" . }}
|
||||
- key: app.kubernetes.io/instance
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Release.Name }}
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- cainjector
|
||||
- controller
|
||||
- webhook
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
endpoints:
|
||||
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
path: {{ .Values.prometheus.servicemonitor.path }}
|
||||
interval: {{ .Values.prometheus.servicemonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
|
||||
{{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,95 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.jobAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.startupapicheck.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-startupapicheck
|
||||
image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
|
||||
args:
|
||||
- check
|
||||
- api
|
||||
- --wait={{ .Values.startupapicheck.timeout }}
|
||||
{{- with .Values.startupapicheck.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.startupapicheck.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,24 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "startupapicheck.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
+26
@@ -0,0 +1,26 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,51 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,48 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
# create certificate role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificaterequests"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,27 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,19 @@
|
||||
{{- if .Values.webhook.config -}}
|
||||
{{- $config := .Values.webhook.config -}}
|
||||
{{- $_ := set $config "apiVersion" (default "webhook.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
|
||||
{{- $_ := set $config "kind" (default "WebhookConfiguration" $config.kind) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- $config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,217 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.webhook.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- with .Values.webhook.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||
{{- if not .Values.webhook.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.webhook.serviceAccount.create }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-webhook
|
||||
image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.webhook.config "" }}
|
||||
{{ if not $config.securePort -}}
|
||||
- --secure-port={{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.featureGates }}
|
||||
- --feature-gates={{ .Values.webhook.featureGates }}
|
||||
{{- end }}
|
||||
{{- $tlsConfig := default $config.tlsConfig "" }}
|
||||
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
|
||||
{{ if .Values.webhook.url.host }}
|
||||
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.prometheus.enabled }}
|
||||
- --metrics-listen-address=0
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
protocol: TCP
|
||||
{{- if $config.securePort }}
|
||||
containerPort: {{ $config.securePort }}
|
||||
{{- else if .Values.webhook.securePort }}
|
||||
containerPort: {{ .Values.webhook.securePort }}
|
||||
{{- else }}
|
||||
containerPort: 6443
|
||||
{{- end }}
|
||||
- name: healthcheck
|
||||
protocol: TCP
|
||||
{{- if $config.healthzPort }}
|
||||
containerPort: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
containerPort: 6080
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.enabled }}
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /livez
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
|
||||
{{- with .Values.webhook.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.webhook.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumes }}
|
||||
volumes:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,48 @@
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
|
||||
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
{{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
|
||||
namespaceSelector:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
resources:
|
||||
- "certificaterequests"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/mutate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
path: /mutate
|
||||
{{- end }}
|
||||
@@ -0,0 +1,29 @@
|
||||
{{- if .Values.webhook.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
|
||||
{{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,18 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "webhook.fullname" . }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,20 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,54 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: {{ .Values.webhook.hostNetwork }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostPorts:
|
||||
- max: {{ .Values.webhook.securePort }}
|
||||
min: {{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
@@ -0,0 +1,90 @@
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
- '{{ template "webhook.fullname" . }}-ca'
|
||||
{{- $certmanagerNamespace := include "cert-manager.namespace" . }}
|
||||
{{- with (.Values.webhook.config.metricsTLSConfig).dynamic }}
|
||||
{{- if $certmanagerNamespace | eq .secretNamespace }}
|
||||
# Allow webhook to read and update the metrics CA Secret when dynamic TLS is
|
||||
# enabled for the metrics server and if the Secret is configured to be in the
|
||||
# same namespace as cert-manager.
|
||||
- {{ .secretName | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,44 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.webhook.serviceType }}
|
||||
{{- if .Values.webhook.serviceIPFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.serviceIPFamilies }}
|
||||
ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.loadBalancerIP }}
|
||||
loadBalancerIP: {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: "https"
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||
- name: metrics
|
||||
port: 9402
|
||||
protocol: TCP
|
||||
targetPort: "http-metrics"
|
||||
{{- end }}
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
@@ -0,0 +1,25 @@
|
||||
{{- if .Values.webhook.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,49 @@
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
|
||||
{{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
{{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
|
||||
namespaceSelector:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/validate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
path: /validate
|
||||
{{- end }}
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,11 @@
|
||||
annotations:
|
||||
catalog.cattle.io/certified: rancher
|
||||
catalog.cattle.io/hidden: "true"
|
||||
catalog.cattle.io/namespace: cattle-resources-system
|
||||
catalog.cattle.io/release-name: rancher-backup-crd
|
||||
apiVersion: v2
|
||||
appVersion: v7.0.5
|
||||
description: Installs the CRDs for rancher-backup.
|
||||
name: rancher-backup-crd
|
||||
type: application
|
||||
version: 106.0.6+up7.0.5
|
||||
@@ -0,0 +1,3 @@
|
||||
# Rancher Backup CRD
|
||||
|
||||
A Rancher chart that installs the CRDs used by `rancher-backup`.
|
||||
@@ -0,0 +1,151 @@
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: backups.resources.cattle.io
|
||||
spec:
|
||||
group: resources.cattle.io
|
||||
names:
|
||||
kind: Backup
|
||||
plural: backups
|
||||
singular: backup
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .status.storageLocation
|
||||
name: Location
|
||||
type: string
|
||||
- jsonPath: .status.backupType
|
||||
name: Type
|
||||
type: string
|
||||
- jsonPath: .status.filename
|
||||
name: Latest-Backup
|
||||
type: string
|
||||
- jsonPath: .spec.resourceSetName
|
||||
name: ResourceSet
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
type: string
|
||||
name: v1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
properties:
|
||||
encryptionConfigSecretName:
|
||||
description: Name of the Secret containing the encryption config
|
||||
nullable: true
|
||||
type: string
|
||||
resourceSetName:
|
||||
description: Name of the ResourceSet CR to use for backup
|
||||
nullable: true
|
||||
type: string
|
||||
retentionCount:
|
||||
minimum: 1
|
||||
type: integer
|
||||
schedule:
|
||||
description: Cron schedule for recurring backups
|
||||
example:
|
||||
Descriptors: '@midnight'
|
||||
Standard crontab specs: 0 0 * * *
|
||||
nullable: true
|
||||
type: string
|
||||
storageLocation:
|
||||
nullable: true
|
||||
properties:
|
||||
s3:
|
||||
nullable: true
|
||||
properties:
|
||||
bucketName:
|
||||
nullable: true
|
||||
type: string
|
||||
clientConfig:
|
||||
nullable: true
|
||||
properties:
|
||||
aws:
|
||||
nullable: true
|
||||
properties:
|
||||
dualStack:
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
credentialSecretName:
|
||||
nullable: true
|
||||
type: string
|
||||
credentialSecretNamespace:
|
||||
nullable: true
|
||||
type: string
|
||||
endpoint:
|
||||
nullable: true
|
||||
type: string
|
||||
endpointCA:
|
||||
nullable: true
|
||||
type: string
|
||||
folder:
|
||||
nullable: true
|
||||
type: string
|
||||
insecureTLSSkipVerify:
|
||||
type: boolean
|
||||
region:
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- resourceSetName
|
||||
type: object
|
||||
status:
|
||||
properties:
|
||||
backupType:
|
||||
nullable: true
|
||||
type: string
|
||||
conditions:
|
||||
items:
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
nullable: true
|
||||
type: string
|
||||
lastUpdateTime:
|
||||
nullable: true
|
||||
type: string
|
||||
message:
|
||||
nullable: true
|
||||
type: string
|
||||
reason:
|
||||
nullable: true
|
||||
type: string
|
||||
status:
|
||||
nullable: true
|
||||
type: string
|
||||
type:
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
nullable: true
|
||||
type: array
|
||||
filename:
|
||||
nullable: true
|
||||
type: string
|
||||
lastSnapshotTs:
|
||||
nullable: true
|
||||
type: string
|
||||
nextSnapshotAt:
|
||||
nullable: true
|
||||
type: string
|
||||
observedGeneration:
|
||||
type: integer
|
||||
storageLocation:
|
||||
nullable: true
|
||||
type: string
|
||||
summary:
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
@@ -0,0 +1,124 @@
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: resourcesets.resources.cattle.io
|
||||
spec:
|
||||
group: resources.cattle.io
|
||||
names:
|
||||
kind: ResourceSet
|
||||
plural: resourcesets
|
||||
singular: resourceset
|
||||
scope: Cluster
|
||||
versions:
|
||||
- name: v1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
controllerReferences:
|
||||
items:
|
||||
properties:
|
||||
apiVersion:
|
||||
nullable: true
|
||||
type: string
|
||||
name:
|
||||
nullable: true
|
||||
type: string
|
||||
namespace:
|
||||
nullable: true
|
||||
type: string
|
||||
replicas:
|
||||
type: integer
|
||||
resource:
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
nullable: true
|
||||
type: array
|
||||
resourceSelectors:
|
||||
items:
|
||||
properties:
|
||||
apiVersion:
|
||||
nullable: true
|
||||
type: string
|
||||
excludeKinds:
|
||||
items:
|
||||
nullable: true
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
excludeResourceNameRegexp:
|
||||
nullable: true
|
||||
type: string
|
||||
fieldSelectors:
|
||||
additionalProperties:
|
||||
nullable: true
|
||||
type: string
|
||||
nullable: true
|
||||
type: object
|
||||
kinds:
|
||||
items:
|
||||
nullable: true
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
kindsRegexp:
|
||||
nullable: true
|
||||
type: string
|
||||
labelSelectors:
|
||||
nullable: true
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
nullable: true
|
||||
type: string
|
||||
operator:
|
||||
nullable: true
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
nullable: true
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
type: object
|
||||
nullable: true
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
nullable: true
|
||||
type: string
|
||||
nullable: true
|
||||
type: object
|
||||
type: object
|
||||
namespaceRegexp:
|
||||
nullable: true
|
||||
type: string
|
||||
namespaces:
|
||||
items:
|
||||
nullable: true
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
resourceNameRegexp:
|
||||
nullable: true
|
||||
type: string
|
||||
resourceNames:
|
||||
items:
|
||||
nullable: true
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
type: object
|
||||
nullable: true
|
||||
required:
|
||||
- apiVersion
|
||||
type: array
|
||||
required:
|
||||
- resourceSelectors
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
@@ -0,0 +1,132 @@
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: restores.resources.cattle.io
|
||||
spec:
|
||||
group: resources.cattle.io
|
||||
names:
|
||||
kind: Restore
|
||||
plural: restores
|
||||
singular: restore
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .status.backupSource
|
||||
name: Backup-Source
|
||||
type: string
|
||||
- jsonPath: .spec.backupFilename
|
||||
name: Backup-File
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
type: string
|
||||
name: v1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
properties:
|
||||
backupFilename:
|
||||
nullable: true
|
||||
type: string
|
||||
deleteTimeoutSeconds:
|
||||
maximum: 10
|
||||
type: integer
|
||||
encryptionConfigSecretName:
|
||||
nullable: true
|
||||
type: string
|
||||
ignoreErrors:
|
||||
type: boolean
|
||||
prune:
|
||||
nullable: true
|
||||
type: boolean
|
||||
storageLocation:
|
||||
nullable: true
|
||||
properties:
|
||||
s3:
|
||||
nullable: true
|
||||
properties:
|
||||
bucketName:
|
||||
nullable: true
|
||||
type: string
|
||||
clientConfig:
|
||||
nullable: true
|
||||
properties:
|
||||
aws:
|
||||
nullable: true
|
||||
properties:
|
||||
dualStack:
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
credentialSecretName:
|
||||
nullable: true
|
||||
type: string
|
||||
credentialSecretNamespace:
|
||||
nullable: true
|
||||
type: string
|
||||
endpoint:
|
||||
nullable: true
|
||||
type: string
|
||||
endpointCA:
|
||||
nullable: true
|
||||
type: string
|
||||
folder:
|
||||
nullable: true
|
||||
type: string
|
||||
insecureTLSSkipVerify:
|
||||
type: boolean
|
||||
region:
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- backupFilename
|
||||
type: object
|
||||
status:
|
||||
properties:
|
||||
backupSource:
|
||||
nullable: true
|
||||
type: string
|
||||
conditions:
|
||||
items:
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
nullable: true
|
||||
type: string
|
||||
lastUpdateTime:
|
||||
nullable: true
|
||||
type: string
|
||||
message:
|
||||
nullable: true
|
||||
type: string
|
||||
reason:
|
||||
nullable: true
|
||||
type: string
|
||||
status:
|
||||
nullable: true
|
||||
type: string
|
||||
type:
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
nullable: true
|
||||
type: array
|
||||
observedGeneration:
|
||||
type: integer
|
||||
restoreCompletionTs:
|
||||
nullable: true
|
||||
type: string
|
||||
summary:
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
@@ -0,0 +1,26 @@
|
||||
annotations:
|
||||
catalog.cattle.io/auto-install: rancher-backup-crd=match
|
||||
catalog.cattle.io/certified: rancher
|
||||
catalog.cattle.io/display-name: Rancher Backups
|
||||
catalog.cattle.io/kube-version: '>= 1.30.0-0 < 1.33.0-0'
|
||||
catalog.cattle.io/namespace: cattle-resources-system
|
||||
catalog.cattle.io/os: linux
|
||||
catalog.cattle.io/permits-os: linux,windows
|
||||
catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1
|
||||
catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
|
||||
catalog.cattle.io/release-name: rancher-backup
|
||||
catalog.cattle.io/scope: management
|
||||
catalog.cattle.io/type: cluster-tool
|
||||
catalog.cattle.io/ui-component: rancher-backup
|
||||
catalog.cattle.io/upstream-version: 7.0.5
|
||||
apiVersion: v2
|
||||
appVersion: v7.0.5
|
||||
description: Provides ability to back up and restore the Rancher application running
|
||||
on any Kubernetes cluster
|
||||
icon: file://assets/logos/rancher-backup.svg
|
||||
keywords:
|
||||
- applications
|
||||
- infrastructure
|
||||
kubeVersion: '>= 1.30.0-0'
|
||||
name: rancher-backup
|
||||
version: 106.0.6+up7.0.5
|
||||
@@ -0,0 +1,79 @@
|
||||
# Rancher Backup
|
||||
|
||||
This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster.
|
||||
|
||||
Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details.
|
||||
|
||||
-----
|
||||
|
||||
### Get Repo Info
|
||||
```bash
|
||||
helm repo add rancher-chart https://charts.rancher.io
|
||||
helm repo update
|
||||
```
|
||||
|
||||
-----
|
||||
|
||||
### Install Chart
|
||||
```bash
|
||||
helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace
|
||||
helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system
|
||||
```
|
||||
|
||||
-----
|
||||
|
||||
### Configuration
|
||||
The following table lists the configurable parameters of the rancher-backup chart and their default values:
|
||||
|
||||
| Parameter | Description | Default |
|
||||
|----------|---------------|-------|
|
||||
| image.repository | Container image repository | rancher/backup-restore-operator |
|
||||
| image.tag | Container image tag | v0.1.0-rc1 |
|
||||
| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false |
|
||||
| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" |
|
||||
| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" |
|
||||
| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" |
|
||||
| s3.bucketName | Name of the Bucket | "" |
|
||||
| s3.folder | Base folder within the Bucket (optional) | "" |
|
||||
| s3.endpoint | Endpoint for the S3 storage provider | "" |
|
||||
| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" |
|
||||
| s3.insecureTLSSkipVerify | Skip SSL verification | false |
|
||||
| persistence.enabled | Configure a Persistent Volume as the default storage location. It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false |
|
||||
| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" |
|
||||
| persistence.volumeName | Persistent Volume to use for storing backups | "" |
|
||||
| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" |
|
||||
| debug | Set debug flag for backup-restore deployment | false |
|
||||
| trace | Set trace flag for backup-restore deployment | false |
|
||||
| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} |
|
||||
| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] |
|
||||
| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} |
|
||||
| serviceAccount.annotations | Annotations to apply to created service account | {} |
|
||||
| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false |
|
||||
|
||||
-----
|
||||
|
||||
### PSPs
|
||||
|
||||
We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above.
|
||||
|
||||
-----
|
||||
|
||||
### CRDs
|
||||
|
||||
Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs.
|
||||
|
||||
-----
|
||||
### Upgrading Chart
|
||||
```bash
|
||||
helm upgrade rancher-backup-crd -n cattle-resources-system
|
||||
helm upgrade rancher-backup -n cattle-resources-system
|
||||
```
|
||||
|
||||
-----
|
||||
### Uninstall Chart
|
||||
|
||||
```bash
|
||||
helm uninstall rancher-backup -n cattle-resources-system
|
||||
helm uninstall rancher-backup-crd -n cattle-resources-system
|
||||
```
|
||||
|
||||
@@ -0,0 +1,33 @@
|
||||
# Rancher Backup
|
||||
|
||||
This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster.
|
||||
|
||||
For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/backup-restore-and-disaster-recovery).
|
||||
|
||||
This chart installs the following components:
|
||||
|
||||
- [backup-restore-operator](https://github.com/rancher/backup-restore-operator)
|
||||
- The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location.
|
||||
- The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store.
|
||||
- It preserves the ownerReferences on all resources, hence maintaining dependencies between objects.
|
||||
- This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
|
||||
- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals.
|
||||
- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to.
|
||||
|
||||
## Upgrading to Kubernetes v1.25+
|
||||
|
||||
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
|
||||
|
||||
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
|
||||
|
||||
> **Note:**
|
||||
> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
|
||||
|
||||
> **Note:**
|
||||
> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
|
||||
>
|
||||
> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
|
||||
|
||||
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
|
||||
|
||||
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
|
||||
@@ -0,0 +1,25 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "aks.cattle.io$"
|
||||
- apiVersion: "aks.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
namespaces:
|
||||
- "cattle-system"
|
||||
resourceNames:
|
||||
- "aks-config-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "aks-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "aks-operator"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaces:
|
||||
- "cattle-system"
|
||||
resourceNames:
|
||||
- "aks-operator"
|
||||
@@ -0,0 +1,17 @@
|
||||
- apiVersion: "eks.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
resourceNames:
|
||||
- "eks-config-operator"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "eks.cattle.io$"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "eks-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "eks-operator"
|
||||
@@ -0,0 +1,49 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "elemental.cattle.io$"
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
namespaces:
|
||||
- "cattle-elemental-system"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaces:
|
||||
- "cattle-elemental-system"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "^globalrole$"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "^apiservice$"
|
||||
resourceNameRegexp: "elemental.cattle.io$"
|
||||
- apiVersion: "elemental.cattle.io/v1beta1"
|
||||
kindsRegexp: "."
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-|^cattle-elemental-system$"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^roles$|^rolebindings$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "elemental.cattle.io/managed"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "elemental.cattle.io/managed"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
@@ -0,0 +1,48 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
resourceNameRegexp: "^fleet-"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "app.kubernetes.io/managed-by"
|
||||
operator: "In"
|
||||
values: ["rancher"]
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
excludeResourceNameRegexp: "^default$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^configmaps$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^roles$|^rolebindings$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNameRegexp: "^fleet-|^gitjob-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNameRegexp: "^fleet-"
|
||||
resourceNames:
|
||||
- "gitjob"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
|
||||
- apiVersion: "fleet.cattle.io/v1alpha1"
|
||||
kindsRegexp: "."
|
||||
excludeKinds:
|
||||
- "bundledeployments"
|
||||
- apiVersion: "gitjob.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
resourceNameRegexp: "^fleet-"
|
||||
resourceNames:
|
||||
- "gitjob"
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^services$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
resourceNames:
|
||||
- "gitjob"
|
||||
@@ -0,0 +1,17 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "gke.cattle.io$"
|
||||
- apiVersion: "gke.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
resourceNames:
|
||||
- "gke-config-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "gke-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "gke-operator"
|
||||
+18
@@ -0,0 +1,18 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
|
||||
- apiVersion: "provisioning.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "rke-machine-config.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "rke-machine.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "rke.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "cluster.x-k8s.io/v1beta1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^configmaps$"
|
||||
resourceNames:
|
||||
- "provisioning-log"
|
||||
namespaceRegexp: "^c-m-"
|
||||
+28
@@ -0,0 +1,28 @@
|
||||
- apiVersion: "rancher.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
resourceNames:
|
||||
- "rancher-operator"
|
||||
namespaces:
|
||||
- "rancher-operator-system"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaces:
|
||||
- "rancher-operator-system"
|
||||
excludeResourceNameRegexp: "^default$"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "rancher-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "rancher-operator"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "rancher.cattle.io$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
resourceNames:
|
||||
- "rancher-operator-system"
|
||||
@@ -0,0 +1,52 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-|^local-"
|
||||
resourceNames:
|
||||
- "local"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
|
||||
excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^configmaps$"
|
||||
namespaces:
|
||||
- "cattle-system"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^roles$|^rolebindings$"
|
||||
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
|
||||
excludeResourceNameRegexp: "^rancher-csp-adapter"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$"
|
||||
excludeResourceNameRegexp: "^rancher-csp-adapter-"
|
||||
- apiVersion: "scheduling.k8s.io/v1"
|
||||
kindsRegexp: "^priorityclasses$"
|
||||
resourceNameRegexp: "^rancher-critical$"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "."
|
||||
excludeKinds:
|
||||
- "tokens"
|
||||
- "rancherusernotifications"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "^tokens$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "authn.management.cattle.io/kind"
|
||||
operator: "NotIn"
|
||||
values: [ "provisioning" ]
|
||||
- apiVersion: "project.cattle.io/v3"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "catalog.cattle.io/v1"
|
||||
kindsRegexp: "^clusterrepos$"
|
||||
- apiVersion: "resources.cattle.io/v1"
|
||||
kindsRegexp: "^ResourceSet$"
|
||||
- apiVersion: catalog.cattle.io/v1
|
||||
kindsRegexp: ^UIPlugin$
|
||||
namespaces:
|
||||
- cattle-ui-plugin-system
|
||||
@@ -0,0 +1,25 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "aks.cattle.io$"
|
||||
- apiVersion: "aks.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
namespaces:
|
||||
- "cattle-system"
|
||||
resourceNames:
|
||||
- "aks-config-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "aks-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "aks-operator"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaces:
|
||||
- "cattle-system"
|
||||
resourceNames:
|
||||
- "aks-operator"
|
||||
@@ -0,0 +1,17 @@
|
||||
- apiVersion: "eks.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
resourceNames:
|
||||
- "eks-config-operator"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "eks.cattle.io$"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "eks-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "eks-operator"
|
||||
+49
@@ -0,0 +1,49 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "elemental.cattle.io$"
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
namespaces:
|
||||
- "cattle-elemental-system"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaces:
|
||||
- "cattle-elemental-system"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "^globalrole$"
|
||||
resourceNames:
|
||||
- "elemental-operator"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "^apiservice$"
|
||||
resourceNameRegexp: "elemental.cattle.io$"
|
||||
- apiVersion: "elemental.cattle.io/v1beta1"
|
||||
kindsRegexp: "."
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-|^cattle-elemental-system$"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^roles$|^rolebindings$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "elemental.cattle.io/managed"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$|^serviceaccounts$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "elemental.cattle.io/managed"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
@@ -0,0 +1,60 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
resourceNameRegexp: "^fleet-"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "app.kubernetes.io/managed-by"
|
||||
operator: "In"
|
||||
values: ["rancher"]
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
excludeResourceNameRegexp: "^import-token"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "owner"
|
||||
operator: "NotIn"
|
||||
values: ["helm"]
|
||||
- key: "fleet.cattle.io/managed"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
excludeResourceNameRegexp: "^default$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^configmaps$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^roles$|^rolebindings$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNameRegexp: "^fleet-|^gitjob-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNameRegexp: "^fleet-"
|
||||
resourceNames:
|
||||
- "gitjob"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
|
||||
- apiVersion: "fleet.cattle.io/v1alpha1"
|
||||
kindsRegexp: "."
|
||||
excludeKinds:
|
||||
- "bundledeployments"
|
||||
- apiVersion: "gitjob.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
resourceNameRegexp: "^fleet-"
|
||||
resourceNames:
|
||||
- "gitjob"
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^services$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
resourceNames:
|
||||
- "gitjob"
|
||||
@@ -0,0 +1,17 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "gke.cattle.io$"
|
||||
- apiVersion: "gke.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
resourceNames:
|
||||
- "gke-config-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "gke-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "gke-operator"
|
||||
+41
@@ -0,0 +1,41 @@
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
|
||||
- apiVersion: "provisioning.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "rke-machine-config.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "rke-machine.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "rke.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "cluster.x-k8s.io/v1beta1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
resourceNameRegexp: "machine-driver-secret$|machine-provision$|admission-configuration-psact$|^harvesterconfig|^registryconfig-auth|^harvester-cloud-provider-config"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^configmaps$"
|
||||
resourceNames:
|
||||
- "provisioning-log"
|
||||
namespaceRegexp: "^c-m-"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
fieldSelectors:
|
||||
"type": "rke.cattle.io/machine-plan"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
fieldSelectors:
|
||||
"type": "rke.cattle.io/cluster-state"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
fieldSelectors:
|
||||
"type": "rke.cattle.io/machine-state"
|
||||
+28
@@ -0,0 +1,28 @@
|
||||
- apiVersion: "rancher.cattle.io/v1"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "apps/v1"
|
||||
kindsRegexp: "^deployments$"
|
||||
resourceNames:
|
||||
- "rancher-operator"
|
||||
namespaces:
|
||||
- "rancher-operator-system"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaces:
|
||||
- "rancher-operator-system"
|
||||
excludeResourceNameRegexp: "^default$"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNames:
|
||||
- "rancher-operator"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNames:
|
||||
- "rancher-operator"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "rancher.cattle.io$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
resourceNames:
|
||||
- "rancher-operator-system"
|
||||
@@ -0,0 +1,69 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^namespaces$"
|
||||
resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-|^local-"
|
||||
resourceNames:
|
||||
- "local"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "owner"
|
||||
operator: "NotIn"
|
||||
values: ["helm"]
|
||||
excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^serviceaccounts$"
|
||||
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
|
||||
excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^configmaps$"
|
||||
namespaces:
|
||||
- "cattle-system"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^roles$|^rolebindings$"
|
||||
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
|
||||
excludeResourceNameRegexp: "^rancher-csp-adapter"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterrolebindings$"
|
||||
resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-"
|
||||
- apiVersion: "rbac.authorization.k8s.io/v1"
|
||||
kindsRegexp: "^clusterroles$"
|
||||
resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$"
|
||||
excludeResourceNameRegexp: "^rancher-csp-adapter-"
|
||||
- apiVersion: "scheduling.k8s.io/v1"
|
||||
kindsRegexp: "^priorityclasses$"
|
||||
resourceNameRegexp: "^rancher-critical$"
|
||||
- apiVersion: "apiextensions.k8s.io/v1"
|
||||
kindsRegexp: "."
|
||||
resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "."
|
||||
excludeKinds:
|
||||
- "tokens"
|
||||
- "rancherusernotifications"
|
||||
- apiVersion: "management.cattle.io/v3"
|
||||
kindsRegexp: "^tokens$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "authn.management.cattle.io/kind"
|
||||
operator: "NotIn"
|
||||
values: [ "provisioning" ]
|
||||
- apiVersion: "project.cattle.io/v3"
|
||||
kindsRegexp: "."
|
||||
- apiVersion: "catalog.cattle.io/v1"
|
||||
kindsRegexp: "^clusterrepos$"
|
||||
- apiVersion: "resources.cattle.io/v1"
|
||||
kindsRegexp: "^ResourceSet$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaceRegexp: "^.*$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "resources.cattle.io/backup"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
- apiVersion: catalog.cattle.io/v1
|
||||
kindsRegexp: ^UIPlugin$
|
||||
namespaces:
|
||||
- cattle-ui-plugin-system
|
||||
+8
@@ -0,0 +1,8 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "elemental.cattle.io/managed"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
@@ -0,0 +1,12 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaceRegexp: "^cattle-fleet-|^fleet-"
|
||||
excludeResourceNameRegexp: "^import-token"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "owner"
|
||||
operator: "NotIn"
|
||||
values: ["helm"]
|
||||
- key: "fleet.cattle.io/managed"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
+23
@@ -0,0 +1,23 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
resourceNameRegexp: "machine-driver-secret$|machine-provision$|admission-configuration-psact$|^harvesterconfig|^registryconfig-auth|^harvester-cloud-provider-config"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
fieldSelectors:
|
||||
"type": "rke.cattle.io/machine-plan"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
fieldSelectors:
|
||||
"type": "rke.cattle.io/cluster-state"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaces:
|
||||
- "fleet-default"
|
||||
fieldSelectors:
|
||||
"type": "rke.cattle.io/machine-state"
|
||||
+17
@@ -0,0 +1,17 @@
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "owner"
|
||||
operator: "NotIn"
|
||||
values: ["helm"]
|
||||
excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$"
|
||||
- apiVersion: "v1"
|
||||
kindsRegexp: "^secrets$"
|
||||
namespaceRegexp: "^.*$"
|
||||
labelSelectors:
|
||||
matchExpressions:
|
||||
- key: "resources.cattle.io/backup"
|
||||
operator: "In"
|
||||
values: ["true"]
|
||||
@@ -0,0 +1,87 @@
|
||||
{{- define "system_default_registry" -}}
|
||||
{{- if .Values.global.cattle.systemDefaultRegistry -}}
|
||||
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
|
||||
{{- else -}}
|
||||
{{- "" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Windows cluster will add default taint for linux nodes,
|
||||
add below linux tolerations to workloads could be scheduled to those linux nodes
|
||||
*/}}
|
||||
{{- define "linux-node-tolerations" -}}
|
||||
- key: "cattle.io/os"
|
||||
value: "linux"
|
||||
effect: "NoSchedule"
|
||||
operator: "Equal"
|
||||
{{- end -}}
|
||||
|
||||
{{- define "linux-node-selector" -}}
|
||||
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||
beta.kubernetes.io/os: linux
|
||||
{{- else -}}
|
||||
kubernetes.io/os: linux
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "backupRestore.fullname" -}}
|
||||
{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "backupRestore.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "backupRestore.labels" -}}
|
||||
helm.sh/chart: {{ include "backupRestore.chart" . }}
|
||||
{{ include "backupRestore.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "backupRestore.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "backupRestore.fullname" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
resources.cattle.io/operator: backup-restore
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "backupRestore.serviceAccountName" -}}
|
||||
{{ include "backupRestore.fullname" . }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- define "backupRestore.s3SecretName" -}}
|
||||
{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create PVC name using release and revision number, unless a volumeName is given.
|
||||
*/}}
|
||||
{{- define "backupRestore.pvcName" -}}
|
||||
{{- if and .Values.persistence.volumeName }}
|
||||
{{- printf "%s" .Values.persistence.volumeName }}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%d" .Release.Name .Release.Revision }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}
|
||||
labels:
|
||||
{{- include "backupRestore.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "backupRestore.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
@@ -0,0 +1,89 @@
|
||||
{{- if and .Values.s3.enabled .Values.persistence.enabled }}
|
||||
{{- fail "\n\nCannot configure both s3 and PV for storing backups" }}
|
||||
{{- end }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "backupRestore.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "backupRestore.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "backupRestore.selectorLabels" . | nindent 8 }}
|
||||
annotations:
|
||||
checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }}
|
||||
checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }}
|
||||
{{- if .Values.monitoring.metrics.enabled }}
|
||||
prometheus.io/port: "metrics"
|
||||
prometheus.io/scrape: "true"
|
||||
{{ end }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
|
||||
{{- if .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml .Values.imagePullSecrets | indent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.priorityClassName }}
|
||||
priorityClassName: {{ .Values.priorityClassName }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }}
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
args:
|
||||
{{- if .Values.debug }}
|
||||
- "--debug"
|
||||
{{- end }}
|
||||
{{- if .Values.trace }}
|
||||
- "--trace"
|
||||
{{- end }}
|
||||
env:
|
||||
- name: CHART_NAMESPACE
|
||||
value: {{ .Release.Namespace }}
|
||||
{{- if .Values.s3.enabled }}
|
||||
- name: DEFAULT_S3_BACKUP_STORAGE_LOCATION
|
||||
value: {{ include "backupRestore.s3SecretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.proxy }}
|
||||
- name: HTTP_PROXY
|
||||
value: {{ .Values.proxy }}
|
||||
- name: HTTPS_PROXY
|
||||
value: {{ .Values.proxy }}
|
||||
- name: NO_PROXY
|
||||
value: {{ .Values.noProxy }}
|
||||
{{- end }}
|
||||
{{- if .Values.monitoring.metrics.enabled }}
|
||||
- name: METRICS_SERVER
|
||||
value: "true"
|
||||
{{ end }}
|
||||
{{- if .Values.persistence.enabled }}
|
||||
- name: DEFAULT_PERSISTENCE_ENABLED
|
||||
value: "persistence-enabled"
|
||||
volumeMounts:
|
||||
- mountPath: "/var/lib/backups"
|
||||
name: pv-storage
|
||||
volumes:
|
||||
- name: pv-storage
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ include "backupRestore.pvcName" . }}
|
||||
{{- end }}
|
||||
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
|
||||
{{- if .Values.nodeSelector }}
|
||||
{{ toYaml .Values.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
|
||||
{{- if .Values.tolerations }}
|
||||
{{ toYaml .Values.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,126 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{ include "backupRestore.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
"helm.sh/hook": post-install, post-upgrade
|
||||
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
|
||||
spec:
|
||||
backoffLimit: 1
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
restartPolicy: Never
|
||||
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
|
||||
{{- if .Values.nodeSelector }}
|
||||
{{ toYaml .Values.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
|
||||
{{- if .Values.tolerations }}
|
||||
{{ toYaml .Values.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}
|
||||
imagePullPolicy: IfNotPresent
|
||||
command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{ include "backupRestore.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
"helm.sh/hook": post-install, post-upgrade
|
||||
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
labels: {{ include "backupRestore.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
"helm.sh/hook": post-install, post-upgrade
|
||||
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["serviceaccounts"]
|
||||
verbs: ["get", "patch"]
|
||||
{{- if .Values.global.cattle.psp.enabled}}
|
||||
- apiGroups: ["policy"]
|
||||
resources: ["podsecuritypolicies"]
|
||||
verbs: ["use"]
|
||||
resourceNames:
|
||||
- {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
{{- end}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
labels: {{ include "backupRestore.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
"helm.sh/hook": post-install, post-upgrade
|
||||
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
{{- if .Values.global.cattle.psp.enabled}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}-patch-sa
|
||||
labels: {{ include "backupRestore.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
"helm.sh/hook": post-install, post-upgrade
|
||||
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
|
||||
spec:
|
||||
privileged: false
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAsNonRoot'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
||||
volumes:
|
||||
- 'secret'
|
||||
{{- end}}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}-default-allow-all
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
podSelector: {}
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
@@ -0,0 +1,31 @@
|
||||
{{- if .Values.global.cattle.psp.enabled -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}-psp
|
||||
labels: {{ include "backupRestore.labels" . | nindent 4 }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAsNonRoot'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
||||
volumes:
|
||||
- 'persistentVolumeClaim'
|
||||
- 'secret'
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,27 @@
|
||||
{{- if and .Values.persistence.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: {{ include "backupRestore.pvcName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "backupRestore.labels" . | nindent 4 }}
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
{{- with .Values.persistence }}
|
||||
requests:
|
||||
storage: {{ .size | quote }}
|
||||
{{- if .storageClass }}
|
||||
{{- if (eq "-" .storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: {{ .storageClass | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .volumeName }}
|
||||
volumeName: {{ .volumeName | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: resources.cattle.io/v1
|
||||
kind: ResourceSet
|
||||
metadata:
|
||||
name: rancher-resource-set-basic
|
||||
controllerReferences:
|
||||
- apiVersion: "apps/v1"
|
||||
resource: "deployments"
|
||||
name: "rancher"
|
||||
namespace: "cattle-system"
|
||||
resourceSelectors:
|
||||
{{- range $path, $_ := .Files.Glob "files/basic-resourceset-contents/*.yaml" -}}
|
||||
{{- $.Files.Get $path | nindent 2 -}}
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,16 @@
|
||||
apiVersion: resources.cattle.io/v1
|
||||
kind: ResourceSet
|
||||
metadata:
|
||||
name: rancher-resource-set-full
|
||||
controllerReferences:
|
||||
- apiVersion: "apps/v1"
|
||||
resource: "deployments"
|
||||
name: "rancher"
|
||||
namespace: "cattle-system"
|
||||
resourceSelectors:
|
||||
{{- range $path, $_ := .Files.Glob "files/basic-resourceset-contents/*.yaml" -}}
|
||||
{{- $.Files.Get $path | nindent 2 -}}
|
||||
{{- end -}}
|
||||
{{- range $path, $_ := .Files.Glob "files/sensitive-resourceset-contents/*.yaml" -}}
|
||||
{{- $.Files.Get $path | nindent 2 -}}
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: resources.cattle.io/v1
|
||||
kind: ResourceSet
|
||||
metadata:
|
||||
name: rancher-resource-set
|
||||
annotations:
|
||||
helm.sh/resource-policy: keep
|
||||
controllerReferences:
|
||||
- apiVersion: "apps/v1"
|
||||
resource: "deployments"
|
||||
name: "rancher"
|
||||
namespace: "cattle-system"
|
||||
resourceSelectors:
|
||||
{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}}
|
||||
{{- $.Files.Get $path | nindent 2 -}}
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,34 @@
|
||||
{{- if .Values.s3.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "backupRestore.s3SecretName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "backupRestore.labels" . | nindent 4 }}
|
||||
type: Opaque
|
||||
stringData:
|
||||
{{- with .Values.s3 }}
|
||||
{{- if .credentialSecretName }}
|
||||
credentialSecretName: {{ .credentialSecretName }}
|
||||
credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }}
|
||||
{{- end }}
|
||||
{{- if .region }}
|
||||
region: {{ .region | quote }}
|
||||
{{- end }}
|
||||
bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }}
|
||||
{{- if .folder }}
|
||||
folder: {{ .folder | quote }}
|
||||
{{- end }}
|
||||
endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }}
|
||||
{{- if .endpointCA }}
|
||||
endpointCA: {{ .endpointCA }}
|
||||
{{- end }}
|
||||
{{- if .insecureTLSSkipVerify }}
|
||||
insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }}
|
||||
{{- end }}
|
||||
{{- if .clientConfig }}
|
||||
clientConfig: {{ .clientConfig | toJson | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,30 @@
|
||||
{{ if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.monitoring.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "backupRestore.labels" . | nindent 4 }}
|
||||
{{- with .Values.monitoring.serviceMonitor.additionalLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "backupRestore.labels" . | nindent 6 }}
|
||||
endpoints:
|
||||
- port: http
|
||||
path: /metrics
|
||||
{{- with .Values.monitoring.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.monitoring.serviceMonitor.relabelings }}
|
||||
relabelings:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,24 @@
|
||||
{{ if .Values.monitoring.metrics.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "backupRestore.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "backupRestore.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
prometheus.io/path: /metrics
|
||||
prometheus.io/port: /8080
|
||||
prometheus.io/scrape: "true"
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
ports:
|
||||
- port: 8080
|
||||
targetPort: 8080
|
||||
protocol: TCP
|
||||
name: http
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ .Release.Name }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{ end }}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user