One file to rule them all

This commit is contained in:
mr
2026-01-08 21:15:34 +01:00
parent ec5c2972c3
commit 8098a86dae
982 changed files with 4169 additions and 60 deletions


@@ -0,0 +1,73 @@
{{- if index .Values "argo-workflows" "enabled" }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo-workflow
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: custom-argo-clusterrole
rules:
# Default Argo permissions
- apiGroups: [""]
resources: ["configmaps", "pods", "pods/log", "secrets", "persistentvolumeclaims", "serviceaccounts"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch"]
- apiGroups: ["argoproj.io"]
resources: ["workflows", "workflowtemplates", "cronworkflows", "workflowtasksets", "workfloweventbindings", "clusterworkflowtemplates"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create", "delete", "get", "list", "update"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["create", "get"]
# Full power activated
- apiGroups: [""]
resources: ["bindings", "endpoints", "events", "limitranges", "namespaces", "nodes", "persistentvolumes", "replicationcontrollers", "resourcequotas"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["autoscaling"]
resources: ["horizontalpodautoscalers"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["batch"]
resources: ["cronjobs"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies", "ingresses"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses", "volumeattachments"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["argoproj.io"]
resources: ["workflowtaskresults"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: custom-argo-clusterrolebinding
subjects:
- kind: ServiceAccount
name: argo-workflow
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: custom-argo-clusterrole
{{- end }}
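Review bot: The stanza under `# Full power activated` makes `custom-argo-clusterrole` effectively cluster-admin: cluster-wide create/patch on `clusterroles`, `clusterrolebindings`, `secrets`, `serviceaccounts`, `namespaces` and `nodes` means any pod running as `argo-workflow` can grant itself further rights or read every Secret in the cluster. The first stanza (`# Default Argo permissions`) already covers what the executor needs; drop the second, or at minimum remove the `rbac.authorization.k8s.io` rule and the `secrets`/`serviceaccounts` entries, and prefer a namespaced `Role`/`RoleBinding` in `{{ .Release.Namespace }}` unless workflows must run in other namespaces. Both cluster-scoped names are unprefixed, so a second release of this chart in another namespace collides on ownership of `custom-argo-clusterrole`; `name: {{ .Release.Name }}-argo-clusterrole` avoids that.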


@@ -0,0 +1,31 @@
{{- if index .Values "hydra" "enabled" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: hydra-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/hydra`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}
passHostHeader: true
port: 4444
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: hydra-secret
data:
dsn: bWVtb3J5
secretsCookie: U0prcFlUeDFZZWhPMFEyc3UweWlwcDdmZ1BaRmc2ajA=
secretsSystem: M3FwWnlpemIzbXc2cE80Q1l3Q1MyUVFmbXdOeVFpRzE=
{{- end }}
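Review bot: `hydra-secret` carries fixed base64 literals for `secretsCookie` and `secretsSystem` in the chart template, so every installation shares the same Hydra cookie and system secrets and both are committed to the repository. Source them from values supplied at install time, e.g. `secretsSystem: {{ .Values.hydra.secretsSystem | b64enc }}` (constructed value name), or reference an externally managed Secret. `dsn` decodes to `memory`, which makes Hydra's state non-persistent; fine for dev, but worth a comment if intentional.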


@@ -0,0 +1,113 @@
{{- if .Values.ldapUserManager.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ldap-user-manager
name: {{ .Release.Name }}-ldap-user-manager
spec:
replicas: 1
selector:
matchLabels:
app: ldap-user-manager
strategy: {}
template:
metadata:
labels:
app: ldap-user-manager
spec:
containers:
- image: wheelybird/ldap-user-manager:v1.8
name: ldap-user-manager
env:
- name: SERVER_HOSTNAME
value: "{{ .Values.ldapUserManager.env.SERVER_HOSTNAME }}"
- name: LDAP_URI
value: "ldap://{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local"
- name: LDAP_BASE_DN
value: "{{ .Values.ldapUserManager.env.LDAP_BASE_DN }}"
- name: LDAP_REQUIRE_STARTTLS
value: "{{ .Values.ldapUserManager.env.LDAP_REQUIRE_STARTTLS }}"
- name: LDAP_ADMINS_GROUP
value: "{{ .Values.ldapUserManager.env.LDAP_ADMINS_GROUP }}"
- name: LDAP_ADMIN_BIND_DN
value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_DN }}"
- name: LDAP_ADMIN_BIND_PWD
value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_PWD }}"
- name: LDAP_IGNORE_CERT_ERRORS
value: "{{ .Values.ldapUserManager.env.LDAP_IGNORE_CERT_ERRORS }}"
- name: NO_HTTPS
value: "{{ .Values.ldapUserManager.env.NO_HTTPS }}"
- name: EMAIL_DOMAIN
value: "{{ .Values.ldapUserManager.env.EMAIL_DOMAIN }}"
- name: ORGANISATION_NAME
value: "{{ .Values.ldapUserManager.env.ORGANISATION_NAME }}"
- name: LDAP_USER_OU
value: "{{ .Values.ldapUserManager.env.LDAP_USER_OU }}"
- name: LDAP_GROUP_OU
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_OU }}"
- name: SERVER_PATH
value: "{{ .Values.ldapUserManager.env.SERVER_PATH }}"
- name: LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES
value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES }}"
- name: LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES
value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES }}"
- name: LDAP_GROUP_ADDITIONAL_OBJECTCLASSES
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_OBJECTCLASSES }}"
- name: LDAP_GROUP_ADDITIONAL_ATTRIBUTES
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_ATTRIBUTES }}"
- name: ACCEPT_WEAK_PASSWORDS
value: "{{ .Values.ldapUserManager.env.ACCEPT_WEAK_PASSWORDS }}"
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-ldap-user-manager-svc
labels:
app: ldap-user-manager-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 80
- name: https
port: 8443
protocol: TCP
targetPort: 443
selector:
app: ldap-user-manager
type: ClusterIP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ldap-user-manager-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/users`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-ldap-user-manager-svc
passHostHeader: true
port: 8080
{{- end }}
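Review bot: `LDAP_ADMIN_BIND_PWD` is rendered as a plain `value:` from `.Values.ldapUserManager.env.LDAP_ADMIN_BIND_PWD`, so the LDAP admin password ends up in the Deployment object itself, readable by anyone who can get Deployments and in `helm get manifest`. Move it to a Secret and inject it with `valueFrom: { secretKeyRef: { name: <secret-name>, key: LDAP_ADMIN_BIND_PWD } }`. `LDAP_URI` is hard-coded to `ldap://` while transport security depends on the `LDAP_REQUIRE_STARTTLS` and `LDAP_IGNORE_CERT_ERRORS` values; a short comment on their intended defaults would help operators avoid running the admin bind in the clear.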


@@ -0,0 +1,16 @@
{{- if index .Values.loki.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Values.loki.singleBinary.persistence.claimName }}
namespace: {{ .Release.Namespace }}
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- {{ .Values.loki.singleBinary.persistence.accessMode }}
resources:
requests:
storage: {{ .Values.loki.singleBinary.persistence.size }}
storageClassName: {{ .Values.loki.singleBinary.persistence.storageClassName }}
{{- end }}
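Review bot: `{{- if index .Values.loki.enabled }}` calls `index` with no index arguments, which just returns its operand, so the guard is equivalent to `{{- if .Values.loki.enabled }}` — except that when the key is absent `index` receives an untyped nil and, as far as I can tell, the render then fails instead of treating it as false. Use the plain form here; the same pattern appears in the mongodb PVC, the nats ConfigMap and the oc-auth, oc-catalog, oc-datacenter, oc-front, oc-peer, oc-scheduler, oc-schedulerd, oc-shared, oc-workflow and oc-workspace ingress, service and deployment templates. The quoted-key form `index .Values "argo-workflows" "enabled"` is the one that actually needs `index`, because of the hyphen.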


@@ -0,0 +1,15 @@
{{- if index .Values.mongodb.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ index .Values.mongodb.persistence.existingClaim }}
namespace: {{ .Release.Namespace }}
annotations:
helm.sh/resource-policy: keep
spec:
accessModes: {{ index .Values.mongodb.persistence.accessModes }}
resources:
requests:
storage: {{ .Values.mongodb.persistence.size }}
storageClassName: {{ .Values.mongodb.persistence.storageClass }}
{{- end }}
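Review bot: `accessModes: {{ index .Values.mongodb.persistence.accessModes }}` renders the value with Go's default formatting; assuming it is a list as the key name suggests, one element renders as `[ReadWriteOnce]`, which happens to be valid YAML, but two elements render as `[ReadWriteOnce ReadWriteMany]`, which YAML reads as a single string. Render the list properly: `accessModes: {{ toYaml .Values.mongodb.persistence.accessModes | nindent 4 }}` (or `toJson`). The `index` wrapper on `existingClaim` and on the `enabled` guard is a no-op and can be dropped.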


@@ -0,0 +1,18 @@
{{- if index .Values "mongo-express" "enabled" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mongo-express-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/mongoexpress`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-mongo-express.{{ .Release.Namespace }}
passHostHeader: true
port: 8081
{{- end }}
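Review bot: `mongo-express-ingress` publishes the Mongo admin UI at `/mongoexpress` on the `web` entry point with no `middlewares:` at all, whereas the oc-* routes attach `forward-auth` when `ocAuth.enableTraefikProxyIntegration` is set. Unless the mongo-express subchart is configured with its own authentication (not visible here), the database UI is reachable by anyone who can reach `.Values.host`. Gate it the same way, `middlewares:` / `- name: forward-auth`, or keep it off the ingress and reach it via port-forwarding. The route also has no strip-prefix middleware, so mongo-express itself must be configured for the `/mongoexpress` base path.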


@@ -0,0 +1,13 @@
{{- if index .Values.nats.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: nats-config
data:
nats.conf: |
port: 4222
http_port: 8222
max_connections: 200000 # optional but recommended
max_subscriptions: 200000
{{- end }}
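Review bot: The rendered `nats.conf` has no `authorization` or `accounts` block, so any workload that can reach port 4222 can publish and subscribe to every subject, and the monitoring endpoint on `http_port: 8222` is open as well. If the nats subchart does not add credentials elsewhere, add an `authorization { ... }` stanza fed from a Secret and consider a NetworkPolicy restricting 4222/8222 to the oc-* pods. The trailing `# optional but recommended` sits inside the block scalar and ships in the config file; NATS accepts `#` comments, but it reads better on its own line above the key.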


@@ -0,0 +1,60 @@
{{- if .Values.ocAuth.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-auth
name: {{ .Release.Name }}-oc-auth
spec:
replicas: {{ .Values.ocAuth.replicas }}
selector:
matchLabels:
app: oc-auth
template:
metadata:
labels:
app: oc-auth
spec:
volumes:
- name: public-key-volume
secret:
secretName: public-key-secret
- name: private-key-volume
secret:
secretName: private-key-secret
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocAuth.image }}"
name: oc-auth
#command: ["tail", "-f", "/dev/null"]
volumeMounts:
- name: public-key-volume
mountPath: /keys/public/public.pem
subPath: public.pem
- name: private-key-volume
mountPath: /keys/private/private.pem
subPath: private.pem
envFrom:
- configMapRef:
name: opencloud-config
ports:
- name: http
containerPort: 8080
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ocAuth.resources.limits.cpu }}"
memory: "{{ .Values.ocAuth.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocAuth.resources.requests.cpu }}"
memory: "{{ .Values.ocAuth.resources.requests.memory }}"
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
{{- end }}
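Review bot: `replicas: {{ .Values.ocAuth.replicas }}` is emitted unconditionally while the service template in this commit also creates a HorizontalPodAutoscaler for this Deployment when `ocAuth.hpa.enabled` is set; every `helm upgrade` then resets the replica count to the value and the HPA scales it back, causing churn. Wrap it: `{{- if not .Values.ocAuth.hpa.enabled }}` / `replicas: {{ .Values.ocAuth.replicas }}` / `{{- end }}`. The same applies to the oc-catalog, oc-datacenter, oc-front, oc-peer, oc-scheduler, oc-schedulerd, oc-shared, oc-workflow and oc-workspace deployments. The commented-out `#command: ["tail", "-f", "/dev/null"]` debug line should not ship, and there is no `readinessProbe`, so the Service will route to pods before the process is ready to serve.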


@@ -0,0 +1,31 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-auth-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`)
priority: 10
services:
- kind: Service
name: oc-auth-svc
port: 8080
middlewares:
#{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
#- name: forward-auth
#{{- end }}
- name: strip-auth-prefix
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-auth-prefix
spec:
replacePathRegex:
regex: ^/auth(.*)
replacement: /oc$1
{{- end }}
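Review bot: `oc-auth-ingress` binds only `entryPoints: - web`, the plain-HTTP entry point, while the OAuth2Client in this same commit registers `https://{{ .Values.host }}/auth/callback`; authorization codes and session cookies would traverse HTTP unless Traefik redirects `web` to `websecure` outside this chart. Use `- websecure` with a `tls:` block, or make the entry point a value; the same applies to the hydra, ldap-user-manager, mongo-express and every oc-* IngressRoute in this commit. If `PathPrefix` in the deployed Traefik version is a plain string-prefix match, `^/auth(.*)` also rewrites `/authorize` to `/ocorize`; `^/auth(/.*)?$` is the safer regex.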


@@ -0,0 +1,36 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: open-cloud-client
spec:
grantTypes:
- refresh_token
- authorization_code
- client_credentials
- implicit
responseTypes:
- id_token
- token
- code
scope: openid profile email roles
secretName: oc-oauth2-client-secret
redirectUris:
- https://{{ .Values.host }}/auth/callback
postLogoutRedirectUris:
- https://{{ .Values.host }}/auth/logout/
tokenEndpointAuthMethod: client_secret_post
allowedCorsOrigins:
- "http://0.0.0.0"
#---
#apiVersion: v1
#kind: Secret
#metadata:
# name: oc-auth-got-secret
# namespace: dev
#stringData:
# CLIENT_ID: {{ .Values.ocAuth.hydra.clientId }}
# CLIENT_SECRET: {{ .Values.ocAuth.hydra.clientSecret }}
{{- end }}
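Review bot: `open-cloud-client` enables the `implicit` grant and the `token` response type alongside `authorization_code`; the implicit flow returns access tokens in the URL fragment and is deprecated by the OAuth 2.0 Security BCP, so unless a legacy client needs it drop `- implicit` and `- token`. `allowedCorsOrigins: - "http://0.0.0.0"` is a placeholder no browser sends as an Origin, so it neither helps nor restricts; use `https://{{ .Values.host }}` or remove it. The commented-out `oc-auth-got-secret` block with `namespace: dev` should be deleted rather than left in the template.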


@@ -0,0 +1,21 @@
{{- if index .Values.ocAuth.enabled }}
# peer public key: public-key-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: public-key-secret
type: Opaque
data:
public.pem: |
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
---
# peer private key: private-key-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: private-key-secret
type: Opaque
data:
private.pem: |
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
{{- end }}
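Review bot: `public-key-secret` and `private-key-secret` embed the key material directly in the chart template (the bodies are elided in this view), so the private key is committed to the repository and identical for every install of the chart; the oc-auth Deployment mounts it at `/keys/private/private.pem`, presumably as its signing key, which means anyone with the chart holds it. Take the key from values at install time, `private.pem: {{ .Values.ocAuth.privateKey | b64enc }}` (constructed value name), or reference an existing Secret generated out of band. Also `data:` expects base64, so a `|` block of raw PEM only works if the elided content is already encoded; `stringData:` accepts the PEM as-is.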


@@ -0,0 +1,31 @@
{{- if .Values.ocAuth.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-reader-role
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: secret-reader-binding
namespace: default
subjects:
- kind: ServiceAccount
name: ocauth-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: secret-reader-role
apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: ocauth-sa
{{- end }}
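Review bot: `secret-reader-binding` sets `namespace: default` while the `Role` it references and the `ocauth-sa` subject are created in `{{ .Release.Namespace }}`; for any release outside `default` the binding lands in a different namespace than its Role and grants nothing. Drop the `namespace: default` line or set it to `{{ .Release.Namespace }}`. The oc-auth Deployment in this commit does not set `serviceAccountName: ocauth-sa`, so the pod runs as the namespace's default ServiceAccount and this Role is unused anyway. If the keys are only consumed through the mounted volumes the Role can go; otherwise narrow it to `verbs: ["get"]` with `resourceNames: ["public-key-secret", "private-key-secret"]` instead of `list` over every Secret in the namespace (which includes `hydra-secret`).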


@@ -0,0 +1,40 @@
{{- if .Values.ocAuth.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-auth-svc
labels:
app: oc-auth-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-auth
type: ClusterIP
{{- end }}
{{- if and .Values.ocAuth.enabled .Values.ocAuth.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-auth
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-auth
minReplicas: {{ .Values.ocAuth.hpa.minReplicas }}
maxReplicas: {{ .Values.ocAuth.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocAuth.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,45 @@
{{- if .Values.ocCatalog.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-catalog
name: {{ .Release.Name }}-oc-catalog
spec:
replicas: {{ .Values.ocCatalog.replicas }}
selector:
matchLabels:
app: oc-catalog
template:
metadata:
labels:
app: oc-catalog
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocCatalog.image }}"
name: oc-catalog
envFrom:
- configMapRef:
name: opencloud-config
ports:
- name: http
containerPort: 8080
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ocCatalog.resources.limits.cpu }}"
memory: "{{ .Values.ocCatalog.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocCatalog.resources.requests.cpu }}"
memory: "{{ .Values.ocCatalog.resources.requests.memory }}"
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
{{- end }}


@@ -0,0 +1,32 @@
{{- if index .Values.ocCatalog.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-catalog-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/catalog`)
priority: 10
services:
- kind: Service
name: oc-catalog-svc
port: 8080
middlewares:
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
- name: forward-auth
{{- end }}
- name: strip-catalog-prefix
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-catalog-prefix
spec:
replacePathRegex:
regex: ^/catalog(.*)
replacement: /oc$1
{{- end }}


@@ -0,0 +1,40 @@
{{- if .Values.ocCatalog.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-catalog-svc
labels:
app: oc-catalog-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-catalog
type: ClusterIP
{{- end }}
{{- if and .Values.ocCatalog.enabled .Values.ocCatalog.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-catalog
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-catalog
minReplicas: {{ .Values.ocCatalog.hpa.minReplicas }}
maxReplicas: {{ .Values.ocCatalog.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocCatalog.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,45 @@
{{- if .Values.ocDatacenter.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-datacenter
name: {{ .Release.Name }}-oc-datacenter
spec:
replicas: {{ .Values.ocDatacenter.replicas }}
selector:
matchLabels:
app: oc-datacenter
template:
metadata:
labels:
app: oc-datacenter
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocDatacenter.image }}"
name: oc-datacenter
envFrom:
- configMapRef:
name: opencloud-config
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocDatacenter.resources.limits.cpu }}"
memory: "{{ .Values.ocDatacenter.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocDatacenter.resources.requests.cpu }}"
memory: "{{ .Values.ocDatacenter.resources.requests.memory }}"
{{- end }}


@@ -0,0 +1,32 @@
{{- if index .Values.ocDatacenter.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-datacenter-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/datacenter`)
priority: 10
services:
- kind: Service
name: oc-datacenter-svc
port: 8080
middlewares:
- name: strip-datacenter-prefix
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
- name: forward-auth
{{- end }}
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-datacenter-prefix
spec:
replacePathRegex:
regex: ^/datacenter(.*)
replacement: /oc$1
{{- end }}
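Review bot: `middlewares:` here lists `strip-datacenter-prefix` before `forward-auth`, while the oc-catalog and oc-peer routes list `forward-auth` first; Traefik applies middlewares in list order, so on this route the forward-auth request sees the already-rewritten `/oc...` path and on the others it sees the external `/datacenter...` path. If the auth service makes path-based decisions the two orders are not equivalent. Pick one order for all routes (auth before rewrite is the usual choice) and apply it here and in the oc-scheduler, oc-shared, oc-workflow and oc-workspace ingress templates.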


@@ -0,0 +1,41 @@
{{- if .Values.ocDatacenter.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-datacenter-svc
labels:
app: oc-datacenter-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-datacenter
type: ClusterIP
{{- end }}
{{- if and .Values.ocDatacenter.enabled .Values.ocDatacenter.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-datacenter
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-datacenter
minReplicas: {{ .Values.ocDatacenter.hpa.minReplicas }}
maxReplicas: {{ .Values.ocDatacenter.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocDatacenter.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,50 @@
{{- if .Values.ocFront.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-front
name: {{ .Release.Name }}-oc-front
spec:
replicas: {{ .Values.ocFront.replicas }}
selector:
matchLabels:
app: oc-front
template:
metadata:
labels:
app: oc-front
spec:
volumes:
- name: config-volume
configMap:
name: front-config
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocFront.image }}"
name: oc-front
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 10
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocFront.resources.limits.cpu }}"
memory: "{{ .Values.ocFront.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocFront.resources.requests.cpu }}"
memory: "{{ .Values.ocFront.resources.requests.memory }}"
volumeMounts:
- name: config-volume
mountPath: /usr/share/nginx/html/assets/assets/config/front.json
subPath: config.json
{{- end }}


@@ -0,0 +1,17 @@
{{- if index .Values.ocFront.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-front-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/`)
priority: 5
services:
- kind: Service
name: oc-front-svc
port: 8080
{{- end }}


@@ -0,0 +1,40 @@
{{- if .Values.ocFront.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-front-svc
labels:
app: oc-front-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 80
selector:
app: oc-front
type: ClusterIP
{{- end }}
{{- if and .Values.ocFront.enabled .Values.ocFront.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-front
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-front
minReplicas: {{ .Values.ocFront.hpa.minReplicas }}
maxReplicas: {{ .Values.ocFront.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocFront.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,45 @@
{{- if .Values.ocPeer.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-peer
name: {{ .Release.Name }}-oc-peer
spec:
replicas: {{ .Values.ocPeer.replicas }}
selector:
matchLabels:
app: oc-peer
template:
metadata:
labels:
app: oc-peer
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocPeer.image }}"
name: oc-peer
envFrom:
- configMapRef:
name: opencloud-config
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
ports:
- name: http
containerPort: 8080
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ocPeer.resources.limits.cpu }}"
memory: "{{ .Values.ocPeer.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocPeer.resources.requests.cpu }}"
memory: "{{ .Values.ocPeer.resources.requests.memory }}"
{{- end }}


@@ -0,0 +1,33 @@
{{- if index .Values.ocPeer.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-peer-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/peer`)
priority: 10
services:
- kind: Service
name: oc-peer-svc
port: 8080
middlewares:
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
- name: forward-auth
{{- end }}
- name: strip-peer-prefix
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-peer-prefix
spec:
replacePathRegex:
regex: ^/peer(.*)
replacement: /oc$1
{{- end }}


@@ -0,0 +1,40 @@
{{- if index .Values.ocPeer.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-peer-svc
labels:
app: oc-peer-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-peer
type: ClusterIP
{{- end }}
{{- if and .Values.ocPeer.enabled .Values.ocPeer.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-peer
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-peer
minReplicas: {{ .Values.ocPeer.hpa.minReplicas }}
maxReplicas: {{ .Values.ocPeer.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocPeer.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,46 @@
{{- if index .Values.ocScheduler.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-scheduler
name: {{ .Release.Name }}-oc-scheduler
spec:
replicas: {{ .Values.ocScheduler.replicas }}
selector:
matchLabels:
app: oc-scheduler
template:
metadata:
labels:
app: oc-scheduler
spec:
serviceAccountName: scheduler-sa
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocScheduler.image }}"
name: oc-scheduler
envFrom:
- configMapRef:
name: opencloud-config
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
ports:
- name: http
containerPort: 8080
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ocScheduler.resources.limits.cpu }}"
memory: "{{ .Values.ocScheduler.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocScheduler.resources.requests.cpu }}"
memory: "{{ .Values.ocScheduler.resources.requests.memory }}"
{{- end }}


@@ -0,0 +1,33 @@
{{- if index .Values.ocScheduler.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-scheduler-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/scheduler`)
priority: 10
services:
- kind: Service
name: oc-scheduler-svc
port: 8080
middlewares:
- name: strip-scheduler-prefix
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
- name: forward-auth
{{- end }}
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-scheduler-prefix
spec:
replacePathRegex:
regex: ^/scheduler(.*)
replacement: /oc$1
{{- end }}


@@ -0,0 +1,41 @@
{{- if index .Values.ocScheduler.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: scheduler-sa
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: scheduler-sa-clusterrole
rules:
# Permissions for Argo Workflow resources
- apiGroups: ["argoproj.io"]
resources:
- workflows
- workflowtemplates
- cronworkflows
- clusterworkflowtemplates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: scheduler-sa-clusterrolebinding
subjects:
- kind: ServiceAccount
name: scheduler-sa
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: scheduler-sa-clusterrole
{{- end }}
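Review bot: `scheduler-sa-clusterrole` and its binding are cluster-scoped with unprefixed names, so a second release of this chart in another namespace fails on ownership of these objects, and the ServiceAccount gets write access to Argo workflow resources in every namespace. If the scheduler only submits workflows into its own namespace, a `Role`/`RoleBinding` in `{{ .Release.Namespace }}` with the same rules is enough; if it must stay cluster-wide, prefix the names, `name: {{ .Release.Name }}-scheduler-clusterrole`. `clusterworkflowtemplates` is cluster-scoped and does need a ClusterRole, but read-only verbs (`get`, `list`, `watch`) are probably enough for a submitter — worth confirming.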


@@ -0,0 +1,40 @@
{{- if index .Values.ocScheduler.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-scheduler-svc
labels:
app: oc-scheduler-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-scheduler
type: ClusterIP
{{- end }}
{{- if and .Values.ocScheduler.enabled .Values.ocScheduler.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-scheduler
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-scheduler
minReplicas: {{ .Values.ocScheduler.hpa.minReplicas }}
maxReplicas: {{ .Values.ocScheduler.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocScheduler.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,35 @@
{{- if index .Values.ocSchedulerd.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-schedulerd
name: {{ .Release.Name }}-oc-schedulerd
spec:
replicas: {{ .Values.ocSchedulerd.replicas }}
selector:
matchLabels:
app: oc-schedulerd
template:
metadata:
labels:
app: oc-schedulerd
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocSchedulerd.image }}"
name: oc-schedulerd
envFrom:
- configMapRef:
name: opencloud-config
resources:
limits:
cpu: "{{ .Values.ocSchedulerd.resources.limits.cpu }}"
memory: "{{ .Values.ocSchedulerd.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocSchedulerd.resources.requests.cpu }}"
memory: "{{ .Values.ocSchedulerd.resources.requests.memory }}"
{{- end }}


@@ -0,0 +1,40 @@
{{- if index .Values.ocSchedulerd.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-schedulerd-svc
labels:
app: oc-schedulerd-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-scheduler
type: ClusterIP
{{- end }}
{{- if and .Values.ocSchedulerd.enabled .Values.ocSchedulerd.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-schedulerd
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-schedulerd
minReplicas: {{ .Values.ocSchedulerd.hpa.minReplicas }}
maxReplicas: {{ .Values.ocSchedulerd.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocSchedulerd.hpa.targetCPUUtilizationPercentage }}
{{- end }}
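Review bot: `oc-schedulerd-svc` selects `app: oc-scheduler`, but the oc-schedulerd Deployment in this commit labels its pods `app: oc-schedulerd`, so this Service forwards traffic to the oc-scheduler pods instead; change the selector to `app: oc-schedulerd`. The oc-schedulerd container also declares no `ports:` and no probe, so if it is a pure daemon with no listener the Service may be unnecessary altogether — worth confirming.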


@@ -0,0 +1,45 @@
{{- if .Values.ocShared.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-shared
name: {{ .Release.Name }}-oc-shared
spec:
replicas: {{ .Values.ocShared.replicas }}
selector:
matchLabels:
app: oc-shared
template:
metadata:
labels:
app: oc-shared
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocShared.image }}"
name: oc-shared
envFrom:
- configMapRef:
name: opencloud-config
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
ports:
- name: http
containerPort: 8080
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ocShared.resources.limits.cpu }}"
memory: "{{ .Values.ocShared.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocShared.resources.requests.cpu }}"
memory: "{{ .Values.ocShared.resources.requests.memory }}"
{{- end }}


@@ -0,0 +1,32 @@
{{- if index .Values.ocShared.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-shared-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/shared`)
priority: 10
services:
- kind: Service
name: oc-shared-svc
port: 8080
middlewares:
- name: strip-shared-prefix
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
- name: forward-auth
{{- end }}
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-shared-prefix
spec:
replacePathRegex:
regex: ^/shared(.*)
replacement: /oc$1
{{- end }}


@@ -0,0 +1,40 @@
{{- if index .Values.ocShared.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-shared-svc
labels:
app: oc-shared-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-shared
type: ClusterIP
{{- end }}
{{- if and .Values.ocShared.enabled .Values.ocShared.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-shared
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-shared
minReplicas: {{ .Values.ocShared.hpa.minReplicas }}
maxReplicas: {{ .Values.ocShared.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocShared.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,45 @@
{{- if .Values.ocWorkflow.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-workflow
name: {{ .Release.Name }}-oc-workflow
spec:
replicas: {{ .Values.ocWorkflow.replicas }}
selector:
matchLabels:
app: oc-workflow
template:
metadata:
labels:
app: oc-workflow
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocWorkflow.image }}"
name: oc-shared
envFrom:
- configMapRef:
name: opencloud-config
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocWorkflow.resources.limits.cpu }}"
memory: "{{ .Values.ocWorkflow.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocWorkflow.resources.requests.cpu }}"
memory: "{{ .Values.ocWorkflow.resources.requests.memory }}"
{{- end }}
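Review bot: The container in the oc-workflow Deployment is named `oc-shared` (copied from the oc-shared template), so logs, metrics and `kubectl exec -c` targets for this pod are labelled as the wrong service; rename it `name: oc-workflow`. The pod's `app: oc-workflow` labels are correct, so the Service selector is unaffected.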


@@ -0,0 +1,33 @@
{{- if index .Values.ocWorkflow.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-workflow-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/workflow`)
priority: 10
services:
- kind: Service
name: oc-workflow-svc
port: 8080
middlewares:
- name: strip-workflow-prefix
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
- name: forward-auth
{{- end }}
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-workflow-prefix
spec:
replacePathRegex:
regex: ^/workflow(.*)
replacement: /oc$1
{{- end }}


@@ -0,0 +1,40 @@
{{- if .Values.ocWorkflow.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-workflow-svc
labels:
app: oc-workflow-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-workflow
type: ClusterIP
{{- end }}
{{- if and .Values.ocWorkflow.enabled .Values.ocWorkflow.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-workflow
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-workflow
minReplicas: {{ .Values.ocWorkflow.hpa.minReplicas }}
maxReplicas: {{ .Values.ocWorkflow.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocWorkflow.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,46 @@
{{- if index .Values.ocWorkspace.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-workspace
name: {{ .Release.Name }}-oc-workspace
spec:
replicas: {{ .Values.ocWorkspace.replicas }}
selector:
matchLabels:
app: oc-workspace
template:
metadata:
labels:
app: oc-workspace
spec:
containers:
- image: "{{ .Values.ocWorkspace.image }}"
name: oc-workspace
envFrom:
- configMapRef:
name: opencloud-config
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocWorkspace.resources.limits.cpu }}"
memory: "{{ .Values.ocWorkspace.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ocWorkspace.resources.requests.cpu }}"
memory: "{{ .Values.ocWorkspace.resources.requests.memory }}"
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
{{- end }}
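Review bot: The container has a livenessProbe but no readinessProbe, so the `oc-workspace-svc` selector (L1658) routes traffic to a pod the moment it starts and a rollout can serve errors during the 10 s liveness delay; a readiness check on the same endpoint lets the Service gate traffic. Nothing in the pod spec sets a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`), which I would add unless the image genuinely needs root. `index` with a single argument at L1561 just returns its operand; plain `.Values.ocWorkspace.enabled` reads clearer.
```yaml
          livenessProbe:
            # … unchanged …
          readinessProbe:
            httpGet:
              path: /oc/version
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          # … unchanged: resources …
```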


@@ -0,0 +1,32 @@
{{- if index .Values.ocWorkspace.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-workspace-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/workspace`)
priority: 10
services:
- kind: Service
name: oc-workspace-svc
port: 8080
middlewares:
- name: strip-workspace-prefix
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
- name: forward-auth
{{- end }}
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-workspace-prefix
spec:
replacePathRegex:
regex: ^/workspace(.*)
replacement: /oc$1
{{- end }}


@@ -0,0 +1,40 @@
{{- if index .Values.ocWorkspace.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-workspace-svc
labels:
app: oc-workspace-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oc-workspace
type: ClusterIP
{{- end }}
{{- if and .Values.ocWorkspace.enabled .Values.ocWorkspace.hpa.enabled }}
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ .Release.Name }}-oc-workspace
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ .Release.Name }}-oc-workspace
minReplicas: {{ .Values.ocWorkspace.hpa.minReplicas }}
maxReplicas: {{ .Values.ocWorkspace.hpa.maxReplicas }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ocWorkspace.hpa.targetCPUUtilizationPercentage }}
{{- end }}


@@ -0,0 +1,29 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: opencloud-config
data:
OC_NAMESPACE: "{{ .Release.Namespace }}"
OC_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
OC_PUBLIC_KEY_PATH: "/keys/public/public.pem"
OC_PRIVATE_KEY_PATH: "/keys/private/private.pem"
OC_OAUTH2_CLIENT_SECRET_NAME: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
OC_AUTH: "{{ .Values.ocAuth.authType }}"
OC_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
OC_AUTH_CONNECTOR_PUBLIC_HOST: "{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}"
OC_AUTH_CONNECTOR_PORT: "4444"
OC_AUTH_CONNECTOR_ADMIN_PORT: "4445/admin"
OC_PERMISSION_CONNECTOR_READ_HOST: "{{ .Release.Name }}-keto-read.{{ .Release.Namespace }}"
OC_PERMISSION_CONNECTOR_WRITE_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
OC_PERMISSION_CONNECTOR_PORT: "80"
OC_PERMISSION_CONNECTOR_ADMIN_PORT: "80/admin"
OC_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
OC_LDAP_BINDDN: "{{ index .Values.ocAuth.ldap.bindDn }}"
OC_LDAP_BINDPW: "{{ index .Values.ocAuth.ldap.binPwd }}"
OC_LDAP_BASEDN: "{{ index .Values.ocAuth.ldap.baseDn }}"
OC_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
OC_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.rootUser }}:{{ index .Values.mongodb.auth.rootPassword }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
OC_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
OC_NATS_URL: "nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222"
OC_LOKI_URL: "http://loki-headless.{{ .Release.Namespace }}.svc.cluster.local:3100"
OC_PROMETHEUS_URL: "http://{{ .Release.Name }}-monitor.{{ .Release.Namespace }}:9090"
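Review bot: `OC_LDAP_BINDPW` (L1709) and the MongoDB root user and password embedded in `OC_MONGO_URL` (L1712) live in a ConfigMap, which is readable by anyone with `configmaps` get in the namespace and is injected wholesale into every pod via `envFrom` (L1581-L1583), so the credentials appear in pod specs, `kubectl describe` output and any process dump. Move those keys into a `Secret` and reference it with a second `envFrom: - secretRef: { name: opencloud-secrets }` entry, keeping only non-sensitive settings here. The application also connects as the MongoDB root user; a per-database user with least privilege limits the blast radius if that URL leaks. `binPwd` at L1709 looks like a typo for `bindPwd`; if the values file uses the misspelling consistently it works, but a later rename will silently render an empty password.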


@@ -0,0 +1,27 @@
{{- if .Values.openldap.externalLDAP.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-openldap
name: {{ .Release.Name }}-oc-openldap
spec:
replicas: 1
template:
spec:
containers:
- name: oc-openldap
image: {{ .Values.openldap.image.repository }}
env:
- name: LDAP_ORGANISATION
value: {{ .Values.openldap.env.LDAP_ORGANISATION }}
- name: LDAP_DOMAIN
value: {{ .Values.openldap.env.LDAP_DOMAIN }}
volumeMounts:
- name: ldif
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/external
volumes:
- name: ldif
configMap:
name: openldap-ldif
{{- end }}
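Review bot: This apps/v1 Deployment has no `spec.selector` and its pod template carries no labels, so the API server rejects it (`selector` is required and must match `template.metadata.labels`); because of the guard at L1721 this only surfaces once `externalLDAP.enabled` is turned on. `image`, `LDAP_ORGANISATION` and `LDAP_DOMAIN` are rendered unquoted, so a value that looks like a number or boolean, or contains `: `, is retyped or breaks the parse — quote them as `"{{ ... }}"`. The image has no tag, so it resolves to `latest` unless the repository value includes one.
```yaml
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oc-openldap
  template:
    metadata:
      labels:
        app: oc-openldap
    spec:
      containers:
        - name: oc-openldap
          image: "{{ .Values.openldap.image.repository }}"
          env:
            - name: LDAP_ORGANISATION
              value: "{{ .Values.openldap.env.LDAP_ORGANISATION }}"
            - name: LDAP_DOMAIN
              value: "{{ .Values.openldap.env.LDAP_DOMAIN }}"
          # … unchanged: volumeMounts …
      # … unchanged: volumes …
```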


@@ -0,0 +1,18 @@
{{- if index .Values "prometheus" "enabled" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: prometheus-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/monitor`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-monitor.{{ .Release.Namespace }}
passHostHeader: true
port: 9090
{{- end }}
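Review bot: The `/monitor` route exposes the Prometheus UI and query API on the `web` entryPoint with no middleware at all, while the application routes in this commit at least attach `forward-auth` conditionally; Prometheus has no authentication of its own, so this publishes every scraped metric and the `/api/v1` query endpoints to anyone who can reach `{{ .Values.host }}`. Add `middlewares: - name: forward-auth` or an IP allowlist, or drop the route and use port-forwarding. `services[].name` at L1766 is written as `<name>.<namespace>`, whereas an IngressRoute expects a bare Service name plus an optional `namespace:` field (as the registry routes at L1804-L1805 do), so the lookup likely fails; use `name: {{ .Release.Name }}-monitor` with `namespace: {{ .Release.Namespace }}`. The `/monitor` prefix is forwarded unstripped, so Prometheus must be started with a matching `--web.route-prefix`/`--web.external-url`, which nothing here shows.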


@@ -0,0 +1,86 @@
{{- if index .Values "docker-registry-ui" "enabled" }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ index .Values "docker-registry-ui" "registry" "dataVolume" "persistentVolumeClaim" "claimName" }}
namespace: {{ .Release.Namespace }}
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- {{ index .Values "docker-registry-ui" "registry" "persistence" "accessMode" }}
resources:
requests:
storage: {{ index .Values "docker-registry-ui" "registry" "persistence" "storage" }}
storageClassName: {{ index .Values "docker-registry-ui" "registry" "persistence" "storageClassName" }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-ingress
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.registryHost }}`)
priority: 5
services:
- kind: Service
name: {{ .Values.env }}-docker-registry-ui-registry-server
namespace: {{ .Release.Namespace }}
port: 5000
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-ingress-ui
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.registryHost }}`) && PathPrefix(`/ui`)
priority: 10
services:
- kind: Service
name: {{ .Values.env }}-docker-registry-ui-user-interface
namespace: {{ .Release.Namespace }}
port: 80
middlewares:
- name: strip-ui-prefix
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-ui-prefix
namespace: {{ .Release.Namespace }}
spec:
stripPrefix:
prefixes:
- "/ui"
---
#for htpasswd:
#htpasswd -nbB opencloud_registry Cei9phee | tr -d '\n' | base64 -w 0
#for password in dockerconfigjson:
#echo "opencloud_registry:Cei9phee" | tr -d '\n' | base64 -w 0
apiVersion: v1
kind: Secret
metadata:
name: registry-basic-auth-secret #To configure docker server authentication
namespace: {{ .Release.Namespace }}
data:
htpasswd: b3BlbmNsb3VkX3JlZ2lzdHJ5OiQyeSQwNSQ0cjFtV0h0Q3IzTmNPLjhqZjV2TkNPdkUvcFBkTDBmd1NFMkJ6bnI2azlmLjZhaVRHLzE1cQ==
---
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
name: {{ index .Values "docker-registry-ui" "registry" "secretName" }} #To configure docker client authentication against the server
namespace: {{ .Release.Namespace }}
data:
.dockerconfigjson: ewoJImF1dGhzIjogewoJCSJyZWdpc3RyeS12YWFzLnBmLmlydC1zYWludGV4dXBlcnkuY29tIjogewoJCQkiYXV0aCI6ICJkbUZoYzE5eVpXZHBjM1J5ZVRva01ua2tNRFVrYjJFeFRFaERjVGw2TWs1WE55NVJjMlZFYVZjMFpUQjVSSGxsTDIxTFp5NUxValJPYkVGR1pqTlpkbnBaZW0weVdFRXlNaTQ9IgoJCX0KCX0KfQ==
{{- end }}
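Review bot: `registry-basic-auth-secret` and the `dockerconfigjson` Secret carry hard-coded, base64-encoded credentials, and the comments at L1839-L1841 spell out the cleartext password used to generate them; base64 is not encryption, so this commit hands a registry credential to everyone with repository access, and the same content appears again as a plain JSON file in the next section (L1862-L1869). Treat it as compromised: rotate it, purge it from history, and produce both Secrets outside the chart (values flagged as secret, an external-secrets operator, or `--set-file`) so only a reference remains here. The registry routes sit on the `web` entryPoint, so unless TLS is terminated in front of Traefik the basic-auth header travels in cleartext on every push and pull. The `.dockerconfigjson` at L1857 also appears to name a different registry host than `{{ .Values.registryHost }}` and to carry the htpasswd hash rather than the password — verify it decodes to the credential the client is supposed to present. Style: comments want `# ` with one space after the hash and two before an inline `#` (L1838-L1845).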


@@ -0,0 +1,7 @@
{
"auths": {
"registry-vaas.pf.irt-saintexupery.com": {
"auth": "dmFhc19yZWdpc3RyeTokMnkkMDUkb2ExTEhDcTl6Mk5XNy5Rc2VEaVc0ZTB5RHllL21LZy5LUjRObEFGZjNZdnpZem0yWEEyMi4="
}
}
}


@@ -0,0 +1,10 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-nor1
provisioner: driver.longhorn.io
parameters:
numberOfReplicas: "2" # set 1 for single-node testing
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate


@@ -0,0 +1,11 @@
{{- if eq .Values.env "dev" }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: kind-sc
annotations:
helm.sh/resource-policy: keep
provisioner: rancher.io/local-path
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer
{{- end }}


@@ -0,0 +1,8 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: forward-auth
spec:
forwardAuth:
address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward"
trustForwardHeader: true
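Review bot: `trustForwardHeader: true` makes Traefik pass client-supplied `X-Forwarded-*` headers through to the auth service unchanged, so unless the `web` entryPoint is configured with `forwardedHeaders.trustedIPs` (not visible in this commit) any client can assert its own `X-Forwarded-For`/`X-Forwarded-Host` and influence whatever `oc-auth` derives from them; set it to `false`, or document why the upstream proxy is trusted. There is no `authResponseHeaders`, so if the backends rely on identity headers set by `/oc/forward` they are not propagated — confirm the services read the cookie or token directly. The middleware is namespace-scoped and the routes reference it as `forward-auth` without a namespace, which only resolves while everything is deployed into one namespace.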