core/oc-k8s
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: core:oc-auth
Branches Tags
core:main core:oc-front core:oc-auth core:openldap core:oryhydra core:mongo core:nats core:bootstraping
...
compare: core:3d416169e31f61f9ec960a513d7fc9225d5691fb
Branches Tags
core:main core:oc-front core:oc-auth core:openldap core:oryhydra core:mongo core:nats core:bootstraping

27 Commits
oc-auth ... 3d416169e3

Author SHA1 Message Date
mr
3d416169e3 Running all stack 2026-01-06 08:23:16 +01:00
mr
5a0651106d ReadMe Update 2025-11-12 13:37:04 +01:00
mr
9f9b1849eb Update K8S to include an auto generator of values template 2025-11-12 13:13:43 +01:00
mr
7ad4bf0b5d add prometheus 2025-06-24 09:40:45 +02:00
mr
3ca23c0645 -openldap. 2025-04-01 10:20:55 +02:00
mr
8596fde233 Add import datas for K8s 2025-03-31 09:43:43 +02:00
mr
8487b3c43d scripted 2025-03-28 13:24:06 +01:00
mr
16eb38ca06 Add delete cluster 2025-03-27 13:18:24 +01:00
mr
cb3d135d6c adjustment script clone 2025-03-27 13:12:23 +01:00
mr
c79db0b3de adjust script 2025-03-27 13:10:23 +01:00
mr
4ef9bb399f Adjustments 2025-03-27 13:04:29 +01:00
plm
1ef92e5975 Fixing stuff for production deployment 2025-02-24 10:00:06 +01:00
plm
ab70717458 Updating procedure 2025-01-22 15:19:29 +01:00
plm
c36aead379 Fixing typo 2025-01-22 15:10:35 +01:00
plm
80ae0b79e7 add missing oc-shared 2025-01-22 15:08:18 +01:00
plm
f31c12a7b9 Updating doc, and deployment procedure 2025-01-22 14:21:31 +01:00
plm
30b04e62c0 Fixing oc-auth service, and hydra and keto integration 2025-01-21 15:25:25 +01:00
plm
2738dd614c Create service account for scheduler web service to enable workflow creation 2025-01-16 13:20:10 +01:00
plm
f6fa0e22d2 Integrating argo 2025-01-16 13:11:31 +01:00
plm
c66de05c57 scheduler, aggregator, discovery integration 2025-01-15 16:34:02 +01:00
plm
5b90f637e3 Fix typo in name 2025-01-14 18:35:47 +01:00
plm
93e2d809cf Configuring loki as simpleBinary, deploying, configuring and integrating schedulerd 2025-01-14 18:35:12 +01:00
plm
7d5931045d Adding datacenter and peer support in k8s 2025-01-10 21:20:16 +01:00
plm
0b362983a3 Integrating catalog 2025-01-10 16:41:41 +01:00
plm
fb5aed882f Integrating workflow microservice 2025-01-10 11:43:01 +01:00
plm
5825c89a23 Adding collaborative area support 2025-01-09 16:24:43 +01:00
plm
f868400b7a Integrating front and workspace service 2025-01-08 23:05:38 +01:00
258 changed files with 24131 additions and 669 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -1 +1,3 @@
opencloud/Chart.lock
deployed_config
kind-logs

123
README.md
View File

@@ -6,28 +6,135 @@ or to ease opencloud dependencies (dex, mongo, mongo-express, ...) deployment.
Kind (https://kind.sigs.k8s.io/) is used here as a lightweight kubernetes deployment. Obviously, any kubenetes compliant
environment is a legitimate target.
HOW TO:
# Locally built microservices deployment procedure
1. Install kind
## Install OC-K8S
```
git clone https://cloud.o-forge.io/plm/oc-k8s.git
sudo cp oc-k8s.sh /usr/bin/oc-k8s
sudo chmod +x /usr/bin/oc-k8s
```
## Install kind
Follow instructions here https://kind.sigs.k8s.io/
2. Install helm
or
```
go install sigs.k8s.io/kind@v0.30.0 && kind create cluster
```
## Install helm
Download suitable helm client here https://helm.sh/docs/intro/install/
3. Fire up a kind cluster
# Generate values (optionnal)
Execute following script
Use command :
```
oc-k8s create values [release] [env_file (optionnal)]
```
or
```
./oc-k8s.sh create values [release] [env_file (optionnal)]
```
Map in a env file, any Variable you wish to override and give the path.
## Resume for a first start
```
oc-k8s start
```
or
```
./oc-k8s.sh start
```
To stop :
```
oc-k8s stop
```
or
```
./oc-k8s.sh start
```
## Fire up a kind cluster
WARNING APACHE & NGINX ARE NOT RUNNING:
- `sudo /etc/init.d/apache2 stop`
- `sudo nginx -s stop`
Execute following script to create a single node development k8s cluster
```
create_kind_cluster.sh
oc-k8s create cluster
```
or
```
./oc-k8s.sh create cluster
```
It will create a *opencloud* docker container running kubernetes services.
4. Deploy the opencloud chart
## Build everything
You need to build and publish all the opencloud microservices images in the kind cluster before deploying the Helm package.
Proceed as following:
```
install_development.sh
oc-k8s build services [branch(default:mail)] [target(default:all)]
```
or
```
./oc-k8s.sh build services [branch(default:mail)] [target(default:all)]
```
## Deploy the opencloud chart
```
oc-k8s create helm [env(default:dev)]
```
or
```
./oc-k8s.sh create helm [env(default:dev)]
```
Feel free to modify/create a new opencloud/dev-values.yaml. Provided setup should work out of the box, but is not suitable for production usage.
## Hostname settings
Edit your /etc/hosts file, and add following line:
```
127.0.0.1 beta.opencloud.com
```
## Done
Everything should be operational now, go to http://beta.opencloud.com and enjoy the ride
# First steps
Go to http://beta.opencloud.com/users
Log in using default user/password combo ldapadmin/ldapadmin
Create a new user, or change the default one
Go to http://beta.opencloud.com
Log in using your fresh credentials
Do stuff
You can go to http://beta.opencloud.com/mongoexpress
... for mongo express web client access (default login/password is test/testme)
You can go to http://localhost/dashboard/
... for access to Traefik reverse proxy front-end

30
create_kind_cluster.sh
View File

@@ -1,30 +0,0 @@
cat <<EOF | kind create cluster --name opencloud --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 30950
hostPort: 80
protocol: TCP
- containerPort: 30951
hostPort: 443
protocol: TCP
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."locahost:5000"]
endpoint = ["http://dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
endpoint = ["http://dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000".tls]
insecure_skip_verify = true
cert_file = ""
key_file = ""
ca_file = ""
EOF

19
deployed_config Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJSzVaV2xBVVpyYnN3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TmpBeE1EVXhOak14TlRoYUZ3MHpOakF4TURNeE5qTTJOVGhhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUMyV0piMTVvMUorQk81RGVTbmpvVVpTSkRqdkxFaUc5VjZyQ3pFZG1KYjkxU3Q4RjRKSUhZUmdTNSsKdkljQ1A2UHI3WThUSGl0VlB6UWdlMjh5VjdHK245NDhpaHc5SkVBTDBQK2poYW9SYXJnOHRvLzV3LzZjbm5OUwpzTGZTTUYvdS8yVkE1YWFwb1RMbXFMbjgwbmI3MThaM0VQRUtydlhqSnpLOStCUm5lMUpVeFF0MmdJUTVubXBHCmtmK2E2bXhiRUI3OXFGaUJCWFEwN2JkSFppZFRxWEFydGY0RGkrWit1VE9BM0dCU1hsR3FMNGREU1hKSkM3MkUKajJWZk02K1d4SE9SSUE5TUx1cVd6OWxlem4wd1J3YURuME9iWG5EWUhXVWlxbmZoY2NsS3k0bnhjRWxqYTZhNwpuQ1VYc3ZpcCtsZUZHenQvWE9jOWhDWlU4SUpmQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSVUVkYVhJMHJ4TXl6REgrTk9MRWF1S1UvV3dUQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQW5yenJmRHNHcApZMTkvdyt3TFJmalgvREFkcmFsNWRtdGZuZFF0T213VmZETW5XRUNLV09RTXZYcWZlZUUyTDFjalBPVDQrVUNqCmltM0RrcksvSEpSa0NGWGdwVVl1R0JKaVYzbTBsUzJHUkNDckZ5QTdKQS9CYnVUaVBsWmFGOURPNzc5WVd4UkYKaDc0dFowQ09mY0l0dDJlbit1TGh5N29JVUx0ZzJjN3RLSzNKYmRvZFU1SGlSSjBjOG9DNVp6S2sreUdZZVFqTgozYm1rQW1nS1Z5L25yQSt1SXJXRC81T28rdTVhZXEvU1VjcGJFV3A1OWUxcDNQWEFtS1pRczlXZ0ZzVVEvWk1EClVEcjhkMlc0Tmw0MXBIVWpvTEhObldVUmdoNTcwbW9xcFNldGxTemFZL29BYVErV2Z4cjZlaUpIVER0NmhoZFoKMU9qVEJCQUJYMCsvCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
server: https://127.0.0.1:40481
name: kind-opencloud
contexts:
- context:
cluster: kind-opencloud
user: kind-opencloud
name: kind-opencloud
current-context: kind-opencloud
kind: Config
users:
- name: kind-opencloud
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLVENDQWhHZ0F3SUJBZ0lJTCtxbzhTOXAzckV3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TmpBeE1EVXhOak14TlRoYUZ3MHlOekF4TURVeE5qTTJOVGhhTUR3eApIekFkQmdOVkJBb1RGbXQxWW1WaFpHMDZZMngxYzNSbGNpMWhaRzFwYm5NeEdUQVhCZ05WQkFNVEVHdDFZbVZ5CmJtVjBaWE10WVdSdGFXNHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFET2tLbUIKcGxBOE4wYktYaFF3YmRGd3ptMC9BT1NvUFg4R0hSSTZDRktXYU1LZjJKNjZDWk9LV0hEMjFiVFFCZ2VXOU5qdwpZNjBqbXlCcE5wS3MrYW1Say9ZWWdnVFg5Qm4ydEFSSDdQNEF6MlVRTktlZ0tNYkVyZFgyYzVVRzg1MldJbk8rCmxyb0sxWUY1OG8zb0IyUmxTZ3NaZ2RyZWh5WlFBekVHUjUxZFdER2hwS3kwNExHNXhUSGNsV0lONUpkRC9qemYKbUIzSkozNUFTRFlLU25ia3g5Rjk4bjYvMm9MVDgvNnF5bmhSTm9tNUVHZUNpSVUyY0ZHQVNESk1Scm1TQ3pNcwpwQm0wWk5sdi91ZDNmU2lzelQwc1JGVG1OUVdSL29sOTlGVVFNQzZWTkFsMGgrY0J4M0poZEExUHc3R0l5WTBDCk05NHN4MzU4YmJqWmt3RW5BZ01CQUFHalZqQlVNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUsKQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjhHQTFVZEl3UVlNQmFBRkZRUjFwY2pTdkV6TE1NZgo0MDRzUnE0cFQ5YkJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJHazlZLytQbGl2VXk4ajRxWnJKMFpaVUZqCk1XWHNQeEtveUh4SHdnMXpYczBIY29oSWFhNVYyblVUb1dqRFNZYWppak5ZbTg4U3czdms1YVlDUEphaVRZWFoKZVZPY05qY09FRVVZZE5zRU0zNFNSWTArVHlpNXk2OS9Bc20zckJyRTZRZlc3YThzTHZOS2ZNZmdsT1BRWmxhcwpIQmpNVGFjS0tmWmo0RnlFMm41dzRQblM0WU9PdmkzTmcxYmFRcVNneHJNOGpKSG1BRFluU0xwMnhyU0NBWEdZCkZBMSsrNlA1STVLVEpGWHUzRWE3RTBZYkxyQXJoQkNrbWVLTWtmcEJVTXhoUVBPcTV4RzlwajMvL0NoRXk0aGUKekdyMVAvQml1a1FEZHRSMXRKb0dVLzQ1WXlSczZtclJZWU42eWtkaEV6dUlVUzhBY05SY2dhd3ZhcDArCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBenBDcGdhWlFQRGRHeWw0VU1HM1JjTTV0UHdEa3FEMS9CaDBTT2doU2xtakNuOWllCnVnbVRpbGh3OXRXMDBBWUhsdlRZOEdPdEk1c2dhVGFTclBtcGtaUDJHSUlFMS9RWjlyUUVSK3orQU05bEVEU24Kb0NqR3hLM1Y5bk9WQnZPZGxpSnp2cGE2Q3RXQmVmS042QWRrWlVvTEdZSGEzb2NtVUFNeEJrZWRYVmd4b2FTcwp0T0N4dWNVeDNKVmlEZVNYUS80ODM1Z2R5U2QrUUVnMkNrcDI1TWZSZmZKK3Y5cUMwL1ArcXNwNFVUYUp1UkJuCmdvaUZObkJSZ0VneVRFYTVrZ3N6TEtRWnRHVFpiLzduZDMwb3JNMDlMRVJVNWpVRmtmNkpmZlJWRURBdWxUUUoKZElmbkFjZHlZWFFOVDhPeGlNbU5BalBlTE1kK2ZHMjQyWk1CSndJREFRQUJBb0lCQUFnaUtSSjZUbmw0Z2JpUgpLTUZaYWFCRCtJZzlERVBWbkExTkVyMG5PNzFCWmJ4dWhwMXpxQlFQOUc2N3JuRnNjMXNOekFiM0hjZWpvWXlUCkFnWitsQjh2ME1aWlJFQ09rNEVqeUhGZWt3Zk1Jc0lYR0t5VlBuSmJGK3dxMCtqZ3FjbFNGUFdoc0xTaGdJWWgKTjFZMkNFMTJzMll2TjBPQTFkRGJ0MC8wZk8xQ2JDSGd0a0IrQkRCQlBVbUkva201dUVTOTRKTmpJWE1pbW5KdwpZWU01OHhXSWF2RGs5eUVyQ0JUcHhmTW5wNzZnN3duT0dxb3lXU2ZlZFdsbXRUNlliTlBid1MwbzRBSmhhT3NQCnNvdm44ekhOa0VacmEvVTZuSVREdTJlTEUzUDdsME8rTGFMRXhhY2VlalM0aW12eG53T0l1Q1l0NW10cDVONlYKeXduVXk3a0NnWUVBNWV2NEhyTlZnaE9aRTJ4cG9HUmlNdDJKRS9xOTVYQXlGM3QwZVFDbi8vK3lZeFgvVXZsOAo1TGd0VklKb3l1OEIwejlIUWdNQnlOMnZhK0xSd1c3NlY3UkFPMVgrMnpHa1RCbWRERkdRRXFSSE12Zk50UkltCmc5K0tJT1dzbWRSYVRLaXNEQS91RkpjdFdFMEJpRnk3cTNTVk16NHhuR0NsUklWdlFSVW40RzhDZ1lFQTVmNkIKb3F1T01hZnFaQnBVakNzcmxvQzdrSEEzUGRPNFljRTVJWjhYY2xWSStKNDVnV0JFWlFWcmFMMGhRTk1WaTdIRgo3TjhjRGdWY0lEVzdPYm5FRk5yTys0Ui9oNEF1U3g3ZGdVNm1mY2I1QXVvODhzeUNtaW5mbFZ2ZHJsVElCTStyCkJYdkdSaG5WOExFRTFWdGtNSjlxbVJHaDNuWWtGVTk0SVpoSjFza0NnWUVBMVFsVG1YNnBHQ0Y0a0pxL05ESlAKR3JwU0xRVUR0dmZDTWlmZHY5QnYyYS9lWmhrWHZwWVV0d2hBV0RHTlQ1c3RvY0xjRDdvaGlUQi9QZ09vUHdiSgpSMEpvMFpIWTF0aWtWeTdVYVhtWmVPeG1YRDluaHdNT1ZOcG5iaHZoVlplQkk4NlZ1NGQzSGZVRnV1OS9JQTVzCmhXMDhZWUtiRFQ0dlk5SVBSOHFHYkZrQ2dZRUFtZVdVUHhKR2dxbVdhTWRKbmNWaFZFTHR2dmVucjBKVmxXdmkKMjhHRndlYVpmbXI1bGIyaDVtc2E5U25nNzJ5UGRUdE9jbkxVWmZsbUxOTm5aWGdOWWRzTU56YncwdTJOakl5cApzVlc4aUZzMDBxT0Vodjhid1NhVnltNS9ScURLZXBXdkhXczJRRUFYYlFnMmNNSEhwOVYwVWRwL2tzbEEyZFdrClQrNkVNaWtDZ1lCMkI3UmV2WEtZZjY2V09mQ3B1cFY0emhHUTJncDU1Qk1scTFTcVZMZktwMkJCS0V5TW9Pa1QKVnoyMWllRHowbXhjY1QwbFA4YzNVbG9uUkhuZWhNTFhnR0dXRlhad2hjZkl3Y2h3RjRwU3VoVldVL01kdEs1Vgo2cmNlVU1tUFFaSkVNeVJ1MkQ0M1IwV1ZRRnpYSHVXc29EbXREa3NjUUtQMlBXT25vdy9vWkE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

5
install_development.sh
View File

@@ -1,5 +0,0 @@
#!/bin/bash
RELEASE_NAME=dev
RELEASE_NAMESPACE=dev
helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml

426
oc-k8s.sh Executable file
View File

@@ -0,0 +1,426 @@
#!/bin/bash
REPOS=(
"oc-auth"
"oc-catalog"
"oc-datacenter"
"oc-front"
"oc-monitord"
"oc-peer"
"oc-shared"
"oc-scheduler"
"oc-schedulerd"
"oc-workflow"
"oc-workspace"
)
main_replace_db() {
FILES=$(ls $1 | grep .json)
RELEASE=${2:-dev}
DB_NAME=${3:-opencloud}
POD_NAME=$(kubectl get pods --all-namespaces -o=name | grep $RELEASE-mongodb-*)
main_delete_db
main_install_db
}
main_delete_db() {
FILES=$(ls $1 | grep .json)
RELEASE=${2:-dev}
DB_NAME=${3:-opencloud}
POD_NAME=$(kubectl get pods --all-namespaces -o=name | grep $RELEASE-mongodb-*)
kubectl exec ${POD_NAME/pod\//}: -- mongosh --eval "db.getSiblingDB('$DB_NAME').dropDatabase()"
}
main_install_db() {
FILES=$(ls $1 | grep .json)
RELEASE=${2:-dev}
DB_NAME=${3:-opencloud}
POD_NAME=$(kubectl get pods --all-namespaces -o=name | grep $RELEASE-mongodb-*)
for file in "${FILES[@]}"; do
echo "ADD file $file in collection ${file/.json/} : ${POD_NAME/pod\//}"
kubectl cp $file ${POD_NAME/pod\//}:/tmp/$file
kubectl exec ${POD_NAME/pod\//}: -- mongoimport --db $DB_NAME --collection ${file/.json/} --file /tmp/$file --jsonArray
done
}
main_install() {
main_install_k3s
main_install_kind ${@:1}
main_install_helm
}
main_install_k3s() {
sudo /usr/local/bin/k3s-uninstall.sh | true
sudo rm -rf /etc/rancher /var/lib/rancher ~/.kube | true
curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644
sudo systemctl status k3s
}
main_install_helm() {
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash # install helm
helm version
}
main_install_kind() {
ARCH=${1:-linux-amd64} # linux-amd64 linux-arm64 darwin-amd64 darwin-arm64 windows-amd64.exe
VERSION=${2:-v0.30.0}
if [[ "$ARCH" =~ *windows* ]]; then
ARCH=${ARCH}.exe
fi
curl -Lo kind-linux-amd64 https://kind.sigs.k8s.io/dl/${VERSION}/kind-${ARCH}
}
# values template
main_create_values() {
set -euo pipefail
if [[ -z "${1:-}" ]]; then
echo "Error: No RELEASE PROVIDED."
main_help_values
exit 1
fi
TEMPLATE_FILE=./opencloud/values.yaml.template
ENV_FILE=${2:-}
OUTPUT_FILE="./opencloud/values/$1-values.yaml"
# Load environment variables from env file
if [[ -f "$ENV_FILE" ]]; then
set -a
source "$ENV_FILE"
set +a
fi
export RELEASE=$1
# Process the template
awk '
{
line = $0
# match ${VAR:-default} patterns
while (match(line, /\$\{([A-Za-z_][A-Za-z0-9_]*):-([^}]+)\}/, arr)) {
varname = arr[1]
defaultval = arr[2]
# get environment value or default
cmd = "bash -c '\''echo ${" varname ":-" defaultval "}'\''"
cmd | getline value
close(cmd)
line = substr(line, 1, RSTART-1) value substr(line, RSTART+RLENGTH)
}
print line
}' "$TEMPLATE_FILE" > "$OUTPUT_FILE"
echo "Rendered $OUTPUT_FILE from $TEMPLATE_FILE using $ENV_FILE"
}
# HELM SERVICE
main_create_helm() {
RELEASE_NAME=${1:-dev}
RELEASE_NAMESPACE=${1:-dev}
main_delete_helm "${1:-dev}" | true
helm dependency update
helm dependency build
kubectl delete sc longhorn-nor1
#kubectl apply -f ./opencloud/templates/sc-longhorn-nor1.yaml
#kubectl label storageclass longhorn-nor1 app.kubernetes.io/managed-by=Helm
#kubectl annotate storageclass longhorn-nor1 \
# meta.helm.sh/release-name=${RELEASE_NAMESPACE} \
# meta.helm.sh/release-namespace=${RELEASE_NAMESPACE}
ulimit -n 1000000
helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f ./opencloud/values/${RELEASE_NAME}-values.yaml --debug
kind get kubeconfig --name opencloud > ./deployed_config
kind export logs ./kind-logs
}
main_upgrade_helm() {
RELEASE_NAME=${1:-dev}
RELEASE_NAMESPACE=${1:-dev}
helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f ./opencloud/values/${RELEASE_NAME}-values.yaml
}
main_delete_helm() {
RELEASE_NAME=${1:-dev}
RELEASE_NAMESPACE=${1:-dev}
helm uninstall ${RELEASE_NAME} -n ${RELEASE_NAMESPACE}
kubectl delete namespace ${RELEASE_NAMESPACE} &
export KUBECONFIG=$(realpath ~/.kube/config)
}
# CLUSTER SERVICE
build_service() {
local repo_url="https://cloud.o-forge.io/core/$1.git"
local branch=${2:-main}
local target=${3:-all}
local repo_name=$(basename "$repo_url" .git)
server=$(grep 'server:' ~/.kube/config | awk '{print $2}')
host=$(ip -4 addr show $(ip route | awk '/default/ {print $5}') | awk '/inet / {print $2}' | cut -d/ -f1)
port=6443
ca=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
cert=$(kubectl config view --raw --minify -o jsonpath='{.users[0].user.client-certificate-data}')
key=$(kubectl config view --raw --minify -o jsonpath='{.users[0].user.client-key-data}')
echo "Processing repository: $repo_name"
if [ ! -d "$1" ]; then
echo "Cloning repository: $repo_name"
git clone "$repo_url"
if [ $? -ne 0 ]; then
echo "Error cloning $repo_url"
exit 1
fi
fi
echo "Repository '$repo_name' now exists. Pulling latest changes..."
cd "$repo_name" && git checkout $branch && git pull
echo "Running 'make $target' in $repo_name"
export HOST="${2:-http://beta.opencloud.com/}" && export KUBERNETES_SERVICE_HOST=$host && export KUBERNETES_SERVICE_PORT=$port \
&& export KUBE_CA=$ca && export KUBE_CERT=$cert && export KUBE_DATA=$key && make "$target"
if [ $? -ne 0 ]; then
echo "Error: make $target failed in $dir"
exit 1
fi
cd ..
}
main_build_services() {
branch=${1:-main}
target=${2:-all}
# docker system prune -af
cd ..
# Iterate through each repository in the list
for repo in "${REPOS[@]}"; do
build_service "$repo" "$branch" "$target"
done
echo "All repositories processed successfully."
}
# CLUSTER CONTROLLER
main_delete_cluster() {
kind delete cluster --name opencloud | true
}
main_create_cluster() {
main_delete_cluster | true
kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.9.0/deploy/longhorn.yaml
cat <<EOF | kind create cluster --name opencloud --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 30950
hostPort: 80
protocol: TCP
- containerPort: 30951
hostPort: 443
protocol: TCP
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."locahost:5000"]
endpoint = ["http://dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
endpoint = ["http://dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."dev-docker-registry-ui-registry-server.opencloud.svc.cluster.local:5000".tls]
insecure_skip_verify = true
cert_file = ""
key_file = ""
ca_file = ""
EOF
echo "[WARNING] New cluster shoulw be merged into your current config !"
# Export the kind cluster kubeconfig to a temporary file
kind get kubeconfig --name opencloud > /tmp/kind-opencloud.kubeconfig
# Merge the temporary kubeconfig with your existing one safely
KUBECONFIG=~/.kube/config:/tmp/kind-opencloud.kubeconfig kubectl config view --flatten --merge --minify > /tmp/merged-kubeconfig.yaml
# Replace the original kubeconfig safely
mv /tmp/merged-kubeconfig.yaml ~/.kube/config
chmod 600 ~/.kube/config
# Verify the contexts
kubectl config get-contexts
# Switch to the new kind cluster context
kubectl config use-context kind-opencloud
}
main_help_k3s() {
echo "
Cluster commands: oc-k8s <action> k3s
install - Install k3s
help - Show this help message
Usage:
oc-k8s install k3s
oc-k8s help values
"
}
main_help_kind() {
echo "
Cluster commands: oc-k8s <action> kind
install - Install kind
help - Show this help message
Usage:
oc-k8s install kind [arch] [version]
arch - Arch of OS (required)
kind_version - version of kind (required)
oc-k8s help values
"
}
main_help_values() {
echo "
Cluster commands: oc-k8s <action> values
create - Create a new values release yaml
help - Show this help message
Usage:
oc-k8s create values [release] [env_file (optionnal)]
release - Release values name (required)
env_file - env to map (optionnal)
oc-k8s help values
"
}
main_help_db() {
echo "
Cluster commands: oc-k8s <action> cluster
create - Add datas in db
replace - Replace datas in db
delete - Delete datas in db
help - Show this help message
Usage:
oc-k8s create db [file_path] [release] [db_name]
file_path - Datas folder files path (required)
release - Release values name (default: dev)
db_name - db name (default: opencloud)
oc-k8s replace db [file_path] [release] [db_name]
file_path - Datas folder files path (required)
release - Release values name (default: dev)
db_name - db name (default: opencloud)
oc-k8s delete db [file_path] [release] [db_name]
file_path - Datas folder files path (required)
release - Release values name (default: dev)
db_name - db name (default: opencloud)
oc-k8s help db
"
}
main_help_cluster() {
echo "
Cluster commands: oc-k8s <action> cluster
create - Create a new kind cluster named 'opencloud'
delete - Delete the kind cluster named 'opencloud'
help - Show this help message
Usage:
oc-k8s create cluster
oc-k8s delete cluster
oc-k8s help cluster
"
}
main_help_services() {
echo "
Service commands: oc-k8s <action> services
build - Build all opencloud services
help - Show this help message
Usage:
oc-k8s build services [branch] [target]
branch - Git branch to build (default: main)
target - make target (default: all)
oc-k8s help services
"
}
main_help_helm() {
echo "
Helm commands: oc-k8s <action> helm
install - Install Helm
create - Install a helm release for the given environment (default: dev)
delete - Uninstall a helm release for the given environment (default: dev)
help - Show this help message
Usage:
oc-k8s install helm
oc-k8s create helm [env]
env - environnement selected (default: dev)
oc-k8s upgrade helm [env]
env - environnement selected (default: dev)
oc-k8s delete helm [env]
env - environnement selected (default: dev)
oc-k8sh help helm
"
}
main_help_all() {
echo "
Main commands: oc-k8s <action>
install - Install opencloud dependancies [arch] [version]
start - Start opencloud k8s
stop - Stop opencloud k8s
Usage:
oc-k8s install [arch] [version]
arch - Arch of OS (required)
kind_version - version of kind (required)
oc-k8s start [env] [branch] [target]
env - environnement selected (default: dev)
branch - Git branch to build (default: main)
target - make target (default: all)
oc-k8s stop
"
main_help_cluster
main_help_services
main_help_helm
main_help_values
main_help_k3s
main_help_kind
main_help_db
}
main_start() {
sudo sysctl -w fs.inotify.max_user_instances=256
sudo /etc/init.d/apache2 stop
sudo nginx -s stop
main_create_cluster
main_build_services "${@:2}"
cd ./oc-k8s
main_create_helm $1
}
main_stop() {
main_delete_helm "${@:1}" | true
main_delete_cluster "${@:1}" | true
}
if declare -f main_${1} > /dev/null; then
main_${1} "${@:2}"
elif declare -f main_${1}_${2} > /dev/null; then
main_${1}_${2} "${@:3}"
else
echo "Function does not exist"
main_help_all
fi

3
opencloud/.helmignore
View File

@@ -21,3 +21,6 @@
.idea/
*.tmproj
.vscode/
#custom
templates/registry/dockerconfigjson

15
opencloud/Chart.yaml
View File

@@ -5,7 +5,6 @@ type: application
version: 0.0.1
appVersion: "0.0.1"
# TODO: grafana, loki
dependencies:
- name: openldap
repository: https://jp-gouin.github.io/helm-openldap/
@@ -28,7 +27,7 @@ dependencies:
repository: "https://cowboysysop.github.io/charts/"
condition: mongo-express.enabled
- name: hydra
version: "0.50.2"
version: "0.50.6"
repository: "https://k8s.ory.sh/helm/charts"
condition: hydra.enabled
- name: keto
@@ -43,3 +42,15 @@ dependencies:
version: "8.6.4"
repository: "https://grafana.github.io/helm-charts"
condition: grafana.enabled
- name: argo-workflows
version: "0.45.4"
repository: "https://argoproj.github.io/argo-helm"
condition: argo-workflows.enabled
- name: docker-registry-ui
version: 1.1.3
repository: "https://helm.joxit.dev/"
condition: docker-registry-ui.enabled
- name: prometheus
version: "27.45.0"
repository: "https://prometheus-community.github.io/helm-charts"
condition: prometheus.enabled

129
opencloud/README.md Normal file
View File

@@ -0,0 +1,129 @@
# HOW TO MAKE YOUR PROPER VALUES.YAML
Use command :
```
oc-k8s create values [release] [env_file (optionnal)]
```
or
```
./oc-k8s.sh create values [release] [env_file (optionnal)]
```
Map in a env file, any Variable you wish to override and give the path.
## ENV VARIABLE
| Variable | Default | Purpose / Explanation |
| -------------- | ---------------------- | --------------------------------------------------------------------------------- |
| `HOST` | `exemple.com` | Domain for reverse proxy rules (Traefik). |
| `REGISTRY_HOST` | `registry.exemple.com` | Docker registry URL for reverse proxy and pull secrets. |
## MONGO VARIABLE
| Variable | Default | Purpose / Explanation |
| ------------------- | ----------- | ------------------------------------------ |
| `OC_MONGO_ENABLED` | `true` | Enable/disable MongoDB deployment. |
| `OC_MONGO_ADMIN` | `admin` | Root username for MongoDB. |
| `OC_MONGO_PWD` | `admin` | Root password. |
| `OC_MONGO_DATABASE` | `opencloud` | Default database to create. |
| `OC_MONGO_SIZE` | `5000Mi` | Persistent storage size for MongoDB. |
## MONGO EXPRESS VARIABLE
| Variable | Default | Purpose / Explanation |
| ----------------------------------------- | -------------------------------------------------------- | ------------------------------------------- |
| `OC_MONGOEXPRESS_ENABLED` | `true` | Enable mongo-express UI. |
| `OC_MONGOEXPRESS_ADMIN` | `${OC_MONGO_ADMIN:-admin}` | Admin username to connect to MongoDB. |
| `OC_MONGOEXPRESS_PWD` | `${OC_MONGO_PWD:-admin}` | Admin password. |
## NATS VARIABLE
| Variable | Default | Explanation |
| ----------------- | ------- | -------------------------------------- |
| `OC_NATS_ENABLED` | `true` | Deploy NATS cluster. |
| `OC_NATS_SIZE` | `20Mi` | Storage size for JetStream file store. |
## OpenLDAP VARIABLE
| Variable | Default | Explanation |
| --------------------------- | ---------------------------- | -------------------------------------------------------- |
| `OC_LDAP_ENABLED` | `true` | Deploy OpenLDAP server. |
| `OC_LDAP_IMAGE` | `osixia/openldap` | Docker image for OpenLDAP. |
| `OC_LDAP_ORGANISATION` | `Opencloud` | LDAP organization name. |
| `OC_LDAP_DOMAIN` | `opencloud.com` | LDAP domain. |
| `OC_LDAP_TLS` | `false` | Enable TLS for LDAP. |
| `OC_LDAP_ADMIN_PWD` | `admin` | LDAP admin password. |
| `OC_LDAP_CONFIG_PWD` | `config` | Password for configuration account. |
| `OC_LDAP_EXTERNAL` | `false` | Connect to external LDAP instead of internal deployment. |
| `OC_LDAP_EXTERNAL_ENDPOINT` | (none) | LDAP server URL. |
| `OC_LDAP_EXTERNAL_DN` | `cn=admin,dc=example,dc=com` | Bind DN for external LDAP. |
| `OC_LDAP_EXTERNAL_PWD` | `admin` | Bind password for external LDAP. |
## Prometheus VARIABLE
| Variable | Default | Explanation |
| ------------------------------- | ------- | ------------------------- |
| `OC_PROMETHEUS_ENABLED` | `true` | Enable Prometheus server. |
| `OC_PROMETHEUS_SIZE` | `5Gi` | Persistent volume size. |
| `OC_PROMETHEUS_LIMITS_CPU` | `500m` | CPU limit. |
| `OC_PROMETHEUS_LIMITS_MEMORY` | `512Mi` | Memory limit. |
| `OC_PROMETHEUS_REQUESTS_CPU` | `128m` | CPU request. |
| `OC_PROMETHEUS_REQUESTS_MEMORY` | `256Mi` | Memory request. |
## Grafana VARIABLE
| VARIABLE | DEFAULT | DESCRIPTION |
| -------------------------------------- | ----------- | ------------------------------------------------------------------------------------ |
| `OC_GRAFANA_ENABLED` | `true` | Enable or disable Grafana deployment. |
| `OC_GRAFANA_ADMIN_USER` | `admin` | Username for the Grafana admin account. |
| `OC_GRAFANA_ADMIN_PWD` | `admin` | Password for the Grafana admin account. |
| `OC_GRAFANA_SIZE` | `1Gi` | Size of the persistent volume for Grafana. |
## Traefik VARIABLE
| Variable | Default | Explanation |
| ------------------------------- | ------- | ------------------------- |
| `OC_TRAEFIK_ENABLED` | `true` | Enable Traefik server. |
## Hydra VARIABLE
| Variable | Default | Explanation |
| ------------------ | ------------------------------------------------------------------------ | ------------------------------------------- |
| `OC_HYDRA_ENABLED` | `true` | Deploy Hydra (OAuth2). |
## Keto VARIABLE
| VARIABLE | DEFAULT | DESCRIPTION |
| ---------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------- |
| `OC_KETO_ENABLED` | `true` | Enable or disable Keto deployment. |
## Loki VARIABLE
| VARIABLE | DEFAULT | DESCRIPTION |
| ---------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------- |
| `OC_LOKI_ENABLED` | `true` | Enable or disable Loki deployment. |
| `OC_LOKI_SIZE` | `1Gi` | Resource allowed. |
## Minio VARIABLE
| VARIABLE | DEFAULT | DESCRIPTION |
| ---------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------- |
| `OC_MINIO_ENABLED` | `true` | Enable or disable Minio deployment. |
## Argo VARIABLE
| VARIABLE | DEFAULT | DESCRIPTION |
| ------------------------------------------ | --------------- | ---------------------------------------------- |
| `OC_ARGO_ENABLED` | `false` | Enable or disable Argo Workflows deployment. |
## OC API VARIABLE
| Variable | Default | Explanation |
| ------------------------------------ | ------------ | --------------------------------- |
| `OC_<APP>_ENABLED` | true | Deploy the service. |
| `OC_<APP>_IMAGE` | registry URL | Docker image. |
| `OC_<APP>_LIMITS_CPU/MEMORY` | 128m / 256Mi | Resource limits. |
| `OC_<APP>_REQUESTS_CPU/MEMORY` | 128m / 256Mi | Resource requests. |
| `OC_<APP>_REPLICAS_ENABLED` | true | Enable Horizontal Pod Autoscaler. |
| `OC_<APP>_REPLICAS_MAX` | 5 | Max replicas. |
| `OC_<APP>_REPLICAS_USAGE` | 80 | HPA target CPU usage (%). |

23
opencloud/charts/argo-workflows/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
ci/
*.gotmpl

20
opencloud/charts/argo-workflows/Chart.yaml Normal file
View File

@@ -0,0 +1,20 @@
annotations:
artifacthub.io/changes: |
- kind: added
description: Support configuring workflow events in the controller
artifacthub.io/signKey: |
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
apiVersion: v2
appVersion: v3.6.2
description: A Helm chart for Argo Workflows
home: https://github.com/argoproj/argo-helm
icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png
maintainers:
- name: argoproj
url: https://argoproj.github.io/
name: argo-workflows
sources:
- https://github.com/argoproj/argo-workflows
type: application
version: 0.45.4

410
opencloud/charts/argo-workflows/README.md Normal file
View File

@@ -0,0 +1,410 @@
# Argo Workflows Chart
This is a **community maintained** chart. It is used to set up argo and its needed dependencies through one command. This is used in conjunction with [helm](https://github.com/kubernetes/helm).
If you want your deployment of this helm chart to most closely match the [argo CLI](https://github.com/argoproj/argo-workflows), you should deploy it in the `kube-system` namespace.
## Pre-Requisites
### Custom resource definitions
Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart.
Helm cannot upgrade custom resource definitions in the `<chart>/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 3.4.0 (chart version 0.19.0), the CRDs have been moved to `<chart>/templates` to address this design decision.
If you are using Argo Workflows chart version prior to 3.4.0 (chart version 0.19.0) or have elected to manage the Argo Workflows CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo:
```bash
kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=<appVersion>"
# Eg. version v3.3.9
kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v3.3.9"
```
### ServiceAccount for Workflow Spec
In order for each Workflow run, you create ServiceAccount via `values.yaml` like below.
```yaml
workflow:
serviceAccount:
create: true
name: "argo-workflow"
rbac:
create: true
controller:
workflowNamespaces:
- default
- foo
- bar
```
Set ServiceAccount on Workflow.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: hello-world-
spec:
entrypoint: whalesay
serviceAccountName: argo-workflow # Set ServiceAccount
templates:
- name: whalesay
container:
image: docker/whalesay
command: [ cowsay ]
args: [ "hello world" ]
```
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm repo add argo https://argoproj.github.io/argo-helm
"argo" has been added to your repositories
$ helm install my-release argo/argo-workflows
NAME: my-release
...
```
## Changelog
For full list of changes, please check ArtifactHub [changelog].
## Usage Notes
### High Availability
This chart installs the non-HA version of Argo Workflows by default. If you want to run in HA mode, you can use [these example values](ci/ha-values.yaml) as a starting point.
Please see the upstream [Operator Manual's High Availability page](https://argo-workflows.readthedocs.io/en/stable/high-availability/) to understand how to scale Argo Workflows in depth.
### Workflow controller
This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of its configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs.
### Argo Workflows server authentication
Argo Workflows server provides some choices for authentication mechanism and you can configure `.Values.server.authModes`. By default, authentication mode is `[server]`, for local development purposes or cases where your gateway authentication is covered by some other means.
Please refer to [Argo Server Auth Mode] for more details.
Argo Workflows server also supports SSO and you can enable it to configure `.Values.server.sso` and `.Values.server.authModes`. In order to manage access levels, you can optionally add RBAC to SSO. Please refer to [SSO RBAC] for more details.
## Values
The `values.yaml` contains items used to tweak a deployment of this chart.
Fields to note:
- `controller.instanceID.enabled`: If set to true, the Argo Controller will **ONLY** monitor Workflow submissions with a `--instanceid` attribute
- `controller.instanceID.useReleaseName`: If set to true then chart set controller instance id to release name
- `controller.instanceID.explicitID`: Allows customization of an instance id for the workflow controller to monitor
- `singleNamespace`: When true, restricts the workflow controller to operate
in just the single namespace (that one of the Helm release).
- `controller.workflowNamespaces`: This is a list of namespaces where the
workflow controller will manage workflows. Only valid when `singleNamespace`
is false.
### General parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| apiVersionOverrides.autoscaling | string | `""` | String to override apiVersion of autoscaling rendered by this helm chart |
| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart |
| apiVersionOverrides.monitoring | string | `""` | String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart |
| commonLabels | object | `{}` | Labels to set on all resources |
| crds.annotations | object | `{}` | Annotations to be added to all CRDs |
| crds.install | bool | `true` | Install and upgrade CRDs |
| crds.keep | bool | `true` | Keep CRDs on chart uninstall |
| createAggregateRoles | bool | `true` | Create clusterroles that extend existing clusterroles to interact with argo-cd crds |
| emissary.images | list | `[]` | The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used. |
| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
| fullnameOverride | string | `nil` | String to fully override "argo-workflows.fullname" template |
| images.pullPolicy | string | `"Always"` | imagePullPolicy to apply to all containers |
| images.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
| images.tag | string | `""` | Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`. |
| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests |
| nameOverride | string | `nil` | String to partially override "argo-workflows.fullname" template |
| namespaceOverride | string | `.Release.Namespace` | Override the namespace |
| singleNamespace | bool | `false` | Restrict Argo to operate only in a single namespace (the namespace of the Helm release) by apply Roles and RoleBindings instead of the Cluster equivalents, and start workflow-controller with the --namespaced flag. Use it in clusters with strict access policy. |
### Workflow
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| workflow.namespace | string | `nil` | Deprecated; use controller.workflowNamespaces instead. |
| workflow.rbac.agentPermissions | bool | `false` | Allows permissions for the Argo Agent. Only required if using http/plugin templates |
| workflow.rbac.artifactGC | bool | `false` | Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc |
| workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) |
| workflow.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
| workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
| workflow.serviceAccount.labels | object | `{}` | Labels applied to created service account |
| workflow.serviceAccount.name | string | `"argo-workflow"` | Service account which is used to run workflows |
| workflow.serviceAccount.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets` |
### Workflow Controller
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.affinity | object | `{}` | Assign custom [affinity] rules |
| controller.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. |
| controller.clusterWorkflowTemplates.serviceAccounts | list | `[]` | Extra service accounts to be added to the ClusterRoleBinding |
| controller.columns | list | `[]` | Configure Argo Server to show custom [columns] |
| controller.configMap.annotations | object | `{}` | ConfigMap annotations |
| controller.configMap.create | bool | `true` | Create a ConfigMap for the controller |
| controller.configMap.name | string | `""` | ConfigMap name |
| controller.cronWorkflowWorkers | string | `nil` | Number of cron workflow workers Only valid for 3.5+ |
| controller.deploymentAnnotations | object | `{}` | deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment |
| controller.extraArgs | list | `[]` | Extra arguments to be added to the controller |
| controller.extraContainers | list | `[]` | Extra containers to be added to the controller deployment |
| controller.extraEnv | list | `[]` | Extra environment variables to provide to the controller container |
| controller.extraInitContainers | list | `[]` | Enables init containers to be added to the controller deployment |
| controller.image.registry | string | `"quay.io"` | Registry to use for the controller |
| controller.image.repository | string | `"argoproj/workflow-controller"` | Registry to use for the controller |
| controller.image.tag | string | `""` | Image tag for the workflow controller. Defaults to `.Values.images.tag`. |
| controller.initialDelay | string | `nil` | Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224 |
| controller.instanceID.enabled | bool | `false` | Configures the controller to filter workflow submissions to only those which have a matching instanceID attribute. |
| controller.instanceID.explicitID | string | `""` | Use a custom instanceID |
| controller.instanceID.useReleaseName | bool | `false` | Use ReleaseName as instanceID |
| controller.kubeConfig | object | `{}` (See [values.yaml]) | Configure when workflow controller runs in a different k8s cluster with the workflow workloads, or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret. |
| controller.links | list | `[]` | Configure Argo Server to show custom [links] |
| controller.livenessProbe | object | See [values.yaml] | Configure liveness [probe] for the controller |
| controller.loadBalancerClass | string | `""` | The class of the load balancer implementation |
| controller.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. Only applies to service type `LoadBalancer` |
| controller.logging.format | string | `"text"` | Set the logging format (one of: `text`, `json`) |
| controller.logging.globallevel | string | `"0"` | Set the glog logging level |
| controller.logging.level | string | `"info"` | Set the logging level (one of: `debug`, `info`, `warn`, `error`) |
| controller.metricsConfig.enabled | bool | `false` | Enables prometheus metrics server |
| controller.metricsConfig.headlessService | bool | `false` | Flag to enable headless service |
| controller.metricsConfig.honorLabels | bool | `false` | When true, honorLabels preserves the metrics labels when they collide with the targets labels. |
| controller.metricsConfig.ignoreErrors | bool | `false` | Flag that instructs prometheus to ignore metric emission errors. |
| controller.metricsConfig.interval | string | `"30s"` | Frequency at which prometheus scrapes metrics |
| controller.metricsConfig.metricRelabelings | list | `[]` | ServiceMonitor metric relabel configs to apply to samples before ingestion |
| controller.metricsConfig.metricsTTL | string | `""` | How often custom metrics are cleared from memory |
| controller.metricsConfig.path | string | `"/metrics"` | Path is the path where metrics are emitted. Must start with a "/". |
| controller.metricsConfig.port | int | `9090` | Port is the port where metrics are emitted |
| controller.metricsConfig.portName | string | `"metrics"` | Container metrics port name |
| controller.metricsConfig.relabelings | list | `[]` | ServiceMonitor relabel configs to apply to samples before scraping |
| controller.metricsConfig.secure | bool | `false` | Flag that use a self-signed cert for TLS |
| controller.metricsConfig.servicePort | int | `8080` | Service metrics port |
| controller.metricsConfig.servicePortName | string | `"metrics"` | Service metrics port name |
| controller.metricsConfig.targetLabels | list | `[]` | ServiceMonitor will add labels from the service to the Prometheus metric |
| controller.name | string | `"workflow-controller"` | Workflow controller name string |
| controller.namespaceParallelism | string | `nil` | Limits the maximum number of incomplete workflows in a namespace |
| controller.navColor | string | `""` | Set ui navigation bar background color |
| controller.nodeEvents.enabled | bool | `true` | Enable to emit events on node completion. |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] |
| controller.parallelism | string | `nil` | parallelism dictates how many workflows can be running at the same time |
| controller.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the controller pods |
| controller.persistence | object | `{}` | enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available. |
| controller.podAnnotations | object | `{}` | podAnnotations is an optional map of annotations to be applied to the controller Pods |
| controller.podCleanupWorkers | string | `nil` | Number of pod cleanup workers |
| controller.podGCDeleteDelayDuration | string | `5s` (Argo Workflows default) | The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately. |
| controller.podGCGracePeriodSeconds | string | `30` seconds (Kubernetes default) | Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately. |
| controller.podLabels | object | `{}` | Optional labels to add to the controller pods |
| controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods |
| controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. |
| controller.rbac.accessAllSecrets | bool | `false` | Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. |
| controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
| controller.rbac.writeConfigMaps | bool | `false` | Allows controller to create and update ConfigMaps. Enables memoization feature |
| controller.replicas | int | `1` | The number of controller pods to run |
| controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
| controller.resources | object | `{}` | Resource limits and requests for the controller |
| controller.retentionPolicy | object | `{}` | Workflow retention by number of workflows |
| controller.revisionHistoryLimit | int | `10` | The number of revisions to keep. |
| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | the controller container's securityContext |
| controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| controller.serviceAccount.create | bool | `true` | Create a service account for the controller |
| controller.serviceAccount.labels | object | `{}` | Labels applied to created service account |
| controller.serviceAccount.name | string | `""` | Service account name |
| controller.serviceAnnotations | object | `{}` | Annotations to be applied to the controller Service |
| controller.serviceLabels | object | `{}` | Optional labels to add to the controller Service |
| controller.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels |
| controller.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor |
| controller.serviceMonitor.namespace | string | `""` | Prometheus ServiceMonitor namespace |
| controller.serviceType | string | `"ClusterIP"` | Service type of the controller Service |
| controller.telemetryConfig.enabled | bool | `false` | Enables prometheus telemetry server |
| controller.telemetryConfig.ignoreErrors | bool | `false` | Flag that instructs prometheus to ignore metric emission errors. |
| controller.telemetryConfig.interval | string | `"30s"` | Frequency at which prometheus scrapes telemetry data |
| controller.telemetryConfig.metricsTTL | string | `""` | How often custom metrics are cleared from memory |
| controller.telemetryConfig.path | string | `"/telemetry"` | telemetry path |
| controller.telemetryConfig.port | int | `8081` | telemetry container port |
| controller.telemetryConfig.secure | bool | `false` | Flag that use a self-signed cert for TLS |
| controller.telemetryConfig.servicePort | int | `8081` | telemetry service port |
| controller.telemetryConfig.servicePortName | string | `"telemetry"` | telemetry service port name |
| controller.tolerations | list | `[]` | [Tolerations] for use with node taints |
| controller.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the workflow controller |
| controller.volumeMounts | list | `[]` | Additional volume mounts to the controller main container |
| controller.volumes | list | `[]` | Additional volumes to the controller pod |
| controller.workflowDefaults | object | `{}` | Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. Only valid for 2.7+ |
| controller.workflowEvents.enabled | bool | `true` | Enable to emit events on workflow status changes. |
| controller.workflowNamespaces | list | `["default"]` | Specify all namespaces where this workflow controller instance will manage workflows. This controls where the service account and RBAC resources will be created. Only valid when singleNamespace is false. |
| controller.workflowRestrictions | object | `{}` | Restricts the Workflows that the controller will process. Only valid for 2.9+ |
| controller.workflowTTLWorkers | string | `nil` | Number of workflow TTL workers |
| controller.workflowWorkers | string | `nil` | Number of workflow workers |
### Workflow Main Container
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| mainContainer.env | list | `[]` | Adds environment variables for the Workflow main container |
| mainContainer.envFrom | list | `[]` | Adds reference environment variables for the Workflow main container |
| mainContainer.imagePullPolicy | string | `""` | imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`. |
| mainContainer.resources | object | `{}` | Resource limits and requests for the Workflow main container |
| mainContainer.securityContext | object | `{}` | sets security context for the Workflow main container |
### Workflow Executor
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| executor.args | list | `[]` | Passes arguments to the executor processes |
| executor.env | list | `[]` | Adds environment variables for the executor. |
| executor.image.pullPolicy | string | `""` | Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`. |
| executor.image.registry | string | `"quay.io"` | Registry to use for the Workflow Executors |
| executor.image.repository | string | `"argoproj/argoexec"` | Repository to use for the Workflow Executors |
| executor.image.tag | string | `""` | Image tag for the workflow executor. Defaults to `.Values.images.tag`. |
| executor.resources | object | `{}` | Resource limits and requests for the Workflow Executors |
| executor.securityContext | object | `{}` | sets security context for the executor container |
### Workflow Server
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| server.GKEbackendConfig.enabled | bool | `false` | Enable BackendConfig custom resource for Google Kubernetes Engine |
| server.GKEbackendConfig.spec | object | `{}` | [BackendConfigSpec] |
| server.GKEfrontendConfig.enabled | bool | `false` | Enable FrontConfig custom resource for Google Kubernetes Engine |
| server.GKEfrontendConfig.spec | object | `{}` | [FrontendConfigSpec] |
| server.GKEmanagedCertificate.domains | list | `["argoworkflows.example.com"]` | Domains for the Google Managed Certificate |
| server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. |
| server.affinity | object | `{}` | Assign custom [affinity] rules |
| server.authMode | string | `""` | Deprecated; use server.authModes instead. |
| server.authModes | list | `[]` | A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well. |
| server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. This is only available on HPA apiVersion `autoscaling/v2beta2` and newer |
| server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server |
| server.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the Argo Server [HPA] |
| server.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the Argo Server [HPA] |
| server.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the Argo Server [HPA] |
| server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo Server [HPA] |
| server.baseHref | string | `"/"` | Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. |
| server.clusterWorkflowTemplates.enableEditing | bool | `true` | Give the server permissions to edit ClusterWorkflowTemplates. |
| server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. |
| server.deploymentAnnotations | object | `{}` | optional map of annotations to be applied to the ui Deployment |
| server.enabled | bool | `true` | Deploy the Argo Server |
| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. |
| server.extraContainers | list | `[]` | Extra containers to be added to the server deployment |
| server.extraEnv | list | `[]` | Extra environment variables to provide to the argo-server container |
| server.extraInitContainers | list | `[]` | Enables init containers to be added to the server deployment |
| server.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files |
| server.image.registry | string | `"quay.io"` | Registry to use for the server |
| server.image.repository | string | `"argoproj/argocli"` | Repository to use for the server |
| server.image.tag | string | `""` | Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`. |
| server.ingress.annotations | object | `{}` | Additional ingress annotations |
| server.ingress.enabled | bool | `false` | Enable an ingress resource |
| server.ingress.extraPaths | list | `[]` | Additional ingress paths |
| server.ingress.hosts | list | `[]` | List of ingress hosts |
| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
| server.ingress.labels | object | `{}` | Additional ingress labels |
| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingress.paths | list | `["/"]` | List of ingress paths |
| server.ingress.tls | list | `[]` | Ingress TLS configuration |
| server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for server container |
| server.loadBalancerClass | string | `""` | The class of the load balancer implementation |
| server.loadBalancerIP | string | `""` | Static IP address to assign to loadBalancer service type `LoadBalancer` |
| server.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. Only applies to service type `LoadBalancer` |
| server.logging.format | string | `"text"` | Set the logging format (one of: `text`, `json`) |
| server.logging.globallevel | string | `"0"` | Set the glog logging level |
| server.logging.level | string | `"info"` | Set the logging level (one of: `debug`, `info`, `warn`, `error`) |
| server.name | string | `"server"` | Server name string |
| server.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] |
| server.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the server pods |
| server.podAnnotations | object | `{}` | optional map of annotations to be applied to the ui Pods |
| server.podLabels | object | `{}` | Optional labels to add to the UI pods |
| server.podSecurityContext | object | `{}` | SecurityContext to set on the server pods |
| server.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages |
| server.rbac.create | bool | `true` | Adds Role and RoleBinding for the server. |
| server.replicas | int | `1` | The number of server pods to run |
| server.resources | object | `{}` | Resource limits and requests for the server |
| server.revisionHistoryLimit | int | `10` | The number of revisions to keep. |
| server.secure | bool | `false` | Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs. |
| server.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Servers container-level security context |
| server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| server.serviceAccount.create | bool | `true` | Create a service account for the server |
| server.serviceAccount.labels | object | `{}` | Labels applied to created service account |
| server.serviceAccount.name | string | `""` | Service account name |
| server.serviceAnnotations | object | `{}` | Annotations to be applied to the UI Service |
| server.serviceLabels | object | `{}` | Optional labels to add to the UI Service |
| server.serviceNodePort | string | `nil` | Service node port |
| server.servicePort | int | `2746` | Service port for server |
| server.servicePortName | string | `""` | Service port name |
| server.serviceType | string | `"ClusterIP"` | Service type for server pods |
| server.sso.clientId.key | string | `"client-id"` | Key of secret to retrieve the app OIDC client ID |
| server.sso.clientId.name | string | `"argo-server-sso"` | Name of secret to retrieve the app OIDC client ID |
| server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret |
| server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret |
| server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups |
| server.sso.enabled | bool | `false` | Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. |
| server.sso.filterGroupsRegex | list | `[]` | Filter the groups returned by the OIDC provider |
| server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client |
| server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider |
| server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers |
| server.sso.rbac.enabled | bool | `true` | Adds ServiceAccount Policy to server (Cluster)Role. |
| server.sso.rbac.secretWhitelist | list | `[]` | Whitelist to allow server to fetch Secrets |
| server.sso.redirectUrl | string | `""` | The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback. |
| server.sso.scopes | list | `[]` | Scopes requested from the SSO ID provider |
| server.sso.sessionExpiry | string | `""` | Define how long your login is valid for (in hours) |
| server.sso.userInfoPath | string | `""` | Specify the user info endpoint that contains the groups claim |
| server.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook |
| server.tmpVolume | object | `{"emptyDir":{}}` | Volume to be mounted in Pods for temporary files. |
| server.tolerations | list | `[]` | [Tolerations] for use with node taints |
| server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the argo server |
| server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. |
| server.volumes | list | `[]` | Additional volumes to the server pod. |
### Artifact Repository
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| artifactRepository.archiveLogs | bool | `false` | Archive the main container logs as an artifact |
| artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage |
| artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store |
| artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store |
| artifactRepositoryRef | object | `{}` (See [values.yaml]) | The section of [artifact repository ref](https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/). Each map key is the name of configmap |
| customArtifactRepository | object | `{}` | The section of custom artifact repository. Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) |
| useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) |
## Breaking changes from the deprecated `argo` chart
1. the `installCRD` value has been removed. CRDs are now only installed from the conventional crds/ directory
1. the CRDs were updated to `apiextensions.k8s.io/v1`
1. the container image registry/project/tag format was changed to be more in line with the more common
```yaml
image:
registry: quay.io
repository: argoproj/argocli
tag: v3.0.1
```
this also makes it easier for automatic update tooling (eg. renovate bot) to detect and update images.
1. switched to quay.io as the default registry for all images
1. removed any included usage of Minio
1. aligned the configuration of serviceAccounts with the argo-cd chart, ie: what used to be `server.createServiceAccount` is now `server.serviceAccount.create`
1. moved the field previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig`
[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
[links]: https://argo-workflows.readthedocs.io/en/stable/links/
[columns]: https://github.com/argoproj/argo-workflows/pull/10693
[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
[probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
[values.yaml]: values.yaml
[changelog]: https://artifacthub.io/packages/helm/argo/argo-workflows?modal=changelog
[SSO RBAC]: https://argo-workflows.readthedocs.io/en/stable/argo-server-sso/
[Argo Server Auth Mode]: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/

11
opencloud/charts/argo-workflows/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,11 @@
{{- if .Values.server.authMode }}
DEPRECATED option server.authMode - Use server.authModes
{{- end }}
1. Get Argo Server external IP/domain by running:
kubectl --namespace {{ .Release.Namespace }} get services -o wide | grep {{ template "argo-workflows.server.fullname" . }}
2. Submit the hello-world workflow by running:
argo submit https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/hello-world.yaml --watch

211
opencloud/charts/argo-workflows/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,211 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create argo workflows server name and version as used by the chart label.
*/}}
{{- define "argo-workflows.server.fullname" -}}
{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create controller name and version as used by the chart label.
*/}}
{{- define "argo-workflows.controller.fullname" -}}
{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "argo-workflows.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "argo-workflows.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "argo-workflows.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create kubernetes friendly chart version label for the controller.
Examples:
image.tag = v3.4.4
output = v3.4.4
image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
output = v3.4.4
*/}}
{{- define "argo-workflows.controller_chart_version_label" -}}
{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag) "") "" | trunc 63 | quote -}}
{{- end -}}
{{/*
Create kubernetes friendly chart version label for the server.
Examples:
image.tag = v3.4.4
output = v3.4.4
image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
output = v3.4.4
*/}}
{{- define "argo-workflows.server_chart_version_label" -}}
{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.server.image.tag) "") "" | trunc 63 | quote -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "argo-workflows.labels" -}}
helm.sh/chart: {{ include "argo-workflows.chart" .context }}
{{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
app.kubernetes.io/managed-by: {{ .context.Release.Service }}
app.kubernetes.io/part-of: argo-workflows
{{- with .context.Values.commonLabels }}
{{ toYaml .}}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "argo-workflows.selectorLabels" -}}
{{- if .name -}}
app.kubernetes.io/name: {{ include "argo-workflows.name" .context }}-{{ .name }}
{{ end -}}
app.kubernetes.io/instance: {{ .context.Release.Name }}
{{- if .component }}
app.kubernetes.io/component: {{ .component }}
app: {{ .component }}
{{- end }}
{{- end }}
{{/*
Create the name of the controller configMap
*/}}
{{- define "argo-workflows.controller.config-map.name" -}}
{{- .Values.controller.configMap.name | default (printf "%s-%s" (include "argo-workflows.controller.fullname" .) "configmap") | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the server service account to use
*/}}
{{- define "argo-workflows.serverServiceAccountName" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (include "argo-workflows.server.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the controller service account to use
*/}}
{{- define "argo-workflows.controllerServiceAccountName" -}}
{{- if .Values.controller.serviceAccount.create -}}
{{ default (include "argo-workflows.controller.fullname" .) .Values.controller.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.controller.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress
*/}}
{{- define "argo-workflows.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "argo-workflows.kubeVersion" $) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "argo-workflows.kubeVersion" $) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "argo-workflows.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
{{- end -}}
{{/*
Return the default Argo Workflows app version
*/}}
{{- define "argo-workflows.defaultTag" -}}
{{- default .Chart.AppVersion .Values.images.tag }}
{{- end -}}
{{/*
Return full image name including or excluding registry based on existence
*/}}
{{- define "argo-workflows.image" -}}
{{- if and .image.registry .image.repository -}}
{{ .image.registry }}/{{ .image.repository }}
{{- else -}}
{{ .image.repository }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for autoscaling
*/}}
{{- define "argo-workflows.apiVersion.autoscaling" -}}
{{- if .Values.apiVersionOverrides.autoscaling -}}
{{- print .Values.apiVersionOverrides.autoscaling -}}
{{- else if semverCompare "<1.23-0" (include "argo-workflows.kubeVersion" .) -}}
{{- print "autoscaling/v2beta1" -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for GKE resources
*/}}
{{- define "argo-workflows.apiVersions.cloudgoogle" -}}
{{- if .Values.apiVersionOverrides.cloudgoogle -}}
{{- print .Values.apiVersionOverrides.cloudgoogle -}}
{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
{{- print "cloud.google.com/v1" -}}
{{- else -}}
{{- print "cloud.google.com/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for monitoring CRDs
*/}}
{{- define "argo-workflows.apiVersions.monitoring" -}}
{{- if .Values.apiVersionOverrides.monitoring -}}
{{- print .Values.apiVersionOverrides.monitoring -}}
{{- else -}}
{{- print "monitoring.coreos.com/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Expand the namespace of the release.
Allows overriding it for multi-namespace deployments in combined charts.
*/}}
{{- define "argo-workflows.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end }}

29
opencloud/charts/argo-workflows/templates/controller/agent-rb.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.workflow.rbac.agentPermissions -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "argo-workflows.fullname" $ }}-workflow-agent
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "argo-workflows.fullname" $ }}-workflow-agent
subjects:
- kind: ServiceAccount
name: {{ $.Values.workflow.serviceAccount.name }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- range $.Values.workflow.rbac.serviceAccounts }}
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ .namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

29
opencloud/charts/argo-workflows/templates/controller/agent-role.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.workflow.rbac.agentPermissions -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-workflows.fullname" $ }}-workflow-agent
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
rules:
- apiGroups:
- argoproj.io
resources:
- workflowtasksets
verbs:
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowtasksets/status
verbs:
- patch
{{- end }}
{{- end }}

29
opencloud/charts/argo-workflows/templates/controller/artifact-gc-rb.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.workflow.rbac.artifactGC -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "argo-workflows.fullname" $ }}-wf-artifactgc
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "argo-workflows.fullname" $ }}-wf-artifactgc
subjects:
- kind: ServiceAccount
name: {{ $.Values.workflow.serviceAccount.name }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- range $.Values.workflow.rbac.serviceAccounts }}
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ .namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

29
opencloud/charts/argo-workflows/templates/controller/artifact-gc-role.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.workflow.rbac.artifactGC -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-workflows.fullname" $ }}-wf-artifactgc
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
rules:
- apiGroups:
- argoproj.io
resources:
- workflowartifactgctasks
verbs:
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowartifactgctasks/status
verbs:
- patch
{{- end }}
{{- end }}

19
opencloud/charts/argo-workflows/templates/controller/artifact-repository-ref-cm.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- range $cm_name, $cm_val := .Values.artifactRepositoryRef }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $cm_name }}
namespace: {{ include "argo-workflows.namespace" $ | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $cm_name) | nindent 4 }}
{{- with $cm_val.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- range $data_key, $data_val := (omit $cm_val "annotations") }}
{{- $data_key | nindent 2 }}: |
{{- toYaml $data_val | nindent 4 }}
{{- end }}
{{- end }}

107
opencloud/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml Normal file
View File

@@ -0,0 +1,107 @@
{{- if .Values.createAggregateRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.fullname" . }}-view
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workfloweventbindings
- workfloweventbindings/finalizers
- workflowtemplates
- workflowtemplates/finalizers
- cronworkflows
- cronworkflows/finalizers
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
- workflowtasksets
- workflowtasksets/finalizers
- workflowtaskresults
- workflowtaskresults/finalizers
- workflowartifactgctasks
- workflowartifactgctasks/finalizers
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.fullname" . }}-edit
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workfloweventbindings
- workfloweventbindings/finalizers
- workflowtemplates
- workflowtemplates/finalizers
- cronworkflows
- cronworkflows/finalizers
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
- workflowtasksets
- workflowtasksets/finalizers
- workflowtaskresults
- workflowtaskresults/finalizers
- workflowartifactgctasks
- workflowartifactgctasks/finalizers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.fullname" . }}-admin
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workfloweventbindings
- workfloweventbindings/finalizers
- workflowtemplates
- workflowtemplates/finalizers
- cronworkflows
- cronworkflows/finalizers
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
- workflowtasksets
- workflowtasksets/finalizers
- workflowtaskresults
- workflowtaskresults/finalizers
- workflowartifactgctasks
- workflowartifactgctasks/finalizers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
{{- end }}

220
opencloud/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml Normal file
View File

@@ -0,0 +1,220 @@
{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- watch
- list
{{- if .Values.controller.rbac.writeConfigMaps }}
- create
- update
{{- end}}
- apiGroups:
- ""
resources:
- persistentvolumeclaims
- persistentvolumeclaims/finalizers
verbs:
- create
- update
- delete
- get
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workflowtasksets
- workflowtasksets/finalizers
- workflowartifactgctasks
verbs:
- get
- list
- watch
- update
- patch
- delete
- create
- apiGroups:
- argoproj.io
resources:
- workflowtemplates
- workflowtemplates/finalizers
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowtaskresults
- workflowtaskresults/finalizers
verbs:
- list
- watch
- deletecollection
- apiGroups:
- argoproj.io
resources:
- cronworkflows
- cronworkflows/finalizers
verbs:
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- apiGroups:
- "policy"
resources:
- poddisruptionbudgets
verbs:
- create
- get
- delete
{{- if .Values.controller.persistence }}
- apiGroups:
- ""
resources:
- secrets
resourceNames:
{{- if .Values.controller.persistence.postgresql }}
- {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
- {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
{{- end}}
{{- if .Values.controller.persistence.mysql }}
- {{ .Values.controller.persistence.mysql.userNameSecret.name }}
- {{ .Values.controller.persistence.mysql.passwordSecret.name }}
{{- end}}
verbs:
- get
{{- end}}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
resourceNames:
{{- if .Values.controller.instanceID.enabled }}
{{- if .Values.controller.instanceID.useReleaseName }}
- workflow-controller-{{ .Release.Name }}
- workflow-controller-lease-{{ .Release.Name }}
{{- else }}
- workflow-controller-{{ .Values.controller.instanceID.explicitID }}
- workflow-controller-lease-{{ .Values.controller.instanceID.explicitID }}
{{- end }}
{{- else }}
- workflow-controller
- workflow-controller-lease
{{- end }}
verbs:
- get
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
resourceNames:
{{/* for HTTP templates */}}
- argo-workflows-agent-ca-certificates
{{- with .Values.controller.rbac.secretWhitelist }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
resourceNames: {{- toYaml . | nindent 4 }}
{{- end }}
{{- if and (not .Values.controller.rbac.secretWhitelist) (.Values.controller.rbac.accessAllSecrets) }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- end }}
{{- if and .Values.controller.clusterWorkflowTemplates.enabled (not .Values.singleNamespace) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
verbs:
- get
- list
- watch
{{- end }}
{{- end }}

214
opencloud/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml Normal file
View File

@@ -0,0 +1,214 @@
{{- if .Values.controller.configMap.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "argo-workflows.controller.config-map.name" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" "cm") | nindent 4 }}
{{- with .Values.controller.configMap.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
config: |
{{- if .Values.controller.instanceID.enabled }}
{{- if .Values.controller.instanceID.useReleaseName }}
instanceID: {{ .Release.Name }}
{{- else }}
instanceID: {{ .Values.controller.instanceID.explicitID }}
{{- end }}
{{- end }}
{{- if .Values.controller.parallelism }}
parallelism: {{ .Values.controller.parallelism }}
{{- end }}
{{- if .Values.controller.resourceRateLimit }}
resourceRateLimit: {{- toYaml .Values.controller.resourceRateLimit | nindent 6 }}
{{- end }}
{{- with .Values.controller.namespaceParallelism }}
namespaceParallelism: {{ . }}
{{- end }}
{{- with .Values.controller.initialDelay }}
initialDelay: {{ . }}
{{- end }}
{{- if or .Values.mainContainer.resources .Values.mainContainer.env .Values.mainContainer.envFrom .Values.mainContainer.securityContext}}
mainContainer:
imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.mainContainer.imagePullPolicy }}
{{- with .Values.mainContainer.resources }}
resources: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mainContainer.env }}
env: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mainContainer.envFrom }}
envFrom: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mainContainer.securityContext }}
securityContext: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if or .Values.executor.resources .Values.executor.env .Values.executor.args .Values.executor.securityContext}}
executor:
imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.executor.image.pullPolicy }}
{{- with .Values.executor.resources }}
resources: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.executor.args }}
args: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.executor.env }}
env: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.executor.securityContext }}
securityContext: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if or .Values.artifactRepository.s3 .Values.artifactRepository.gcs .Values.artifactRepository.azure .Values.customArtifactRepository }}
artifactRepository:
{{- if .Values.artifactRepository.archiveLogs }}
archiveLogs: {{ .Values.artifactRepository.archiveLogs }}
{{- end }}
{{- with .Values.artifactRepository.gcs }}
gcs: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.artifactRepository.azure }}
azure: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.artifactRepository.s3 }}
s3:
{{- if .Values.useStaticCredentials }}
accessKeySecret:
key: {{ tpl .Values.artifactRepository.s3.accessKeySecret.key . }}
name: {{ tpl .Values.artifactRepository.s3.accessKeySecret.name . }}
secretKeySecret:
key: {{ tpl .Values.artifactRepository.s3.secretKeySecret.key . }}
name: {{ tpl .Values.artifactRepository.s3.secretKeySecret.name . }}
{{- if .Values.artifactRepository.s3.sessionTokenSecret }}
sessionTokenSecret:
key: {{ tpl .Values.artifactRepository.s3.sessionTokenSecret.key . }}
name: {{ tpl .Values.artifactRepository.s3.sessionTokenSecret.name . }}
{{- end }}
{{- end }}
bucket: {{ tpl (.Values.artifactRepository.s3.bucket | default "") . }}
endpoint: {{ tpl (.Values.artifactRepository.s3.endpoint | default "") . }}
insecure: {{ .Values.artifactRepository.s3.insecure }}
{{- if .Values.artifactRepository.s3.caSecret }}
caSecret:
name: {{ tpl .Values.artifactRepository.s3.caSecret.name . }}
key: {{ tpl .Values.artifactRepository.s3.caSecret.key . }}
{{- end }}
{{- if .Values.artifactRepository.s3.keyFormat }}
keyFormat: {{ .Values.artifactRepository.s3.keyFormat | quote }}
{{- end }}
{{- if .Values.artifactRepository.s3.region }}
region: {{ tpl .Values.artifactRepository.s3.region $ }}
{{- end }}
{{- if .Values.artifactRepository.s3.roleARN }}
roleARN: {{ .Values.artifactRepository.s3.roleARN }}
{{- end }}
{{- if .Values.artifactRepository.s3.useSDKCreds }}
useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }}
{{- end }}
{{- with .Values.artifactRepository.s3.encryptionOptions }}
encryptionOptions:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.customArtifactRepository }}
{{- toYaml .Values.customArtifactRepository | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.controller.metricsConfig.enabled }}
metricsConfig:
enabled: {{ .Values.controller.metricsConfig.enabled }}
path: {{ .Values.controller.metricsConfig.path }}
port: {{ .Values.controller.metricsConfig.port }}
{{- if .Values.controller.metricsConfig.metricsTTL }}
metricsTTL: {{ .Values.controller.metricsConfig.metricsTTL }}
{{- end }}
ignoreErrors: {{ .Values.controller.metricsConfig.ignoreErrors }}
secure: {{ .Values.controller.metricsConfig.secure }}
{{- end }}
{{- if .Values.controller.telemetryConfig.enabled }}
telemetryConfig:
enabled: {{ .Values.controller.telemetryConfig.enabled }}
path: {{ .Values.controller.telemetryConfig.path }}
port: {{ .Values.controller.telemetryConfig.port }}
{{- if .Values.controller.telemetryConfig.metricsTTL }}
metricsTTL: {{ .Values.controller.telemetryConfig.metricsTTL }}
{{- end }}
ignoreErrors: {{ .Values.controller.telemetryConfig.ignoreErrors }}
secure: {{ .Values.controller.telemetryConfig.secure }}
{{- end }}
{{- if .Values.controller.persistence }}
persistence:
{{ toYaml .Values.controller.persistence | indent 6 }}{{- end }}
{{- if .Values.controller.workflowDefaults }}
workflowDefaults:
{{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}
{{- if .Values.server.sso.enabled }}
sso:
issuer: {{ .Values.server.sso.issuer }}
clientId:
name: {{ .Values.server.sso.clientId.name }}
key: {{ .Values.server.sso.clientId.key }}
clientSecret:
name: {{ .Values.server.sso.clientSecret.name }}
key: {{ .Values.server.sso.clientSecret.key }}
redirectUrl: {{ .Values.server.sso.redirectUrl | quote }}
rbac:
enabled: {{ .Values.server.sso.rbac.enabled }}
{{- with .Values.server.sso.scopes }}
scopes: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.sso.issuerAlias }}
issuerAlias: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.sessionExpiry }}
sessionExpiry: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.customGroupClaimName }}
customGroupClaimName: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.userInfoPath }}
userInfoPath: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.insecureSkipVerify }}
insecureSkipVerify: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.filterGroupsRegex }}
filterGroupsRegex: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.workflowRestrictions }}
workflowRestrictions: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.links }}
links: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.columns }}
columns: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.navColor }}
navColor: {{ . }}
{{- end }}
{{- with .Values.controller.retentionPolicy }}
retentionPolicy: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.emissary.images }}
images: {{- toYaml . | nindent 6 }}
{{- end }}
nodeEvents:
enabled: {{ .Values.controller.nodeEvents.enabled }}
workflowEvents:
enabled: {{ .Values.controller.workflowEvents.enabled }}
{{- with .Values.controller.kubeConfig }}
kubeConfig: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.podGCGracePeriodSeconds }}
podGCGracePeriodSeconds: {{ . }}
{{- end }}
{{- with .Values.controller.podGCDeleteDelayDuration }}
podGCDeleteDelayDuration: {{ . }}
{{- end }}
{{- end }}

50
opencloud/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: RoleBinding
{{ else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if .Values.singleNamespace }}
kind: Role
{{ else }}
kind: ClusterRole
{{- end }}
name: {{ template "argo-workflows.controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- range .Values.controller.clusterWorkflowTemplates.serviceAccounts }}
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ .namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

20
opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.controller.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
spec:
{{- if .Values.controller.pdb.minAvailable }}
minAvailable: {{ .Values.controller.pdb.minAvailable }}
{{- else if .Values.controller.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }}
{{- else }}
minAvailable: 0
{{- end }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
{{- end }}

146
opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Normal file
View File

@@ -0,0 +1,146 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
{{- with .Values.controller.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.controller.replicas }}
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
template:
metadata:
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
{{- with.Values.controller.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "argo-workflows.controllerServiceAccountName" . }}
{{- with .Values.controller.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.extraInitContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: controller
image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.controller.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag }}"
imagePullPolicy: {{ .Values.images.pullPolicy }}
command: [ "workflow-controller" ]
args:
- "--configmap"
- "{{ template "argo-workflows.controller.config-map.name" . }}"
- "--executor-image"
- "{{- include "argo-workflows.image" (dict "context" . "image" .Values.executor.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.executor.image.tag }}"
- "--loglevel"
- "{{ .Values.controller.logging.level }}"
- "--gloglevel"
- "{{ .Values.controller.logging.globallevel }}"
- "--log-format"
- "{{ .Values.controller.logging.format }}"
{{- if .Values.singleNamespace }}
- "--namespaced"
{{- end }}
{{- with .Values.controller.workflowWorkers }}
- "--workflow-workers"
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.workflowTTLWorkers }}
- "--workflow-ttl-workers"
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.podCleanupWorkers }}
- "--pod-cleanup-workers"
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.cronWorkflowWorkers }}
- "--cron-workflow-workers"
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
{{- toYaml .Values.controller.securityContext | nindent 12 }}
env:
- name: ARGO_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: LEADER_ELECTION_IDENTITY
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
{{- if eq (int .Values.controller.replicas) 1 }}
- name: LEADER_ELECTION_DISABLE
value: "true"
{{- end }}
{{- with .Values.controller.extraEnv }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- with .Values.controller.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: {{ .Values.controller.metricsConfig.portName }}
containerPort: {{ .Values.controller.metricsConfig.port }}
- containerPort: 6060
livenessProbe: {{ .Values.controller.livenessProbe | toYaml | nindent 12 }}
{{- with .Values.controller.extraContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.images.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.volumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.controller.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}

16
opencloud/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{ with .Values.controller.serviceAccount.annotations }}
annotations:
{{- toYaml .| nindent 4 }}
{{- end }}
{{- end }}

47
opencloud/charts/argo-workflows/templates/controller/workflow-controller-service.yaml Normal file
View File

@@ -0,0 +1,47 @@
{{- if or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
{{- with .Values.controller.serviceLabels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.controller.serviceAnnotations }}
annotations:
{{- toYaml . | nindent 4}}
{{- end }}
spec:
ports:
{{- if .Values.controller.metricsConfig.enabled }}
- name: {{ .Values.controller.metricsConfig.servicePortName }}
port: {{ .Values.controller.metricsConfig.servicePort }}
protocol: TCP
targetPort: {{ .Values.controller.metricsConfig.port }}
{{- end }}
{{- if .Values.controller.telemetryConfig.enabled }}
- name: {{ .Values.controller.telemetryConfig.servicePortName }}
port: {{ .Values.controller.telemetryConfig.servicePort }}
protocol: TCP
targetPort: {{ .Values.controller.telemetryConfig.port }}
{{- end }}
selector:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 4 }}
sessionAffinity: None
type: {{ .Values.controller.serviceType }}
{{- if and (eq .Values.controller.serviceType "ClusterIP") .Values.controller.metricsConfig.headlessService }}
clusterIP: None
{{- end }}
{{- if eq .Values.controller.serviceType "LoadBalancer" }}
{{- with .Values.controller.loadBalancerClass }}
loadBalancerClass: {{ . }}
{{- end }}
{{- if .Values.controller.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml .Values.controller.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}

53
opencloud/charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,53 @@
{{- $apiVersion := include "argo-workflows.apiVersions.monitoring" . }}
{{- if and (.Capabilities.APIVersions.Has $apiVersion) (or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled) .Values.controller.serviceMonitor.enabled }}
apiVersion: {{ $apiVersion }}
kind: ServiceMonitor
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ default (include "argo-workflows.namespace" .) .Values.controller.serviceMonitor.namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
{{- if .Values.controller.metricsConfig.enabled }}
- port: {{ .Values.controller.metricsConfig.servicePortName }}
path: {{ .Values.controller.metricsConfig.path }}
interval: {{ .Values.controller.metricsConfig.interval }}
{{- with .Values.controller.metricsConfig.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.metricsConfig.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
honorLabels: {{ .Values.controller.metricsConfig.honorLabels }}
{{- end }}
{{- if .Values.controller.telemetryConfig.enabled }}
- port: telemetry
path: {{ .Values.controller.telemetryConfig.path }}
interval: {{ .Values.controller.telemetryConfig.interval }}
{{- with .Values.controller.metricsConfig.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.metricsConfig.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
honorLabels: {{ .Values.controller.metricsConfig.honorLabels }}
{{- end }}
{{- with .Values.controller.metricsConfig.targetLabels }}
targetLabels:
{{- toYaml . | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "argo-workflows.namespace" . | quote }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
{{- end }}

29
opencloud/charts/argo-workflows/templates/controller/workflow-rb.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.workflow.rbac.create -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "argo-workflows.fullname" $ }}-workflow
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "argo-workflows.fullname" $ }}-workflow
subjects:
- kind: ServiceAccount
name: {{ $.Values.workflow.serviceAccount.name }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- range $.Values.workflow.rbac.serviceAccounts }}
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ .namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

23
opencloud/charts/argo-workflows/templates/controller/workflow-role.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if .Values.workflow.rbac.create -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-workflows.fullname" $ }}-workflow
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
rules:
- apiGroups:
- argoproj.io
resources:
- workflowtaskresults
verbs:
- create
- patch
{{- end }}
{{- end }}

25
opencloud/charts/argo-workflows/templates/controller/workflow-sa.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.workflow.serviceAccount.create -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $.Values.workflow.serviceAccount.name }}
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $.Values.workflow.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- with $.Values.workflow.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $.Values.workflow.serviceAccount.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

47
opencloud/charts/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml Normal file
View File

@@ -0,0 +1,47 @@
{{- if .Values.crds.install }}
{{- if or (.Values.server.clusterWorkflowTemplates.enabled) (.Values.controller.clusterWorkflowTemplates.enabled) }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterworkflowtemplates.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: ClusterWorkflowTemplate
listKind: ClusterWorkflowTemplateList
plural: clusterworkflowtemplates
shortNames:
- clusterwftmpl
- cwft
singular: clusterworkflowtemplate
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}
{{- end }}

49
opencloud/charts/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: cronworkflows.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: CronWorkflow
listKind: CronWorkflowList
plural: cronworkflows
shortNames:
- cwf
- cronwf
singular: cronworkflow
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}

1146
opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

690
opencloud/charts/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml Normal file
View File

@@ -0,0 +1,690 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workfloweventbindings.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowEventBinding
listKind: WorkflowEventBindingList
plural: workfloweventbindings
shortNames:
- wfeb
singular: workfloweventbinding
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
properties:
event:
properties:
selector:
type: string
required:
- selector
type: object
submit:
properties:
arguments:
properties:
artifacts:
items:
properties:
archive:
properties:
none:
type: object
tar:
properties:
compressionLevel:
format: int32
type: integer
type: object
zip:
type: object
type: object
archiveLogs:
type: boolean
artifactGC:
properties:
podMetadata:
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
serviceAccountName:
type: string
strategy:
enum:
- ""
- OnWorkflowCompletion
- OnWorkflowDeletion
- Never
type: string
type: object
artifactory:
properties:
passwordSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
url:
type: string
usernameSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
required:
- url
type: object
azure:
properties:
accountKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
blob:
type: string
container:
type: string
endpoint:
type: string
useSDKCreds:
type: boolean
required:
- blob
- container
- endpoint
type: object
deleted:
type: boolean
from:
type: string
fromExpression:
type: string
gcs:
properties:
bucket:
type: string
key:
type: string
serviceAccountKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
required:
- key
type: object
git:
properties:
branch:
type: string
depth:
format: int64
type: integer
disableSubmodules:
type: boolean
fetch:
items:
type: string
type: array
insecureIgnoreHostKey:
type: boolean
insecureSkipTLS:
type: boolean
passwordSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
repo:
type: string
revision:
type: string
singleBranch:
type: boolean
sshPrivateKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
usernameSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
required:
- repo
type: object
globalName:
type: string
hdfs:
properties:
addresses:
items:
type: string
type: array
dataTransferProtection:
type: string
force:
type: boolean
hdfsUser:
type: string
krbCCacheSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
krbConfigConfigMap:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
krbKeytabSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
krbRealm:
type: string
krbServicePrincipalName:
type: string
krbUsername:
type: string
path:
type: string
required:
- path
type: object
http:
properties:
auth:
properties:
basicAuth:
properties:
passwordSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
usernameSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
clientCert:
properties:
clientCertSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
clientKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
oauth2:
properties:
clientIDSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
clientSecretSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
endpointParams:
items:
properties:
key:
type: string
value:
type: string
required:
- key
type: object
type: array
scopes:
items:
type: string
type: array
tokenURLSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
headers:
items:
properties:
name:
type: string
value:
type: string
required:
- name
- value
type: object
type: array
url:
type: string
required:
- url
type: object
mode:
format: int32
type: integer
name:
type: string
optional:
type: boolean
oss:
properties:
accessKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
bucket:
type: string
createBucketIfNotPresent:
type: boolean
endpoint:
type: string
key:
type: string
lifecycleRule:
properties:
markDeletionAfterDays:
format: int32
type: integer
markInfrequentAccessAfterDays:
format: int32
type: integer
type: object
secretKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
securityToken:
type: string
useSDKCreds:
type: boolean
required:
- key
type: object
path:
type: string
raw:
properties:
data:
type: string
required:
- data
type: object
recurseMode:
type: boolean
s3:
properties:
accessKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
bucket:
type: string
caSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
createBucketIfNotPresent:
properties:
objectLocking:
type: boolean
type: object
encryptionOptions:
properties:
enableEncryption:
type: boolean
kmsEncryptionContext:
type: string
kmsKeyId:
type: string
serverSideCustomerKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
endpoint:
type: string
insecure:
type: boolean
key:
type: string
region:
type: string
roleARN:
type: string
secretKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
sessionTokenSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
useSDKCreds:
type: boolean
type: object
subPath:
type: string
required:
- name
type: object
type: array
parameters:
items:
properties:
default:
type: string
description:
type: string
enum:
items:
type: string
type: array
globalName:
type: string
name:
type: string
value:
type: string
valueFrom:
properties:
configMapKeyRef:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
default:
type: string
event:
type: string
expression:
type: string
jqFilter:
type: string
jsonPath:
type: string
parameter:
type: string
path:
type: string
supplied:
type: object
type: object
required:
- name
type: object
type: array
type: object
metadata:
type: object
workflowTemplateRef:
properties:
clusterScope:
type: boolean
name:
type: string
type: object
required:
- workflowTemplateRef
type: object
required:
- event
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}

64
opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflows.yaml Normal file
View File

@@ -0,0 +1,64 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflows.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: Workflow
listKind: WorkflowList
plural: workflows
shortNames:
- wf
singular: workflow
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Status of the workflow
jsonPath: .status.phase
name: Status
type: string
- description: When the workflow was started
format: date-time
jsonPath: .status.startedAt
name: Age
type: date
- description: Human readable message indicating details about why the workflow
is in this condition.
jsonPath: .status.message
name: Message
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
subresources: {}
{{- end }}

671
opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml Normal file
View File

@@ -0,0 +1,671 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflowtaskresults.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowTaskResult
listKind: WorkflowTaskResultList
plural: workflowtaskresults
singular: workflowtaskresult
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
message:
type: string
metadata:
type: object
outputs:
properties:
artifacts:
items:
properties:
archive:
properties:
none:
type: object
tar:
properties:
compressionLevel:
format: int32
type: integer
type: object
zip:
type: object
type: object
archiveLogs:
type: boolean
artifactGC:
properties:
podMetadata:
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
serviceAccountName:
type: string
strategy:
enum:
- ""
- OnWorkflowCompletion
- OnWorkflowDeletion
- Never
type: string
type: object
artifactory:
properties:
passwordSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
url:
type: string
usernameSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
required:
- url
type: object
azure:
properties:
accountKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
blob:
type: string
container:
type: string
endpoint:
type: string
useSDKCreds:
type: boolean
required:
- blob
- container
- endpoint
type: object
deleted:
type: boolean
from:
type: string
fromExpression:
type: string
gcs:
properties:
bucket:
type: string
key:
type: string
serviceAccountKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
required:
- key
type: object
git:
properties:
branch:
type: string
depth:
format: int64
type: integer
disableSubmodules:
type: boolean
fetch:
items:
type: string
type: array
insecureIgnoreHostKey:
type: boolean
insecureSkipTLS:
type: boolean
passwordSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
repo:
type: string
revision:
type: string
singleBranch:
type: boolean
sshPrivateKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
usernameSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
required:
- repo
type: object
globalName:
type: string
hdfs:
properties:
addresses:
items:
type: string
type: array
dataTransferProtection:
type: string
force:
type: boolean
hdfsUser:
type: string
krbCCacheSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
krbConfigConfigMap:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
krbKeytabSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
krbRealm:
type: string
krbServicePrincipalName:
type: string
krbUsername:
type: string
path:
type: string
required:
- path
type: object
http:
properties:
auth:
properties:
basicAuth:
properties:
passwordSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
usernameSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
clientCert:
properties:
clientCertSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
clientKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
oauth2:
properties:
clientIDSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
clientSecretSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
endpointParams:
items:
properties:
key:
type: string
value:
type: string
required:
- key
type: object
type: array
scopes:
items:
type: string
type: array
tokenURLSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
headers:
items:
properties:
name:
type: string
value:
type: string
required:
- name
- value
type: object
type: array
url:
type: string
required:
- url
type: object
mode:
format: int32
type: integer
name:
type: string
optional:
type: boolean
oss:
properties:
accessKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
bucket:
type: string
createBucketIfNotPresent:
type: boolean
endpoint:
type: string
key:
type: string
lifecycleRule:
properties:
markDeletionAfterDays:
format: int32
type: integer
markInfrequentAccessAfterDays:
format: int32
type: integer
type: object
secretKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
securityToken:
type: string
useSDKCreds:
type: boolean
required:
- key
type: object
path:
type: string
raw:
properties:
data:
type: string
required:
- data
type: object
recurseMode:
type: boolean
s3:
properties:
accessKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
bucket:
type: string
caSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
createBucketIfNotPresent:
properties:
objectLocking:
type: boolean
type: object
encryptionOptions:
properties:
enableEncryption:
type: boolean
kmsEncryptionContext:
type: string
kmsKeyId:
type: string
serverSideCustomerKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
endpoint:
type: string
insecure:
type: boolean
key:
type: string
region:
type: string
roleARN:
type: string
secretKeySecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
sessionTokenSecret:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
useSDKCreds:
type: boolean
type: object
subPath:
type: string
required:
- name
type: object
type: array
exitCode:
type: string
parameters:
items:
properties:
default:
type: string
description:
type: string
enum:
items:
type: string
type: array
globalName:
type: string
name:
type: string
value:
type: string
valueFrom:
properties:
configMapKeyRef:
properties:
key:
type: string
name:
default: ""
type: string
optional:
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
default:
type: string
event:
type: string
expression:
type: string
jqFilter:
type: string
jsonPath:
type: string
parameter:
type: string
path:
type: string
supplied:
type: object
type: object
required:
- name
type: object
type: array
result:
type: string
type: object
phase:
type: string
progress:
type: string
required:
- metadata
type: object
served: true
storage: true
{{- end }}

50
opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflowtasksets.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowTaskSet
listKind: WorkflowTaskSetList
plural: workflowtasksets
shortNames:
- wfts
singular: workflowtaskset
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}

44
opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflowtemplates.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowTemplate
listKind: WorkflowTemplateList
plural: workflowtemplates
shortNames:
- wftmpl
singular: workflowtemplate
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}

8
opencloud/charts/argo-workflows/templates/extra-manifests.yaml Normal file
View File

@@ -0,0 +1,8 @@
{{ range .Values.extraObjects }}
---
{{ if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}

11
opencloud/charts/argo-workflows/templates/server/gke/backendconfig.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if .Values.server.GKEbackendConfig.enabled }}
apiVersion: {{ include "argo-workflows.apiVersions.cloudgoogle" . }}
kind: BackendConfig
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
{{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }}
{{- end }}

11
opencloud/charts/argo-workflows/templates/server/gke/frontendconfig.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if .Values.server.GKEfrontendConfig.enabled }}
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
{{- toYaml .Values.server.GKEfrontendConfig.spec | nindent 2 }}
{{- end }}

12
opencloud/charts/argo-workflows/templates/server/gke/managedcertificate.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if .Values.server.GKEmanagedCertificate.enabled }}
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
spec:
domains:
{{- with .Values.server.GKEmanagedCertificate.domains }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

145
opencloud/charts/argo-workflows/templates/server/server-cluster-roles.yaml Normal file
View File

@@ -0,0 +1,145 @@
{{- if and .Values.server.enabled .Values.server.rbac.create}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- events
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- delete
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
{{- if .Values.server.sso.enabled }}
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- sso
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
{{- if .Values.server.sso.rbac.enabled }}
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- watch
{{- end }}
{{- end }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{{- if and .Values.server.sso.enabled .Values.server.sso.rbac.enabled }}
{{- with .Values.server.sso.rbac.secretWhitelist }}
resourceNames: {{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
- apiGroups:
- ""
resources:
- events
verbs:
- watch
- create
- patch
{{- if .Values.controller.persistence }}
- apiGroups:
- ""
resources:
- secrets
resourceNames:
{{- with .Values.controller.persistence.postgresql }}
- {{ .userNameSecret.name }}
- {{ .passwordSecret.name }}
{{- end}}
{{- with .Values.controller.persistence.mysql }}
- {{ .userNameSecret.name }}
- {{ .passwordSecret.name }}
{{- end}}
verbs:
- get
{{- end}}
- apiGroups:
- argoproj.io
resources:
- eventsources
- sensors
- workflows
- workfloweventbindings
- workflowtemplates
- cronworkflows
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
{{- if and .Values.server.clusterWorkflowTemplates.enabled (not .Values.singleNamespace) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- clusterworkflowtemplates
verbs:
- get
- list
- watch
{{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
- create
- update
- patch
- delete
{{- end }}
{{- end }}
{{- end }}

45
opencloud/charts/argo-workflows/templates/server/server-crb.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if and .Values.server.enabled .Values.server.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: RoleBinding
{{ else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if .Values.singleNamespace }}
kind: Role
{{ else }}
kind: ClusterRole
{{- end }}
name: {{ template "argo-workflows.server.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- if .Values.server.clusterWorkflowTemplates.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- end -}}
{{- end -}}

45
opencloud/charts/argo-workflows/templates/server/server-deployment-hpa.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if and .Values.server.enabled .Values.server.autoscaling.enabled }}
apiVersion: {{ include "argo-workflows.apiVersion.autoscaling" . }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "argo-workflows.server.fullname" . }}
minReplicas: {{ .Values.server.autoscaling.minReplicas }}
maxReplicas: {{ .Values.server.autoscaling.maxReplicas }}
metrics:
{{- with .Values.server.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
{{- if eq (include "argo-workflows.apiVersion.autoscaling" $) "autoscaling/v2beta1" }}
targetAverageUtilization: {{ . }}
{{- else }}
target:
averageUtilization: {{ . }}
type: Utilization
{{- end }}
{{- end }}
{{- with .Values.server.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
{{- if eq (include "argo-workflows.apiVersion.autoscaling" $) "autoscaling/v2beta1" }}
targetAverageUtilization: {{ . }}
{{- else }}
target:
averageUtilization: {{ . }}
type: Utilization
{{- end }}
{{- end }}
{{- with .Values.server.autoscaling.behavior }}
behavior:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

20
opencloud/charts/argo-workflows/templates/server/server-deployment-pdb.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if and .Values.server.enabled .Values.server.pdb.enabled -}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
{{- if .Values.server.pdb.minAvailable }}
minAvailable: {{ .Values.server.pdb.minAvailable }}
{{- else if .Values.server.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.server.pdb.maxUnavailable }}
{{- else }}
minAvailable: 0
{{- end }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
{{- end -}}

157
opencloud/charts/argo-workflows/templates/server/server-deployment.yaml Normal file
View File

@@ -0,0 +1,157 @@
{{- if .Values.server.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
{{- with .Values.server.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.server.autoscaling.enabled }}
replicas: {{ .Values.server.replicas }}
{{- end }}
revisionHistoryLimit: {{ .Values.server.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
template:
metadata:
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }}
app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
{{- with .Values.server.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "argo-workflows.serverServiceAccountName" . }}
{{- with .Values.server.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.extraInitContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: argo-server
image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.server.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag }}"
imagePullPolicy: {{ .Values.images.pullPolicy }}
securityContext:
{{- toYaml .Values.server.securityContext | nindent 12 }}
args:
- server
- --configmap={{ template "argo-workflows.controller.config-map.name" . }}
{{- with .Values.server.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.server.authMode }}
- "--auth-mode={{ .Values.server.authMode }}"
{{- end }}
{{- range .Values.server.authModes }}
- "--auth-mode={{ . }}"
{{- end }}
- "--secure={{ .Values.server.secure }}"
{{- if .Values.singleNamespace }}
- "--namespaced"
{{- end }}
- "--loglevel"
- "{{ .Values.server.logging.level }}"
- "--gloglevel"
- "{{ .Values.server.logging.globallevel }}"
- "--log-format"
- "{{ .Values.server.logging.format }}"
ports:
- name: web
containerPort: 2746
readinessProbe:
httpGet:
path: /
port: 2746
{{- if .Values.server.secure }}
scheme: HTTPS
{{- else }}
scheme: HTTP
{{- end }}
initialDelaySeconds: 10
periodSeconds: 20
env:
- name: IN_CLUSTER
value: "true"
- name: ARGO_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: ARGO_BASE_HREF
value: {{ .Values.server.baseHref | quote }}
{{- with .Values.server.extraEnv }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.server.resources | nindent 12 }}
volumeMounts:
- name: tmp
mountPath: /tmp
{{- with .Values.server.volumeMounts }}
{{- toYaml . | nindent 10}}
{{- end }}
{{- with .Values.server.lifecycle }}
lifecycle:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.server.extraContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ . }}
{{- end }}
{{- with .Values.images.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: tmp
{{- toYaml .Values.server.tmpVolume | nindent 8 }}
{{- with .Values.server.volumes }}
{{- toYaml . | nindent 6}}
{{- end }}
{{- with .Values.server.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.server.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.server.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- end -}}

90
opencloud/charts/argo-workflows/templates/server/server-ingress.yaml Normal file
View File

@@ -0,0 +1,90 @@
{{- if .Values.server.ingress.enabled -}}
{{- $serviceName := include "argo-workflows.server.fullname" . -}}
{{- $servicePort := .Values.server.servicePort -}}
{{- $paths := .Values.server.ingress.paths -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $pathType := .Values.server.ingress.pathType -}}
apiVersion: {{ include "argo-workflows.ingress.apiVersion" . }}
kind: Ingress
metadata:
{{- if .Values.server.ingress.annotations }}
annotations:
{{- range $key, $value := .Values.server.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- if .Values.server.ingress.labels }}
{{- toYaml .Values.server.ingress.labels | nindent 4 }}
{{- end }}
spec:
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
{{- with .Values.server.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
{{- end }}
rules:
{{- if .Values.server.ingress.hosts }}
{{- range $host := .Values.server.ingress.hosts }}
- host: {{ $host }}
http:
paths:
{{- if $extraPaths }}
{{- toYaml $extraPaths | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
pathType: {{ $pathType }}
{{- end }}
backend:
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
service:
name: {{ $serviceName }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- else }}
- http:
paths:
{{- if $extraPaths }}
{{- toYaml $extraPaths | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
pathType: {{ $pathType }}
{{- end }}
backend:
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
service:
name: {{ $serviceName }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- if .Values.server.ingress.tls }}
tls:
{{- toYaml .Values.server.ingress.tls | nindent 4 }}
{{- end -}}
{{- end -}}

16
opencloud/charts/argo-workflows/templates/server/server-sa.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.server.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

43
opencloud/charts/argo-workflows/templates/server/server-service.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- if .Values.server.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
{{- with .Values.server.serviceLabels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.server.serviceAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.server.servicePort }}
{{- with .Values.server.servicePortName }}
name: {{ . }}
{{- end }}
targetPort: 2746
{{- if and (eq .Values.server.serviceType "NodePort") .Values.server.serviceNodePort }}
nodePort: {{ .Values.server.serviceNodePort }}
{{- end }}
selector:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
sessionAffinity: None
type: {{ .Values.server.serviceType }}
{{- if eq .Values.server.serviceType "LoadBalancer" }}
{{- with .Values.controller.loadBalancerClass }}
loadBalancerClass: {{ . }}
{{- end }}
{{- with .Values.server.loadBalancerIP }}
loadBalancerIP: {{ . | quote }}
{{- end }}
{{- if .Values.server.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml .Values.server.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}

943
opencloud/charts/argo-workflows/values.yaml Normal file
View File

@@ -0,0 +1,943 @@
images:
# -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`.
tag: ""
# -- imagePullPolicy to apply to all containers
pullPolicy: Always
# -- Secrets with credentials to pull images from a private registry
pullSecrets: []
# - name: argo-pull-secret
## Custom resource configuration
crds:
# -- Install and upgrade CRDs
install: true
# -- Keep CRDs on chart uninstall
keep: true
# -- Annotations to be added to all CRDs
annotations: {}
# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
createAggregateRoles: true
# -- String to partially override "argo-workflows.fullname" template
nameOverride:
# -- String to fully override "argo-workflows.fullname" template
fullnameOverride:
# -- Override the namespace
# @default -- `.Release.Namespace`
namespaceOverride: ""
# -- Labels to set on all resources
commonLabels: {}
# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""
# Override APIVersions
apiVersionOverrides:
# -- String to override apiVersion of autoscaling rendered by this helm chart
autoscaling: "" # autoscaling/v2
# -- String to override apiVersion of GKE resources rendered by this helm chart
cloudgoogle: "" # cloud.google.com/v1
# -- String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart
monitoring: "" # monitoring.coreos.com/v1
# -- Restrict Argo to operate only in a single namespace (the namespace of the
# Helm release) by apply Roles and RoleBindings instead of the Cluster
# equivalents, and start workflow-controller with the --namespaced flag. Use it
# in clusters with strict access policy.
singleNamespace: false
workflow:
# -- Deprecated; use controller.workflowNamespaces instead.
namespace:
serviceAccount:
# -- Specifies whether a service account should be created
create: false
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Service account which is used to run workflows
name: "argo-workflow"
# -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
pullSecrets: []
rbac:
# -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
# A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
create: true
# -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
agentPermissions: false
# -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
artifactGC: false
# -- Extra service accounts to be added to the RoleBinding
serviceAccounts: []
# - name: my-service-account
# namespace: my-namespace
controller:
image:
# -- Registry to use for the controller
registry: quay.io
# -- Registry to use for the controller
repository: argoproj/workflow-controller
# -- Image tag for the workflow controller. Defaults to `.Values.images.tag`.
tag: ""
# -- parallelism dictates how many workflows can be running at the same time
parallelism:
# -- Globally limits the rate at which pods are created.
# This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of
# parallel nodes.
resourceRateLimit: {}
# limit: 10
# burst: 1
rbac:
# -- Adds Role and RoleBinding for the controller.
create: true
# -- Allows controller to get, list, and watch certain k8s secrets
secretWhitelist: []
# -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
accessAllSecrets: false
# -- Allows controller to create and update ConfigMaps. Enables memoization feature
writeConfigMaps: false
configMap:
# -- Create a ConfigMap for the controller
create: true
# -- ConfigMap name
name: ""
# -- ConfigMap annotations
annotations: {}
# -- Limits the maximum number of incomplete workflows in a namespace
namespaceParallelism:
# -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
initialDelay:
# -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment
deploymentAnnotations: {}
# -- podAnnotations is an optional map of annotations to be applied to the controller Pods
podAnnotations: {}
# -- Optional labels to add to the controller pods
podLabels: {}
# -- SecurityContext to set on the controller pods
podSecurityContext: {}
# podPortName: http
metricsConfig:
# -- Enables prometheus metrics server
enabled: false
# -- Path is the path where metrics are emitted. Must start with a "/".
path: /metrics
# -- Frequency at which prometheus scrapes metrics
interval: 30s
# -- Port is the port where metrics are emitted
port: 9090
# -- How often custom metrics are cleared from memory
metricsTTL: ""
# -- Flag that instructs prometheus to ignore metric emission errors.
ignoreErrors: false
# -- Flag that use a self-signed cert for TLS
secure: false
# -- Container metrics port name
portName: metrics
# -- Service metrics port
servicePort: 8080
# -- Service metrics port name
servicePortName: metrics
# -- Flag to enable headless service
headlessService: false
# -- When true, honorLabels preserves the metrics labels when they collide with the targets labels.
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#honorlabels
honorLabels: false
# -- ServiceMonitor relabel configs to apply to samples before scraping
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
relabelings: []
# -- ServiceMonitor metric relabel configs to apply to samples before ingestion
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
metricRelabelings: []
# -- ServiceMonitor will add labels from the service to the Prometheus metric
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
targetLabels: []
# -- the controller container's securityContext
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
persistence: {}
# connectionPool:
# maxIdleConns: 100
# maxOpenConns: 0
# # save the entire workflow into etcd and DB
# nodeStatusOffLoad: false
# # enable archiving of old workflows
# archive: false
# postgresql:
# host: localhost
# port: 5432
# database: postgres
# tableName: argo_workflows
# # the database secrets must be in the same namespace of the controller
# userNameSecret:
# name: argo-postgres-config
# key: username
# passwordSecret:
# name: argo-postgres-config
# key: password
# ssl: true
# # sslMode must be one of: disable, require, verify-ca, verify-full
# # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
# sslMode: require
# mysql:
# host: localhost
# port: 3306
# database: argo
# tableName: argo_workflows
# userNameSecret:
# name: argo-mysql-config
# key: username
# passwordSecret:
# name: argo-mysql-config
# key: password
# -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
# Only valid for 2.7+
## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
workflowDefaults: {}
# spec:
# ttlStrategy:
# secondsAfterCompletion: 86400
# # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
# artifactRepositoryRef:
# configMap: my-artifact-repository # default is "artifact-repositories"
# key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
# -- Number of workflow workers
workflowWorkers: # 32
# -- Number of workflow TTL workers
workflowTTLWorkers: # 4
# -- Number of pod cleanup workers
podCleanupWorkers: # 4
# -- Number of cron workflow workers
# Only valid for 3.5+
cronWorkflowWorkers: # 8
# -- Restricts the Workflows that the controller will process.
# Only valid for 2.9+
workflowRestrictions: {}
# templateReferencing: Strict|Secure
# telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint
# as metrics by default, but can be overridden using this config.
telemetryConfig:
# -- Enables prometheus telemetry server
enabled: false
# -- telemetry path
path: /telemetry
# -- Frequency at which prometheus scrapes telemetry data
interval: 30s
# -- telemetry container port
port: 8081
# -- How often custom metrics are cleared from memory
metricsTTL: ""
# -- Flag that instructs prometheus to ignore metric emission errors.
ignoreErrors: false
# -- Flag that use a self-signed cert for TLS
secure: false
# -- telemetry service port
servicePort: 8081
# -- telemetry service port name
servicePortName: telemetry
serviceMonitor:
# -- Enable a prometheus ServiceMonitor
enabled: false
# -- Prometheus ServiceMonitor labels
additionalLabels: {}
# -- Prometheus ServiceMonitor namespace
namespace: "" # "monitoring"
serviceAccount:
# -- Create a service account for the controller
create: true
# -- Service account name
name: ""
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Workflow controller name string
name: workflow-controller
# -- Specify all namespaces where this workflow controller instance will manage
# workflows. This controls where the service account and RBAC resources will
# be created. Only valid when singleNamespace is false.
workflowNamespaces:
- default
instanceID:
# -- Configures the controller to filter workflow submissions
# to only those which have a matching instanceID attribute.
## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
## or `instanceID.explicitID` must be defined.
enabled: false
# -- Use ReleaseName as instanceID
useReleaseName: false
# useReleaseName: true
# -- Use a custom instanceID
explicitID: ""
# explicitID: unique-argo-controller-identifier
logging:
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
level: info
# -- Set the glog logging level
globallevel: "0"
# -- Set the logging format (one of: `text`, `json`)
format: "text"
# -- Service type of the controller Service
serviceType: ClusterIP
# -- Annotations to be applied to the controller Service
serviceAnnotations: {}
# -- Optional labels to add to the controller Service
serviceLabels: {}
# -- The class of the load balancer implementation
loadBalancerClass: ""
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
loadBalancerSourceRanges: []
# -- Resource limits and requests for the controller
resources: {}
# -- Configure liveness [probe] for the controller
# @default -- See [values.yaml]
livenessProbe:
httpGet:
port: 6060
path: /healthz
failureThreshold: 3
initialDelaySeconds: 90
periodSeconds: 60
timeoutSeconds: 30
# -- Extra environment variables to provide to the controller container
extraEnv: []
# - name: FOO
# value: "bar"
# -- Extra arguments to be added to the controller
extraArgs: []
# -- Additional volume mounts to the controller main container
volumeMounts: []
# -- Additional volumes to the controller pod
volumes: []
# -- The number of controller pods to run
replicas: 1
# -- The number of revisions to keep.
revisionHistoryLimit: 10
pdb:
# -- Configure [Pod Disruption Budget] for the controller pods
enabled: false
# minAvailable: 1
# maxUnavailable: 1
# -- [Node selector]
nodeSelector:
kubernetes.io/os: linux
# -- [Tolerations] for use with node taints
tolerations: []
# -- Assign custom [affinity] rules
affinity: {}
# -- Assign custom [TopologySpreadConstraints] rules to the workflow controller
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# -- Leverage a PriorityClass to ensure your pods survive resource shortages.
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
# -- Configure Argo Server to show custom [links]
## Ref: https://argo-workflows.readthedocs.io/en/stable/links/
links: []
# -- Configure Argo Server to show custom [columns]
## Ref: https://github.com/argoproj/argo-workflows/pull/10693
columns: []
# -- Set ui navigation bar background color
navColor: ""
clusterWorkflowTemplates:
# -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
enabled: true
# -- Extra service accounts to be added to the ClusterRoleBinding
serviceAccounts: []
# - name: my-service-account
# namespace: my-namespace
# -- Extra containers to be added to the controller deployment
extraContainers: []
# -- Enables init containers to be added to the controller deployment
extraInitContainers: []
# -- Workflow retention by number of workflows
retentionPolicy: {}
# completed: 10
# failed: 3
# errored: 3
nodeEvents:
# -- Enable to emit events on node completion.
## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events:
## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
enabled: true
workflowEvents:
# -- Enable to emit events on workflow status changes.
## This can take up a lot of space in k8s (typically etcd), resulting in errors when trying to create new events:
## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
enabled: true
# -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads,
# or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret.
# @default -- `{}` (See [values.yaml])
kubeConfig: {}
# # name of the kubeconfig secret, may not be empty when kubeConfig specified
# secretName: kubeconfig-secret
# # key of the kubeconfig secret, may not be empty when kubeConfig specified
# secretKey: kubeconfig
# # mounting path of the kubeconfig secret, default to /kube/config
# mountPath: /kubeconfig/mount/path
# # volume name when mounting the secret, default to kubeconfig
# volumeName: kube-config-volume
# -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately.
# @default -- `30` seconds (Kubernetes default)
podGCGracePeriodSeconds:
# -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately.
# @default -- `5s` (Argo Workflows default)
podGCDeleteDelayDuration: ""
# mainContainer adds default config for main container that could be overriden in workflows template
mainContainer:
# -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
imagePullPolicy: ""
# -- Resource limits and requests for the Workflow main container
resources: {}
# -- Adds environment variables for the Workflow main container
env: []
# -- Adds reference environment variables for the Workflow main container
envFrom: []
# -- sets security context for the Workflow main container
securityContext: {}
# executor controls how the init and wait container should be customized
executor:
image:
# -- Registry to use for the Workflow Executors
registry: quay.io
# -- Repository to use for the Workflow Executors
repository: argoproj/argoexec
# -- Image tag for the workflow executor. Defaults to `.Values.images.tag`.
tag: ""
# -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`.
pullPolicy: ""
# -- Resource limits and requests for the Workflow Executors
resources: {}
# -- Passes arguments to the executor processes
args: []
# -- Adds environment variables for the executor.
env: []
# -- sets security context for the executor container
securityContext: {}
server:
# -- Deploy the Argo Server
enabled: true
# -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
## only updates base url of resources on client side,
## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
baseHref: /
image:
# -- Registry to use for the server
registry: quay.io
# -- Repository to use for the server
repository: argoproj/argocli
# -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
tag: ""
# -- optional map of annotations to be applied to the ui Deployment
deploymentAnnotations: {}
# -- optional map of annotations to be applied to the ui Pods
podAnnotations: {}
# -- Optional labels to add to the UI pods
podLabels: {}
# -- SecurityContext to set on the server pods
podSecurityContext: {}
rbac:
# -- Adds Role and RoleBinding for the server.
create: true
# -- Servers container-level security context
securityContext:
readOnlyRootFilesystem: false
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# -- Server name string
name: server
# -- Service type for server pods
serviceType: ClusterIP
# -- Service port for server
servicePort: 2746
# -- Service node port
serviceNodePort: # 32746
# -- Service port name
servicePortName: "" # http
# -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
hostAliases: []
# - ip: 10.20.30.40
# hostnames:
# - git.myhostname
serviceAccount:
# -- Create a service account for the server
create: true
# -- Service account name
name: ""
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Annotations to be applied to the UI Service
serviceAnnotations: {}
# -- Optional labels to add to the UI Service
serviceLabels: {}
# -- The class of the load balancer implementation
loadBalancerClass: ""
# -- Static IP address to assign to loadBalancer service type `LoadBalancer`
loadBalancerIP: ""
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
loadBalancerSourceRanges: []
# -- Resource limits and requests for the server
resources: {}
# -- The number of server pods to run
replicas: 1
# -- The number of revisions to keep.
revisionHistoryLimit: 10
## Argo Server Horizontal Pod Autoscaler
autoscaling:
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
enabled: false
# -- Minimum number of replicas for the Argo Server [HPA]
minReplicas: 1
# -- Maximum number of replicas for the Argo Server [HPA]
maxReplicas: 5
# -- Average CPU utilization percentage for the Argo Server [HPA]
targetCPUUtilizationPercentage: 50
# -- Average memory utilization percentage for the Argo Server [HPA]
targetMemoryUtilizationPercentage: 50
# -- Configures the scaling behavior of the target in both Up and Down directions.
# This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
behavior: {}
# scaleDown:
# stabilizationWindowSeconds: 300
# policies:
# - type: Pods
# value: 1
# periodSeconds: 180
# scaleUp:
# stabilizationWindowSeconds: 300
# policies:
# - type: Pods
# value: 2
pdb:
# -- Configure [Pod Disruption Budget] for the server pods
enabled: false
# minAvailable: 1
# maxUnavailable: 1
# -- [Node selector]
nodeSelector:
kubernetes.io/os: linux
# -- [Tolerations] for use with node taints
tolerations: []
# -- Assign custom [affinity] rules
affinity: {}
# -- Assign custom [TopologySpreadConstraints] rules to the argo server
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# -- Leverage a PriorityClass to ensure your pods survive resource shortages
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
# -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs.
## See the following documentation for more details on secure mode:
## https://argo-workflows.readthedocs.io/en/stable/tls/
secure: false
# -- Extra environment variables to provide to the argo-server container
extraEnv: []
# - name: FOO
# value: "bar"
# -- Deprecated; use server.authModes instead.
authMode: ""
# -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
authModes: []
# -- Extra arguments to provide to the Argo server binary.
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options
extraArgs: []
logging:
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
level: info
# -- Set the glog logging level
globallevel: "0"
# -- Set the logging format (one of: `text`, `json`)
format: "text"
# -- Volume to be mounted in Pods for temporary files.
tmpVolume:
emptyDir: {}
# -- Additional volume mounts to the server main container.
volumeMounts: []
# -- Additional volumes to the server pod.
volumes: []
## Ingress configuration.
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
# -- Enable an ingress resource
enabled: false
# -- Additional ingress annotations
annotations: {}
# -- Additional ingress labels
labels: {}
# -- Defines which ingress controller will implement the resource
ingressClassName: ""
# -- List of ingress hosts
## Hostnames must be provided if Ingress is enabled.
## Secrets must be manually created in the namespace
hosts: []
# - argoworkflows.example.com
# -- List of ingress paths
paths:
- /
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- Additional ingress paths
extraPaths: []
# - path: /*
# backend:
# serviceName: ssl-redirect
# servicePort: use-annotation
## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
# - path: /*
# pathType: Prefix
# backend:
# service
# name: ssl-redirect
# port:
# name: use-annotation
# -- Ingress TLS configuration
tls: []
# - secretName: argoworkflows-example-tls
# hosts:
# - argoworkflows.example.com
## Create a Google Backendconfig for use with the GKE Ingress Controller
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
GKEbackendConfig:
# -- Enable BackendConfig custom resource for Google Kubernetes Engine
enabled: false
# -- [BackendConfigSpec]
spec: {}
# spec:
# iap:
# enabled: true
# oauthclientCredentials:
# secretName: argoworkflows-secret
## Create a Google Managed Certificate for use with the GKE Ingress Controller
## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
GKEmanagedCertificate:
# -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
enabled: false
# -- Domains for the Google Managed Certificate
domains:
- argoworkflows.example.com
## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
GKEfrontendConfig:
# -- Enable FrontConfig custom resource for Google Kubernetes Engine
enabled: false
# -- [FrontendConfigSpec]
spec: {}
# spec:
# redirectToHttps:
# enabled: true
# responseCodeName: RESPONSE_CODE
clusterWorkflowTemplates:
# -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
enabled: true
# -- Give the server permissions to edit ClusterWorkflowTemplates.
enableEditing: true
# SSO configuration when SSO is specified as a server auth mode.
sso:
# -- Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`.
enabled: false
# -- The root URL of the OIDC identity provider
issuer: https://accounts.google.com
clientId:
# -- Name of secret to retrieve the app OIDC client ID
name: argo-server-sso
# -- Key of secret to retrieve the app OIDC client ID
key: client-id
clientSecret:
# -- Name of a secret to retrieve the app OIDC client secret
name: argo-server-sso
# -- Key of a secret to retrieve the app OIDC client secret
key: client-secret
# -- The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
redirectUrl: ""
rbac:
# -- Adds ServiceAccount Policy to server (Cluster)Role.
enabled: true
# -- Whitelist to allow server to fetch Secrets
## When present, restricts secrets the server can read to a given list.
## You can use it to restrict the server to only be able to access the
## service account token secrets that are associated with service accounts
## used for authorization.
secretWhitelist: []
# -- Scopes requested from the SSO ID provider
## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
scopes: []
# - groups
# -- Define how long your login is valid for (in hours)
## If omitted, defaults to 10h.
sessionExpiry: ""
# -- Alternate root URLs that can be included for some OIDC providers
issuerAlias: ""
# -- Override claim name for OIDC groups
customGroupClaimName: ""
# -- Specify the user info endpoint that contains the groups claim
## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
userInfoPath: ""
# -- Skip TLS verification for the HTTP client
insecureSkipVerify: false
# -- Filter the groups returned by the OIDC provider
## A logical "OR" is used between each regex in the list
filterGroupsRegex: []
# - ".*argo-wf.*"
# - ".*argo-workflow.*"
# -- Extra containers to be added to the server deployment
extraContainers: []
# -- Enables init containers to be added to the server deployment
extraInitContainers: []
# -- Specify postStart and preStop lifecycle hooks for server container
lifecycle: {}
# -- terminationGracePeriodSeconds for container lifecycle hook
terminationGracePeriodSeconds: 30
# -- Array of extra K8s manifests to deploy
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
# kind: SecretProviderClass
# metadata:
# name: argo-server-sso
# spec:
# provider: aws
# parameters:
# objects: |
# - objectName: "argo/server/sso"
# objectType: "secretsmanager"
# jmesPath:
# - path: "client_id"
# objectAlias: "client_id"
# - path: "client_secret"
# objectAlias: "client_secret"
# secretObjects:
# - data:
# - key: client_id
# objectName: client_id
# - key: client_secret
# objectName: client_secret
# secretName: argo-server-sso-secrets-store
# type: Opaque
# -- Use static credentials for S3 (eg. when not using AWS IRSA)
useStaticCredentials: true
artifactRepository:
# -- Archive the main container logs as an artifact
archiveLogs: false
# -- Store artifact in a S3-compliant object store
# @default -- See [values.yaml]
s3: {}
# # Note the `key` attribute is not the actual secret, it's the PATH to
# # the contents in the associated secret, as defined by the `name` attribute.
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# sessionTokenSecret:
# name: "{{ .Release.Name }}-minio"
# key: sessionToken
# # insecure will disable TLS. Primarily used for minio installs not configured with TLS
# insecure: false
# caSecret:
# name: ca-root
# key: cert.pem
# bucket:
# endpoint:
# region:
# roleARN:
# useSDKCreds: true
# encryptionOptions:
# enableEncryption: true
# -- Store artifact in a GCS object store
# @default -- `{}` (See [values.yaml])
gcs: {}
# bucket: <project>-argo
# keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}"
# # serviceAccountKeySecret is a secret selector.
# # It references the k8s secret named 'my-gcs-credentials'.
# # This secret is expected to have have the key 'serviceAccountKey',
# # containing the base64 encoded credentials
# # to the bucket.
# #
# # If it's running on GKE and Workload Identity is used,
# # serviceAccountKeySecret is not needed.
# serviceAccountKeySecret:
# name: my-gcs-credentials
# key: serviceAccountKey
# -- Store artifact in Azure Blob Storage
# @default -- `{}` (See [values.yaml])
azure: {}
# endpoint: https://mystorageaccountname.blob.core.windows.net
# container: my-container-name
# blobNameFormat: path/in/container
# # accountKeySecret is a secret selector.
# # It references the k8s secret named 'my-azure-storage-credentials'.
# # This secret is expected to have have the key 'account-access-key',
# # containing the base64 encoded credentials to the storage account.
# # If a managed identity has been assigned to the machines running the
# # workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
# # then accountKeySecret is not needed, and useSDKCreds should be
# # set to true instead:
# useSDKCreds: true
# accountKeySecret:
# name: my-azure-storage-credentials
# key: account-access-key
# -- The section of custom artifact repository.
# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
customArtifactRepository: {}
# artifactory:
# repoUrl: https://artifactory.example.com/raw
# usernameSecret:
# name: artifactory-creds
# key: username
# passwordSecret:
# name: artifactory-creds
# key: password
# -- The section of [artifact repository ref](https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/).
# Each map key is the name of configmap
# @default -- `{}` (See [values.yaml])
artifactRepositoryRef: {}
# # -- 1st ConfigMap
# # If you want to use this config map by default, name it "artifact-repositories".
# # Otherwise, you can provide a reference to a
# # different config map in `artifactRepositoryRef.configMap`.
# artifact-repositories:
# # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
# annotations:
# workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
# # 1st data of configmap. See above artifactRepository or customArtifactRepository.
# default-v1-s3-artifact-repository:
# archiveLogs: false
# s3:
# bucket: my-bucket
# endpoint: minio:9000
# insecure: true
# accessKeySecret:
# name: my-minio-cred
# key: accesskey
# secretKeySecret:
# name: my-minio-cred
# key: secretkey
# # 2nd data
# oss-artifact-repository:
# archiveLogs: false
# oss:
# endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
# bucket: $mybucket
# # accessKeySecret and secretKeySecret are secret selectors.
# # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
# # This secret is expected to have have the keys 'accessKey'
# # and 'secretKey', containing the base64 encoded credentials
# # to the bucket.
# accessKeySecret:
# name: $mybucket-credentials
# key: accessKey
# secretKeySecret:
# name: $mybucket-credentials
# key: secretKey
# # 2nd ConfigMap
# another-artifact-repositories:
# annotations:
# workflows.argoproj.io/default-artifact-repository: gcs
# gcs:
# bucket: my-bucket
# keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
# serviceAccountKeySecret:
# name: my-gcs-credentials
# key: serviceAccountKey
emissary:
# -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
## See more: https://argo-workflows.readthedocs.io/en/stable/workflow-executors/#emissary-emissary
images: []
# argoproj/argosay:v2:
# cmd: [/argosay]
# docker/whalesay:latest:
# cmd: [/bin/bash]

22
opencloud/charts/docker-registry-ui/.helmignore Normal file
View File

@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

30
opencloud/charts/docker-registry-ui/Chart.yaml Normal file
View File

@@ -0,0 +1,30 @@
annotations:
artifacthub.io/images: |
- name: docker-registry-ui
image: joxit/docker-registry-ui:2.5.2
- name: registry
image: registry:2.8.2
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Documentation
url: https://joxit.dev/docker-registry-ui
- name: Joxit/docker-registry-ui
url: https://github.com/Joxit/docker-registry-ui
- name: Joxit/helm-charts
url: https://github.com/Joxit/helm-charts
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 2.5.2
description: The simplest and most complete UI for your private registry
home: https://github.com/Joxit/docker-registry-ui
keywords:
- docker
- registry
- user-interface
- interface
kubeVersion: '>=1.19.0-0'
name: docker-registry-ui
sources:
- https://github.com/Joxit/docker-registry-ui
- https://github.com/Joxit/helm-charts
version: 1.1.3

140
opencloud/charts/docker-registry-ui/README.md Normal file
View File

@@ -0,0 +1,140 @@
# Docker Registry UI Chart
[![Stars](https://img.shields.io/github/stars/joxit/docker-registry-ui.svg?logo=github&maxAge=86400)](https://github.com/Joxit/docker-registry-ui/stargazers)
[![Pulls](https://img.shields.io/docker/pulls/joxit/docker-registry-ui.svg?maxAge=86400)](https://hub.docker.com/r/joxit/docker-registry-ui)
[![Sponsor](https://joxit.dev/images/sponsor.svg)](https://github.com/sponsors/Joxit)
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/joxit)](https://artifacthub.io/packages/helm/joxit/docker-registry-ui)
## Overview
This project aims to provide a simple and complete user interface for your private docker registry. You can customize the interface with various options. The major option is `ui.singleRegistry` which allows you to disable the dynamic selection of docker registeries.
If you like my work and want to support it, don't hesitate to [sponsor me](https://github.com/sponsors/Joxit).
## [Project Page](https://joxit.dev/docker-registry-ui), [Live Demo](https://joxit.dev/docker-registry-ui/demo/), [Examples](https://github.com/Joxit/docker-registry-ui/tree/main/examples), [Helm Chart](https://helm.joxit.dev/charts/docker-registry-ui/)
![preview](https://raw.github.com/Joxit/docker-registry-ui/main/docker-registry-ui.gif "Preview of Docker Registry UI")
## Prerequisites
* **Helm 3.2+** (Helm 2 is not supported)
* **Kubernetes 1.19+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is untested.
## Usage
1. Add my Helm repository (named `joxit`)
```
helm repo add joxit https://helm.joxit.dev
```
2. Ensure you have access to the Helm chart and you see the latest chart version listed. If you have previously added the Helm repository, run `helm repo update`.
```
helm search repo joxit/docker-registry-ui
```
3. Now you're ready to install the Docker Registry UI! To install Docker Registry UI with the default configuration using Helm 3.2 run the following command below. This will deploy the Docker Registry UI on the default namespace.
```
helm upgrade --install docker-registry-ui joxit/docker-registry-ui
```
## Configuration
### Global
| Value | Default | Description |
| --- | --- | --- |
| `global.name` | `null` | Set the prefix used for all resources in the Helm chart. If not set, the prefix will be `<helm release name>`. |
| `global.imagePullSecrets` | `[]` | The default array of objects containing image pull secret names that will be applied. |
| `global.imagePullPolicy` | `IfNotPresent` | The default image policy for images: `IfNotPresent`, `Always`, `Never` |
### User Interface
| Value | Default | Description |
| --- | --- | --- |
| `ui.replicas` | `1` | Number of replicas for the Deployment. |
| `ui.title` | `"Docker registry UI"` | Title of the registry |
| `ui.proxy` | `false` | UI behave as a proxy of the registry |
| `ui.dockerRegistryUrl` | `null` | The URL of your docker registry, may be a service (when proxy is on) or an external URL. |
| `ui.pullUrl` | `null` | Override the pull URL |
| `ui.singleRegistry` | `true` | Remove the menu that show the dialogs to add, remove and change the endpoint of your docker registry. |
| `ui.registrySecured` | `false` | By default, the UI will check on every requests if your registry is secured or not (you will see `401` responses in your console). Set to `true` if your registry uses Basic Authentication and divide by two the number of call to your registry. |
| `ui.showCatalogNbTags` | `false` | Show number of tags per images on catalog page. This will produce + nb images requests, not recommended on large registries. |
| `ui.catalogElementsLimit` | `1000` | Limit the number of elements in the catalog page. |
| `ui.catalogDefaultExpanded` | `false` | Expand by default all repositories in catalog |
| `ui.catalogMinBranches` | `1` | Set the minimum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. |
| `ui.catalogMaxBranches` | `1` | Set the maximum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. |
| `ui.deleteImages` | `false` | Allow delete of images |
| `ui.showContentDigest` | `false` | Show content digest in docker tag list. |
| `ui.taglistOrder` | `alpha-asc;num-desc` | Set the default order for the taglist page, could be `num-asc;alpha-asc`, `num-desc;alpha-asc`, `num-asc;alpha-desc`, `num-desc;alpha-desc`, `alpha-asc;num-asc`, `alpha-asc;num-desc`, `alpha-desc;num-asc` or `alpha-desc;num-desc`. |
| `ui.taglistPageSize` | `100` | Set the number of tags to display in one page. |
| `ui.historyCustomLabels` | `[]` | Expose custom labels in history page, custom labels will be processed like maintainer label. |
| `ui.nginxProxyHeaders` | `[]` | Update the default Nginx configuration and **set custom headers** for your backend docker registry. Only when `ui.proxy` is used. Example: nginxProxyHeaders: [ { my-heeader-name: my-header-value } ] |
| `ui.nginxProxyPassHeaders` | `[]` | Update the default Nginx configuration and **forward custom headers** to your backend docker registry. Only when `ui.proxy` is used. Example: nginxProxyPassHeaders: [ my-first-header, my-second-header ] |
| `ui.useControlCacheHeader` | `false` | Add header Control-Cache: no-store, no-cache on requests to registry server. This needs to update your registry configuration with : `Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']` |
| `ui.runAsRoot` | `true` | Use root or nginx user inside the container, when this is false the target port must be greater or equal to 1024. |
| `ui.defaultTheme` | `"auto"` | Select the default theme to apply, values can be `auto`, `dark` and `light` |
| `ui.theme.background` | `""` | Custom background color for the UI |
| `ui.theme.primaryText` | `""` | Custom primary text color for the UI |
| `ui.theme.neutralText` | `""` | Custom netral color for the UI (icons) |
| `ui.theme.accentText` | `""` | Custom accent color for the UI (buttons) |
| `ui.theme.hoverBackground` | `""` | Custom hover background color for the UI |
| `ui.theme.headerBackground` | `""` | Custom header background color for the UI |
| `ui.theme.headerText` | `""` | Custom header text color for the UI |
| `ui.theme.footerBackground` | `""` | Custom footer background color for the UI |
| `ui.theme.footerText` | `""` | Custom footer text color for the UI |
| `ui.theme.footerNeutralText` | `""` | Custom footer neutral color for the UI (links) |
| `ui.image` | `joxit/docker-registry-ui:2.5.2` | The name and tag of the docker image of the interface |
| `ui.imagePullSecrets` | `"-"` | Override default image pull secrets |
| `ui.imagePullPolicy` | `"-"` | Override default pull policy |
| `ui.resources` | `{}` | The resource settings for user interface pod. |
| `ui.nodeSelector` | `{}` | Optional YAML string to specify a nodeSelector config. |
| `ui.tolerations` | `[]` | Optional YAML string to specify tolerations. |
| `ui.affinity` | `{}` | This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. |
| `ui.annotations` | `{}` | Annotations to apply to the user interface deployment. |
| `ui.additionalSpec` | `{}` | Optional YAML string that will be appended to the deployment spec. |
| `ui.service.type` | `ClusterIP` | Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service type, you must set the desired `nodePorts` setting below. |
| `ui.service.port` | `80` | Ports that will be exposed on the service |
| `ui.service.targetPort` | `80` | The port to listhen on the container. If under 1024, the user must be root |
| `ui.service.nodePort` | `null` | If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. |
| `ui.service.annotations` | `{}` | Annotations to apply to the user interface service. |
| `ui.service.additionalSpec` | `{}` | Optional YAML string that will be appended to the Service spec. |
| `ui.ingress.enabled` | `false` | Enable the ingress for the user interface. |
| `ui.ingress.host` | `null` | Fully qualified domain name of a network host. |
| `ui.ingress.path` | `/` | Path is matched against the path of an incoming request. |
| `ui.ingress.pathType` | `Prefix` | Determines the interpretation of the Path matching, must be Prefix to serve assets. |
| `ui.ingress.ingressClassName` | `nginx` | The name of an IngressClass cluster resource. |
| `ui.ingress.tls` | `[]` | TLS configuration |
| `ui.ingress.annotations` | `{}` | Annotations to apply to the user interface ingress. |
### Registry Server
| Value | Default | Description |
| --- | --- | --- |
| `registry.enabled` | `false` | Enable the registry server. |
| `registry.image` | `registry:2.8.2` | The name and tag of the docker registry server image |
| `registry.imagePullSecrets` | `"-"` | Override default image pull secrets |
| `registry.imagePullPolicy` | `"-"` | Override default pull policy |
| `registry.dataVolume` | `null` | Configuration for the data directory. When null it will create an emptyDir. |
| `registry.resources` | `{}` | The resource settings for registry server pod. |
| `registry.nodeSelector` | `{}` | Optional YAML string to specify a nodeSelector config. |
| `registry.tolerations` | `[]` | Optional YAML string to specify tolerations. |
| `registry.affinity` | `{}` | This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. |
| `registry.annotations` | `{}` | Annotations to apply to the registry server deployment. |
| `registry.additionalSpec` | `{}` | Optional YAML string that will be appended to the deployment spec. |
| `registry.extraEnv` | `[]` | Extra Environmental Variables for Registry |
| `registry.auth.basic.enabled` | `false` | Enable basic auth for Registry. |
| `registry.auth.basic.realm` | `Docker registry` | Basic auth realm. |
| `registry.auth.basic.htpasswdPath` | `/etc/docker/registry/auth/htpasswd` | Full path for htpasswd file. Note that filename should match the secret key. |
| `registry.auth.basic.secretName` | `''` | htpasswd secret name volume to mount. |
| `registry.service.type` | `ClusterIP` | Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service type, you must set the desired `nodePorts` setting below. |
| `registry.service.port` | `5000` | Ports that will be exposed on the service |
| `registry.service.targetPort` | `5000` | The port to listhen on the container. |
| `registry.service.nodePort` | `null` | If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. |
| `registry.service.annotations` | `{}` | Annotations to apply to the registry server service. |
| `registry.service.additionalSpec` | `{}` | Optional YAML string that will be appended to the Service spec. |
| `registry.ingress.enabled` | `false` | Enable the ingress for the registry server. |
| `registry.ingress.host` | `null` | Fully qualified domain name of a network host. |
| `registry.ingress.path` | `/v2/` | Path is matched against the path of an incoming request. |
| `registry.ingress.pathType` | `Prefix` | Determines the interpretation of the Path matching, must be Prefix to serve assets. |
| `registry.ingress.ingressClassName` | `nginx` | The name of an IngressClass cluster resource. |
| `registry.ingress.tls` | `[]` | TLS configuration |
| `registry.ingress.annotations` | `{}` | Annotations to apply to the registry server ingress. |

28
opencloud/charts/docker-registry-ui/README.tmpl Normal file
View File

@@ -0,0 +1,28 @@
# {{ prettyName }} Chart
[![Stars](https://img.shields.io/github/stars/joxit/docker-registry-ui.svg?logo=github&maxAge=86400)](https://github.com/Joxit/docker-registry-ui/stargazers)
[![Pulls](https://img.shields.io/docker/pulls/joxit/docker-registry-ui.svg?maxAge=86400)](https://hub.docker.com/r/joxit/docker-registry-ui)
[![Sponsor](https://joxit.dev/images/sponsor.svg)](https://github.com/sponsors/Joxit)
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/joxit)](https://artifacthub.io/packages/helm/joxit/docker-registry-ui)
## Overview
This project aims to provide a simple and complete user interface for your private docker registry. You can customize the interface with various options. The major option is `ui.singleRegistry` which allows you to disable the dynamic selection of docker registeries.
If you like my work and want to support it, don't hesitate to [sponsor me](https://github.com/sponsors/Joxit).
## [Project Page](https://joxit.dev/docker-registry-ui), [Live Demo](https://joxit.dev/docker-registry-ui/demo/), [Examples](https://github.com/Joxit/docker-registry-ui/tree/main/examples), [Helm Chart](https://helm.joxit.dev/charts/docker-registry-ui/)
![preview](https://raw.github.com/Joxit/docker-registry-ui/main/docker-registry-ui.gif "Preview of Docker Registry UI")
## Prerequisites
{{ prerequisites }}
## Usage
{{ usage }}
## Configuration
{{ configuration }}

8
opencloud/charts/docker-registry-ui/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,8 @@
Thank you for installing Joxit's Docker Registry UI!
Your release is named {{ .Release.Name }}.
To learn more about the release, run:
$ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }}
$ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }}

43
opencloud/charts/docker-registry-ui/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,43 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). Supports the legacy fullnameOverride setting
as well as the global.name setting.
*/}}
{{- define "docker-registry-ui.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else if .Values.global.name -}}
{{- .Values.global.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "docker-registry-ui.chart" -}}
{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "docker-registry-ui.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels.
*/}}
{{- define "docker-registry-ui.labels" -}}
app.kubernetes.io/name: {{ include "docker-registry-ui.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "docker-registry-ui.chart" . }}
{{- end -}}

101
opencloud/charts/docker-registry-ui/templates/registry-deployment.yaml Normal file
View File

@@ -0,0 +1,101 @@
{{- if .Values.registry.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.registry.replicas }}
selector:
matchLabels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 8 }}
{{- if .Values.registry.annotations }}
annotations:
{{- toYaml .Values.registry.annotations | nindent 8 }}
{{- end }}
spec:
{{- if ne (.Values.registry.imagePullSecrets | toString) "-" }}
imagePullSecrets:
{{- toYaml .Values.registry.imagePullSecrets | nindent 8 }}
{{- else }}
imagePullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
{{- end}}
containers:
- name: "registry-server"
image: {{ .Values.registry.image | quote }}
imagePullPolicy: {{ if ne (.Values.registry.imagePullPolicy | toString) "-" }}{{ .Values.registry.imagePullPolicy }}{{ else }}{{ .Values.global.imagePullPolicy }}{{ end }}
env:
- name: REGISTRY_HTTP_ADDR
value: {{ printf "%s:%d" "0.0.0.0" (.Values.registry.service.targetPort | int) }}
{{- if .Values.ui.deleteImages }}
- name: REGISTRY_STORAGE_DELETE_ENABLED
value: 'true'
{{- end }}
{{- if .Values.registry.auth.basic.enabled }}
- name: REGISTRY_AUTH
value: htpasswd
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: {{ if ne (.Values.registry.auth.basic.realm | toString) "-" }}{{ .Values.registry.auth.basic.realm }}{{ else }}{{ "Docker registry" }}{{ end }}
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: {{ if ne (.Values.registry.auth.basic.htpasswdPath | toString) "-" }}{{ .Values.registry.auth.basic.htpasswdPath }}{{ else }}{{ "/etc/docker/registry/auth/htpasswd" }}{{ end }}
{{- end }}
{{- range .Values.registry.extraEnv }}
- name: {{ .name | quote }}
value: {{ .value | quote }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.registry.service.targetPort }}
protocol: TCP
volumeMounts:
- mountPath: /var/lib/registry
name: data
{{- if .Values.registry.auth.basic.enabled }}
- name: htpasswd
mountPath: {{ if ne (.Values.registry.auth.basic.htpasswdPath | toString) "-" }}{{ dir .Values.registry.auth.basic.htpasswdPath }}{{ else }}{{ "/etc/docker/registry/auth" }}{{ end }}
readOnly: true
{{- end }}
resources:
{{- toYaml .Values.registry.resources | nindent 12 }}
volumes:
- name: data
{{- if .Values.registry.dataVolume }}
{{- toYaml .Values.registry.dataVolume | nindent 10 }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.registry.auth.basic.enabled }}
- name: htpasswd
secret:
secretName: {{ if .Values.registry.auth.basic.secretName }}{{ .Values.registry.auth.basic.secretName }}{{ else }}{{ fail "Basic auth secret name is required" }}{{ end }}
{{- end }}
{{- with .Values.registry.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.registry.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.registry.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not .Values.registry.runAsRoot }}
securityContext:
runAsUser: 101
fsGroup: 101
{{- end }}
{{- if .Values.registry.additionalSpec }}
{{ tpl .Values.registry.additionalSpec . | nindent 6 | trim }}
{{- end }}
{{- end }}

38
opencloud/charts/docker-registry-ui/templates/registry-ingress.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{- if .Values.registry.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.registry.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.registry.ingress.ingressClassName }}
ingressClassName: {{ .Values.registry.ingress.ingressClassName }}
{{- end -}}
{{- if .Values.registry.ingress.tls }}
tls:
{{ tpl (toYaml .Values.registry.ingress.tls) $ | indent 4 }}
{{- end }}
rules:
- http:
paths:
- backend:
service:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
port:
number: {{ .Values.registry.service.port }}
{{- if .Values.registry.ingress.path }}
path: {{ .Values.registry.ingress.path }}
{{- end }}
{{- if .Values.registry.ingress.pathType }}
pathType: {{ .Values.registry.ingress.pathType }}
{{- end }}
{{- if .Values.registry.ingress.host }}
host: {{ .Values.registry.ingress.host | quote }}
{{- end -}}
{{- end }}

29
opencloud/charts/docker-registry-ui/templates/registry-service.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.registry.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.registry.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
type: {{ .Values.registry.service.type }}
ports:
- port: {{ .Values.registry.service.port }}
targetPort: {{ .Values.registry.service.targetPort }}
protocol: TCP
name: http
{{- if (and (eq .Values.registry.service.type "NodePort") .Values.registry.service.nodePort) }}
nodePort: {{ .Values.registry.service.nodePort }}
{{- end }}
{{- if .Values.registry.service.additionalSpec }}
{{ tpl .Values.registry.service.additionalSpec . | nindent 2 | trim }}
{{- end }}
{{- end }}

139
opencloud/charts/docker-registry-ui/templates/ui-deployment.yaml Normal file
View File

@@ -0,0 +1,139 @@
{{- if and (not .Values.ui.runAsRoot) (lt (.Values.ui.service.targetPort | int) 1024) }}
{{ fail "When `ui.runAsRoot` is false `ui.service.targetPort` must be less than 1024." }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.ui.replicas }}
selector:
matchLabels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 8 }}
{{- if .Values.ui.annotations }}
annotations:
{{- toYaml .Values.ui.annotations | nindent 8 }}
{{- end }}
spec:
{{- if ne (.Values.ui.imagePullSecrets | toString) "-" }}
imagePullSecrets:
{{- toYaml .Values.ui.imagePullSecrets | nindent 8 }}
{{- else }}
imagePullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
{{- end}}
containers:
- name: "registry-ui"
image: {{ .Values.ui.image | quote }}
imagePullPolicy: {{ if ne (.Values.ui.imagePullPolicy | toString) "-" }}{{ .Values.ui.imagePullPolicy }}{{ else }}{{ .Values.global.imagePullPolicy }}{{ end }}
env:
- name: REGISTRY_TITLE
value: {{ .Values.ui.title | quote }}
- name: DELETE_IMAGES
value: {{ .Values.ui.deleteImages | quote }}
{{- if .Values.ui.proxy }}
{{- if .Values.ui.dockerRegistryUrl }}
- name: NGINX_PROXY_PASS_URL
value: {{ .Values.ui.dockerRegistryUrl | quote }}
{{- else if .Values.registry.enabled }}
- name: NGINX_PROXY_PASS_URL
value: {{ printf "http://%s-registry-server:%d" (include "docker-registry-ui.fullname" .) (.Values.registry.service.port | int) }}
{{- end }}
{{- range $header := .Values.ui.nginxProxyHeaders }}
{{- range $key, $value := $header }}
- name: {{ printf "NGINX_PROXY_HEADER_%s" $key }}
value: {{ $value }}
{{- end }}
{{- end }}
{{- range $header := .Values.ui.nginxProxyPassHeaders }}
- name: {{ printf "NGINX_PROXY_PASS_HEADER_%s" $header }}
{{- end }}
{{- else }}
- name: REGISTRY_URL
value: {{ .Values.ui.dockerRegistryUrl | quote }}
{{- end }}
- name: PULL_URL
value: {{ .Values.ui.pullUrl | quote }}
- name: SHOW_CATALOG_NB_TAGS
value: {{ .Values.ui.showCatalogNbTags | quote }}
- name: SHOW_CONTENT_DIGEST
value: {{ .Values.ui.showContentDigest | quote }}
- name: SINGLE_REGISTRY
value: {{ .Values.ui.singleRegistry | quote }}
- name: CATALOG_ELEMENTS_LIMIT
value: {{ .Values.ui.catalogElementsLimit | quote }}
- name: HISTORY_CUSTOM_LABELS
value: {{ .Values.ui.historyCustomLabels | join "," }}
- name: NGINX_LISTEN_PORT
value: {{ .Values.ui.service.targetPort | quote }}
- name: USE_CONTROL_CACHE_HEADER
value: {{ .Values.ui.useControlCacheHeader | quote }}
- name: TAGLIST_ORDER
value: {{ .Values.ui.taglistOrder | quote }}
- name: CATALOG_DEFAULT_EXPANDED
value: {{ .Values.ui.catalogDefaultExpanded | quote }}
- name: CATALOG_MIN_BRANCHES
value: {{ .Values.ui.catalogMinBranches | quote }}
- name: CATALOG_MAX_BRANCHES
value: {{ .Values.ui.catalogMaxBranches | quote }}
- name: TAGLIST_PAGE_SIZE
value: {{ .Values.ui.taglistPageSize | quote }}
- name: REGISTRY_SECURED
value: {{ .Values.ui.registrySecured | quote }}
- name: THEME
value: {{ .Values.ui.defaultTheme | quote }}
- name: THEME_PRIMARY_TEXT
value: {{ .Values.ui.theme.primaryText | quote }}
- name: THEME_NEUTRAL_TEXT
value: {{ .Values.ui.theme.neutralText | quote }}
- name: THEME_BACKGROUND
value: {{ .Values.ui.theme.background | quote }}
- name: THEME_HOVER_BACKGROUND
value: {{ .Values.ui.theme.hoverBackground | quote }}
- name: THEME_ACCENT_TEXT
value: {{ .Values.ui.theme.accentText | quote }}
- name: THEME_HEADER_TEXT
value: {{ .Values.ui.theme.headerText | quote }}
- name: THEME_HEADER_BACKGROUND
value: {{ .Values.ui.theme.headerBackground | quote }}
- name: THEME_FOOTER_TEXT
value: {{ .Values.ui.theme.footerText | quote }}
- name: THEME_FOOTER_NEUTRAL_TEXT
value: {{ .Values.ui.theme.footerNeutralText | quote }}
- name: THEME_FOOTER_BACKGROUND
value: {{ .Values.ui.theme.footerBackground | quote }}
ports:
- name: http
containerPort: {{ .Values.ui.service.targetPort }}
protocol: TCP
resources:
{{- toYaml .Values.ui.resources | nindent 12 }}
{{- with .Values.ui.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not .Values.ui.runAsRoot }}
securityContext:
runAsUser: 101
{{- end }}
{{- if .Values.ui.additionalSpec }}
{{ tpl .Values.ui.additionalSpec . | nindent 6 | trim }}
{{- end }}

38
opencloud/charts/docker-registry-ui/templates/ui-ingress.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{- if .Values.ui.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.ui.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ui.ingress.ingressClassName }}
ingressClassName: {{ .Values.ui.ingress.ingressClassName }}
{{- end -}}
{{- if .Values.ui.ingress.tls }}
tls:
{{ tpl (toYaml .Values.ui.ingress.tls) $ | indent 4 }}
{{- end }}
rules:
- http:
paths:
- backend:
service:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
port:
number: {{ .Values.ui.service.port }}
{{- if .Values.ui.ingress.path }}
path: {{ .Values.ui.ingress.path }}
{{- end }}
{{- if .Values.ui.ingress.pathType }}
pathType: {{ .Values.ui.ingress.pathType }}
{{- end }}
{{- if .Values.ui.ingress.host }}
host: {{ .Values.ui.ingress.host | quote }}
{{- end -}}
{{- end }}

27
opencloud/charts/docker-registry-ui/templates/ui-service.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.ui.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
type: {{ .Values.ui.service.type }}
ports:
- port: {{ .Values.ui.service.port }}
targetPort: {{ .Values.ui.service.targetPort }}
protocol: TCP
name: http
{{- if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort) }}
nodePort: {{ .Values.ui.service.nodePort }}
{{- end }}
{{- if .Values.ui.service.additionalSpec }}
{{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }}
{{- end }}

218
opencloud/charts/docker-registry-ui/values.yaml Normal file
View File

@@ -0,0 +1,218 @@
## Global
global:
# Set the prefix used for all resources in the Helm chart. If not set,
# the prefix will be `<helm release name>`.
name: null
# The default array of objects containing image pull secret names that will be applied.
imagePullSecrets: []
# The default image policy for images: `IfNotPresent`, `Always`, `Never`
imagePullPolicy: IfNotPresent
## User Interface
ui:
# Number of replicas for the Deployment.
replicas: 1
# Title of the registry
title: "Docker registry UI"
# UI behave as a proxy of the registry
proxy: false
# The URL of your docker registry, may be a service (when proxy is on) or an external URL.
dockerRegistryUrl: null
# Override the pull URL
pullUrl: null
# Remove the menu that show the dialogs to add, remove and change the endpoint of your docker registry.
singleRegistry: true
# By default, the UI will check on every requests if your registry is secured or not (you will see `401` responses in your console). Set to `true` if your registry uses Basic Authentication and divide by two the number of call to your registry.
registrySecured: false
# Show number of tags per images on catalog page. This will produce + nb images requests, not recommended on large registries.
showCatalogNbTags: false
# Limit the number of elements in the catalog page.
catalogElementsLimit: 1000
# Expand by default all repositories in catalog
catalogDefaultExpanded: false
# Set the minimum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching.
catalogMinBranches: 1
# Set the maximum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching.
catalogMaxBranches: 1
# Allow delete of images
deleteImages: false
# Show content digest in docker tag list.
showContentDigest: false
# Set the default order for the taglist page, could be `num-asc;alpha-asc`, `num-desc;alpha-asc`, `num-asc;alpha-desc`, `num-desc;alpha-desc`, `alpha-asc;num-asc`, `alpha-asc;num-desc`, `alpha-desc;num-asc` or `alpha-desc;num-desc`.
taglistOrder: alpha-asc;num-desc
# Set the number of tags to display in one page.
taglistPageSize: 100
# Expose custom labels in history page, custom labels will be processed like maintainer label.
historyCustomLabels: []
# Update the default Nginx configuration and **set custom headers** for your backend docker registry. Only when `ui.proxy` is used.
# Example:
# nginxProxyHeaders:
# [ { my-heeader-name: my-header-value } ]
nginxProxyHeaders: []
# Update the default Nginx configuration and **forward custom headers** to your backend docker registry. Only when `ui.proxy` is used.
# Example:
# nginxProxyPassHeaders: [ my-first-header, my-second-header ]
nginxProxyPassHeaders: []
# Add header Control-Cache: no-store, no-cache on requests to registry server.
# This needs to update your registry configuration with : `Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']`
useControlCacheHeader: false
# Use root or nginx user inside the container, when this is false the target port must be greater or equal to 1024.
runAsRoot: true
# Select the default theme to apply, values can be `auto`, `dark` and `light`
defaultTheme: "auto"
theme:
# Custom background color for the UI
background: ""
# Custom primary text color for the UI
primaryText: ""
# Custom netral color for the UI (icons)
neutralText: ""
# Custom accent color for the UI (buttons)
accentText: ""
# Custom hover background color for the UI
hoverBackground: ""
# Custom header background color for the UI
headerBackground: ""
# Custom header text color for the UI
headerText: ""
# Custom footer background color for the UI
footerBackground: ""
# Custom footer text color for the UI
footerText: ""
# Custom footer neutral color for the UI (links)
footerNeutralText: ""
# The name and tag of the docker image of the interface
image: joxit/docker-registry-ui:2.5.2
# Override default image pull secrets
imagePullSecrets: "-"
# Override default pull policy
imagePullPolicy: "-"
# The resource settings for user interface pod.
resources: {}
# Optional YAML string to specify a nodeSelector config.
nodeSelector: {}
# Optional YAML string to specify tolerations.
tolerations: []
# This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for server pods.
affinity: {}
# Annotations to apply to the user interface deployment.
annotations: {}
# Optional YAML string that will be appended to the deployment spec.
additionalSpec: {}
service:
# Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service
# type, you must set the desired `nodePorts` setting below.
type: ClusterIP
# Ports that will be exposed on the service
port: 80
# The port to listhen on the container. If under 1024, the user must be root
targetPort: 80
# If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port.
nodePort: null
# Annotations to apply to the user interface service.
annotations: {}
# Optional YAML string that will be appended to the Service spec.
additionalSpec: {}
ingress:
# Enable the ingress for the user interface.
enabled: false
# Fully qualified domain name of a network host.
host: null
# Path is matched against the path of an incoming request.
path: /
# Determines the interpretation of the Path matching, must be Prefix to serve assets.
pathType: Prefix
# The name of an IngressClass cluster resource.
ingressClassName: nginx
# TLS configuration
tls: []
# Annotations to apply to the user interface ingress.
annotations: {}
# If you want a custom path, you can try this example:
# path: /ui(/|$)(.*)
# annotations:
# { nginx.ingress.kubernetes.io/rewrite-target: /$2 }
## Registry Server
registry:
# Enable the registry server.
enabled: false
# The name and tag of the docker registry server image
image: registry:2.8.2
# Override default image pull secrets
imagePullSecrets: "-"
# Override default pull policy
imagePullPolicy: "-"
# Configuration for the data directory. When null it will create an emptyDir.
dataVolume: null
# The resource settings for registry server pod.
resources: {}
# Optional YAML string to specify a nodeSelector config.
nodeSelector: {}
# Optional YAML string to specify tolerations.
tolerations: []
# This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for server pods.
affinity: {}
# Annotations to apply to the registry server deployment.
annotations: {}
# Optional YAML string that will be appended to the deployment spec.
additionalSpec: {}
# Extra Environmental Variables for Registry
extraEnv: []
auth:
basic:
# Enable basic auth for Registry.
enabled: false
# Basic auth realm.
realm: Docker registry
# Full path for htpasswd file. Note that filename should match the secret key.
htpasswdPath: /etc/docker/registry/auth/htpasswd
# htpasswd secret name volume to mount.
secretName: ''
service:
# Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service
# type, you must set the desired `nodePorts` setting below.
type: ClusterIP
# Ports that will be exposed on the service
port: 5000
# The port to listhen on the container.
targetPort: 5000
# If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port.
nodePort: null
# Annotations to apply to the registry server service.
annotations: {}
# Optional YAML string that will be appended to the Service spec.
additionalSpec: {}
ingress:
# Enable the ingress for the registry server.
enabled: false
# Fully qualified domain name of a network host.
host: null
# Path is matched against the path of an incoming request.
path: /v2/
# Determines the interpretation of the Path matching, must be Prefix to serve assets.
pathType: Prefix
# The name of an IngressClass cluster resource.
ingressClassName: nginx
# TLS configuration
tls: []
# Annotations to apply to the registry server ingress.
annotations: {}
# If you want a custom path, you can try this example:
# path: /api(/|$)(.*)
# annotations:
# { nginx.ingress.kubernetes.io/rewrite-target: /$2 }

6
opencloud/charts/hydra/Chart.lock
View File

@@ -4,6 +4,6 @@ dependencies:
version: 0.1.0
- name: hydra-maester
repository: file://../hydra-maester
version: 0.50.2
digest: sha256:f39e4a74150060c63515886f4905dce57e1a90419e5a5c530684f1a363686cda
generated: "2024-11-28T10:30:15.53366383Z"
version: 0.50.6
digest: sha256:0799d168b3e83ce9b85a48ef5d3abb9a99f6cb2f8436be51d91f3612e6b2b2da
generated: "2024-12-16T15:04:47.361658969Z"

4
opencloud/charts/hydra/Chart.yaml
View File

@@ -9,7 +9,7 @@ dependencies:
condition: maester.enabled
name: hydra-maester
repository: file://../hydra-maester
version: 0.50.2
version: 0.50.6
description: A Helm chart for deploying ORY Hydra in Kubernetes
home: https://www.ory.sh/
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
@@ -30,4 +30,4 @@ sources:
- https://github.com/ory/hydra
- https://github.com/ory/k8s
type: application
version: 0.50.2
version: 0.50.6

6
opencloud/charts/hydra/README.md
View File

@@ -1,6 +1,6 @@
# hydra
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square)
![Version: 0.50.5](https://img.shields.io/badge/Version-0.50.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square)
A Helm chart for deploying ORY Hydra in Kubernetes
@@ -21,7 +21,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
| Repository | Name | Version |
|------------|------|---------|
| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.1 |
| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.5 |
| file://../ory-commons | ory(ory-commons) | 0.1.0 |
## Values
@@ -98,7 +98,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| deployment.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| deployment.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":0,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}` | Default probe timers |
| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":1,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":2}` | Default probe timers |
| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | |
| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
| deployment.strategy.type | string | `"RollingUpdate"` | |

4
opencloud/charts/hydra/charts/hydra-maester/Chart.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: v2
appVersion: v0.0.34
appVersion: v0.0.36
description: A Helm chart for Kubernetes
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
name: hydra-maester
type: application
version: 0.50.2
version: 0.50.6

5
opencloud/charts/hydra/charts/hydra-maester/README.md
View File

@@ -1,6 +1,6 @@
# hydra-maester
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.34](https://img.shields.io/badge/AppVersion-v0.0.34-informational?style=flat-square)
![Version: 0.50.5](https://img.shields.io/badge/Version-0.50.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.36](https://img.shields.io/badge/AppVersion-v0.0.36-informational?style=flat-square)
A Helm chart for Kubernetes
@@ -20,6 +20,7 @@ A Helm chart for Kubernetes
| deployment.automountServiceAccountToken | bool | `true` | This applications connects to the k8s API and requires the permissions |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraAnnotations | object | `{}` | Deployment level extra annotations |
| deployment.extraEnv | list | `[]` | To set extra env vars for the container. |
| deployment.extraLabels | object | `{}` | Deployment level extra labels |
| deployment.extraVolumeMounts | list | `[]` | |
| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
@@ -52,7 +53,7 @@ A Helm chart for Kubernetes
| forwardedProto | string | `nil` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image |
| image.tag | string | `"v0.0.35-amd64"` | Ory Hydra-maester version |
| image.tag | string | `"v0.0.36"` | Ory Hydra-maester version |
| imagePullSecrets | list | `[]` | Image pull secrets |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |

7
opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml
View File

@@ -78,6 +78,13 @@ spec:
ClientName is the human-readable string name of the client
to be presented to the end-user during authorization.
type: string
deletionPolicy:
description:
Indicates if a deleted OAuth2Client custom resource should
delete the database row or not. Value 1 means deletion of
the OAuth2 client, value 2 means keep an orphan oauth2
client.
type: integer
frontChannelLogoutSessionRequired:
default: false
description:

4
opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml
View File

@@ -80,6 +80,10 @@ spec:
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.deployment.extraEnv }}
env:
{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.deployment.resources | nindent 12 }}
terminationMessagePath: /dev/termination-log

5
opencloud/charts/hydra/charts/hydra-maester/values.yaml
View File

@@ -12,7 +12,7 @@ image:
# -- Ory Hydra-maester image
repository: oryd/hydra-maester
# -- Ory Hydra-maester version
tag: v0.0.35-amd64
tag: v0.0.36
# -- Image pull policy
pullPolicy: IfNotPresent
@@ -56,6 +56,9 @@ deployment:
# cpu: 100m
# memory: 20Mi
# -- To set extra env vars for the container.
extraEnv: []
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume

10
opencloud/charts/hydra/values.yaml
View File

@@ -88,7 +88,7 @@ ingress:
# -- Configure ingress for the proxy port.
public:
# -- En-/Disable the proxy ingress.
enabled: false
enabled: true
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
@@ -105,7 +105,7 @@ ingress:
admin:
# -- En-/Disable the api ingress.
enabled: false
enabled: true
className: ""
annotations: {}
# If you do want to specify annotations, uncomment the following
@@ -345,8 +345,8 @@ deployment:
failureThreshold: 5
successThreshold: 1
periodSeconds: 1
timeoutSeconds: 1
initialDelaySeconds: 0
timeoutSeconds: 2
initialDelaySeconds: 1
automountServiceAccountToken: false
@@ -557,7 +557,7 @@ cronjob:
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume
# - name: my-volumep
# secret:
# secretName: my-secret
extraVolumeMounts: []

19
opencloud/charts/mongodb/.relok8s-images.yaml Normal file
View File

@@ -0,0 +1,19 @@
# relok8s image hints file
# This file makes this Helm Chart relocatable by relok8s
# More info here https://github.com/vmware-tanzu/asset-relocation-tool-for-kubernetes
#
# mongodb chart
# mongodb image
- "{{.image.registry}}/{{.image.repository}}:{{.image.tag}}"
# kubectl image
- "{{.externalAccess.autoDiscovery.image.registry}}/{{.externalAccess.autoDiscovery.image.repository}}:{{.externalAccess.autoDiscovery.image.tag}}"
# mongodb-exporter image
- "{{.metrics.image.registry}}/{{.metrics.image.repository}}:{{.metrics.image.tag}}"
# nginx image
- "{{.tls.image.registry}}/{{.tls.image.repository}}:{{.tls.image.tag}}"
# os-shell image
- "{{.externalAccess.dnsCheck.image.registry}}/{{.externalAccess.dnsCheck.image.repository}}:{{.externalAccess.dnsCheck.image.tag}}"
# os-shell image
- "{{.volumePermissions.image.registry}}/{{.volumePermissions.image.repository}}:{{.volumePermissions.image.tag}}"

6
opencloud/charts/mongodb/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.27.0
digest: sha256:b711ab5874abf868a0c64353a790f17771758cee6f802acb9819be004c8460af
generated: "2024-11-14T11:36:35.060517594+01:00"

32
opencloud/charts/mongodb/Chart.yaml
View File

@@ -1,30 +1,34 @@
annotations:
category: Database
fips: "true"
images: |
- name: kubectl
image: docker.io/bitnami/kubectl:1.31.2-debian-12-r3
version: 1.34.1
image: registry-1.docker.io/bitnami/kubectl:latest
- name: mongodb
image: docker.io/bitnami/mongodb:8.0.3-debian-12-r0
version: 8.2.1
image: registry-1.docker.io/bitnami/mongodb:latest
- name: mongodb-exporter
image: docker.io/bitnami/mongodb-exporter:0.41.2-debian-12-r1
version: 0.47.1
image: registry-1.docker.io/bitnami/mongodb-exporter:latest
- name: nginx
image: docker.io/bitnami/nginx:1.27.2-debian-12-r2
version: 1.29.3
image: registry-1.docker.io/bitnami/nginx:latest
- name: os-shell
image: docker.io/bitnami/os-shell:12-debian-12-r32
version: "5"
image: registry-1.docker.io/bitnami/os-shell:latest
licenses: Apache-2.0
tanzuCategory: service
apiVersion: v2
appVersion: 8.0.3
appVersion: 8.2.1
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it
stores data in JSON-like documents. Automated scalability and high-performance.
Ideal for developing cloud native applications.
version: 2.33.2
description: "MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications."
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png
icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/mongodb/img/mongodb-stack-220x234.png
keywords:
- mongodb
- database
@@ -33,9 +37,9 @@ keywords:
- replicaset
- replication
maintainers:
- name: Broadcom, Inc. All Rights Reserved.
- name: "Broadcom, Inc. All Rights Reserved."
url: https://github.com/bitnami/charts
name: mongodb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
version: 16.3.1
version: 18.1.9

111
opencloud/charts/mongodb/README.md
View File

@@ -1,27 +1,42 @@
<!--- app-name: MongoDB&reg; -->
# MongoDB(R) packaged by Bitnami
# MongoDB&reg; packaged by Bitnami
MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications.
MongoDB&reg; is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications.
[Overview of MongoDB&reg;](http://www.mongodb.org)
Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB(R) is run and maintained by MongoDB, which is a completely separate project from Bitnami.
Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB&reg; is run and maintained by MongoDB, which is a completely separate project from Bitnami.
## TL;DR
```console
helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb
helm install my-release oci://MY-OCI-REGISTRY/mongodb
```
Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
> Tip: Did you know that this app is also available as a Kubernetes App on the Azure Marketplace? Kubernetes Apps are the easiest way to deploy Bitnami on AKS. Click [here](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bitnami.mongodb-cnab) to see the listing on Azure Marketplace.
## Why use Bitnami Secure Images?
Those are hardened, minimal CVE images built and maintained by Bitnami. Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise [OS Photon Linux](https://vmware.github.io/photon/). Why choose BSI images?
- Hardened secure images of popular open source software with Near-Zero Vulnerabilities
- Vulnerability Triage & Prioritization with VEX Statements, KEV and EPSS Scores
- Compliance focus with FIPS, STIG, and air-gap options, including secure bill of materials (SBOM)
- Software supply chain provenance attestation through in-toto
- First class support for the internets favorite Helm charts
Each image comes with valuable security metadata. You can view the metadata in [our public catalog here](https://app-catalog.vmware.com/bitnami/apps). Note: Some data is only available with [commercial subscriptions to BSI](https://bitnami.com/).
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%201.png?raw=true "Application details")
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%202.png?raw=true "Packaging report")
If you are looking for our previous generation of images based on Debian Linux, please see the [Bitnami Legacy registry](https://hub.docker.com/u/bitnamilegacy).
## Introduction
This chart bootstraps a [MongoDB(&reg;)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Architecture
This chart allows installing MongoDB(&reg;) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use:
@@ -121,7 +136,25 @@ The command deploys MongoDB(&reg;) on the Kubernetes cluster in the default conf
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### Prometheus metrics
This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [mongodb_exporter](https://github.com/percona/mongodb_exporter) in all pods and a `metrics` service, which can be configured under the `metrics.service` section. This `metrics` service will have the necessary annotations to be automatically scraped by Prometheus.
#### Prometheus requirements
It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster.
#### Integration with Prometheus Operator
The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error:
```text
no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
```
Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator.
### [Rolling vs Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html)
@@ -318,7 +351,7 @@ passwordUpdateJob:
In the following example we update the password via values.yaml in a MongoDB installation with replication and several usernames and databases (including metrics).
```yaml
architecture: "replication"
architecture: "replicaset"
auth:
usernames:
@@ -363,7 +396,7 @@ passwordUpdateJob:
You can add extra update commands using the `passwordUpdateJob.extraCommands` value.
### Backup and restore MongoDB(R) deployments
### Backup and restore
Two different approaches are available to back up and restore Bitnami MongoDB&reg; Helm chart deployments on Kubernetes:
@@ -418,7 +451,7 @@ Custom Prometheus rules can be defined for the Prometheus Operator by using the
summary: High request latency
```
### Enable SSL/TLS
### Securing traffic using TLS
This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(&reg;) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`.
@@ -465,6 +498,12 @@ This chart allows you to set your custom affinity using the `XXX.affinity` param
As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
### FIPS parameters
The FIPS parameters only have effect if you are using images from the [Bitnami Secure Images catalog](https://go-vmware.broadcom.com/contact-us).
For more information on this new support, please refer to the [FIPS Compliance section](https://techdocs.broadcom.com/us/en/vmware-tanzu/bitnami-secure-images/bitnami-secure-images/services/bsi-doc/security-frameworks-FIPS-compliance.html).
## Persistence
The [Bitnami MongoDB(&reg;)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(&reg;) data and configurations at the `/bitnami/mongodb` path of the container.
@@ -477,14 +516,16 @@ If you encounter errors when working with persistent volumes, refer to our [trou
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` |
| `global.defaultFips` | Default value for the FIPS configuration (allowed values: '', restricted, relaxed, off). Can be overriden by the 'fips' object | `restricted` |
| `global.security.allowInsecureImages` | Allows skipping image verification | `false` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
@@ -501,6 +542,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `topologyKey` | Override common lib default topology key. If empty - "kubernetes.io/hostname" is used | `""` |
| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
| `usePasswordFiles` | Mount credentials as files instead of using environment variables | `true` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
@@ -549,6 +591,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` |
| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` |
| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `tls.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `tls.securityContext` | Init container generate-tls-cert Security context | `{}` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `hostAliases` | Add deployment host aliases | `[]` |
@@ -619,6 +662,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `containerPorts.mongodb` | MongoDB(&reg;) container port | `27017` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -667,9 +711,10 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Provide any additional annotations that may be required | `{}` |
| `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `service.sessionAffinity` is `None` | `{}` |
| `service.headless.annotations` | Annotations for the headless service. | `{}` |
| `service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` |
| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(&reg;) nodes (only for replicaset architecture) | `false` |
| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` |
| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` |
@@ -679,6 +724,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` |
| `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` |
| `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `externalAccess.autoDiscovery.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `externalAccess.dnsCheck.image.registry` | Init container dns-check image registry | `REGISTRY_NAME` |
| `externalAccess.dnsCheck.image.repository` | Init container dns-check image repository | `REPOSITORY_NAME/kubectl` |
| `externalAccess.dnsCheck.image.digest` | Init container dns-check image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
@@ -686,6 +732,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.dnsCheck.image.pullSecrets` | Init container dns-check image pull secrets | `[]` |
| `externalAccess.dnsCheck.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` |
| `externalAccess.dnsCheck.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `externalAccess.dnsCheck.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` |
| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` |
| `externalAccess.externalMaster.port` | Port for MongoDB(&reg;) service external master host | `27017` |
@@ -703,8 +750,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `externalAccess.service.annotations` | Service annotations for external access. These annotations are common for all services created. | `{}` |
| `externalAccess.service.annotationsList` | Service annotations for eache external service. This value contains a list allowing different annotations per each external service. | `[]` |
| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `externalAccess.service.sessionAffinity` is `None` | `{}` |
| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(&reg;) hidden nodes | `false` |
| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer | `LoadBalancer` |
| `externalAccess.hidden.service.portName` | MongoDB(&reg;) port name used for external access when service type is LoadBalancer | `mongodb` |
@@ -718,8 +765,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(&reg;) advertised hostname when service type is NodePort | `""` |
| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` |
| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `externalAccess.hidden.service.sessionAffinity` is `None` | `{}` |
### Password update job
@@ -755,6 +802,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `passwordUpdateJob.initContainers` | Add additional init containers for the mysql Primary pod(s) | `[]` |
| `passwordUpdateJob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). | `micro` |
| `passwordUpdateJob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `passwordUpdateJob.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `passwordUpdateJob.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `passwordUpdateJob.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `passwordUpdateJob.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
@@ -810,6 +858,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
| `backup.cronjob.backoffLimit` | Set the cronjob parameter backoffLimit | `6` |
| `backup.cronjob.serviceAccount.name` | Set the cronjob parameter serviceAccountName. If you change from the default values make sure that the SA already exists. | `default` |
| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
@@ -822,6 +871,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `backup.cronjob.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `backup.cronjob.command` | Set backup container's command to run | `[]` |
| `backup.cronjob.labels` | Set the cronjob labels | `{}` |
| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
@@ -862,6 +912,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` |
@@ -917,6 +968,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `small` |
| `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `arbiter.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `arbiter.containerPorts.mongodb` | MongoDB(&reg;) arbiter container port | `27017` |
| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -1005,6 +1057,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). | `micro` |
| `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `hidden.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `hidden.containerPorts.mongodb` | MongoDB(&reg;) hidden container port | `27017` |
| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -1080,6 +1133,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `metrics.args` | Override default container args (useful when using custom images) | `[]` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `metrics.fips.golang` | Configure Golang FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `relaxed` |
| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` |
| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` |
| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` |
@@ -1151,6 +1206,10 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 16.4.0
This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850).
If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart:
```console
@@ -1288,7 +1347,7 @@ extraDeploy:
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

10
opencloud/charts/mongodb/charts/common/Chart.yaml
View File

@@ -1,12 +1,14 @@
annotations:
category: Infrastructure
fips: "true"
images: |
[]
licenses: Apache-2.0
apiVersion: v2
appVersion: 2.27.0
appVersion: 2.33.2
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://bitnami.com
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
@@ -20,4 +22,4 @@ name: common
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/common
type: library
version: 2.27.0
version: 2.33.2

189
opencloud/charts/mongodb/charts/common/README.md
View File

@@ -1,6 +1,12 @@
# Bitnami Common Library Chart
<!--- app-name: Common -->
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
# Common library for Bitnami packages
A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
[Overview of Common](https://github.com/bitnami/charts/tree/main/bitnami/common)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
@@ -8,7 +14,7 @@ A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for gro
dependencies:
- name: common
version: 2.x.x
repository: oci://registry-1.docker.io/bitnamicharts
repository: oci://MY-OCI-REGISTRY
```
```console
@@ -24,14 +30,27 @@ data:
myvalue: "Hello World"
```
Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## Why use Bitnami Secure Images?
Those are hardened, minimal CVE images built and maintained by Bitnami. Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise [OS Photon Linux](https://vmware.github.io/photon/). Why choose BSI images?
- Hardened secure images of popular open source software with Near-Zero Vulnerabilities
- Vulnerability Triage & Prioritization with VEX Statements, KEV and EPSS Scores
- Compliance focus with FIPS, STIG, and air-gap options, including secure bill of materials (SBOM)
- Software supply chain provenance attestation through in-toto
- First class support for the internets favorite Helm charts
Each image comes with valuable security metadata. You can view the metadata in [our public catalog here](https://app-catalog.vmware.com/bitnami/apps). Note: Some data is only available with [commercial subscriptions to BSI](https://bitnami.com/).
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%201.png?raw=true "Application details")
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%202.png?raw=true "Packaging report")
If you are looking for our previous generation of images based on Debian Linux, please see the [Bitnami Legacy registry](https://hub.docker.com/u/bitnamilegacy).
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.23+
@@ -39,6 +58,162 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
### Affinities
| Helper identifier | Description | Expected Input |
| ------------------------------- | ---------------------------------------------------- | ------------------------------------------------------------ |
| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes` | Return a nodeAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` |
| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods` | Return a podAffinity/podAntiAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` |
### Capabilities
| Helper identifier | Description | Expected Input |
| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------- |
| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context |
| `common.capabilities.apiVersions.has` | Return true if the apiVersion is supported | `dict "version" "batch/v1" "context" $` |
| `common.capabilities.job.apiVersion` | Return the appropriate apiVersion for job. | `.` Chart context |
| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context |
| `common.capabilities.daemonset.apiVersion` | Return the appropriate apiVersion for daemonset. | `.` Chart context |
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context |
| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context |
| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context |
| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context |
| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context |
| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context |
| `common.capabilities.vpa.apiVersion` | Return the appropriate apiVersion for Vertical Pod Autoscaler. | `.` Chart context |
| `common.capabilities.psp.supported` | Returns true if PodSecurityPolicy is supported | `.` Chart context |
| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context |
| `common.capabilities.admissionConfiguration.supported` | Returns true if AdmissionConfiguration is supported | `.` Chart context |
| `common.capabilities.admissionConfiguration.apiVersion` | Return the appropriate apiVersion for AdmissionConfiguration. | `.` Chart context |
| `common.capabilities.podSecurityConfiguration.apiVersion` | Return the appropriate apiVersion for PodSecurityConfiguration. | `.` Chart context |
### Certificates
| Helper identifier | Description | Expected Input |
| ------------------ | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `common.certs.sans`| Returns a space-separated list of Subject Alternative Names (SANs) to create a TLS certificate | `dict "namespace" "default" "clusterDomain" "cluster.local" "serviceName" "my-service" "headlessServiceName" "my-service-headless"` |
### Compatibility
| Helper identifier | Description | Expected Input |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| `common.compatibility.isOpenshift` | Return true if the detected platform is Openshift | `.` Chart context |
| `common.compatibility.renderSecurityContext` | Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC | `dict "secContext" .Values.containerSecurityContext "context" $` |
### Errors
| Helper identifier | Description | Expected Input |
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
| `common.errors.insecureImages` | Throw error when original container images are replaced. The error can be bypassed by setting the `global.security.allowInsecureImages` to true. | `dict "images" (list .Values.path.to.the.imageRoot) "context" $` |
### Images
| Helper identifier | Description | Expected Input |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` |
| `common.images.version` | Return the proper image version | `dict "imageRoot" .Values.path.to.the.image "chart" .Chart` , see [ImageRoot](#imageroot) for the structure. |
### Ingress
| Helper identifier | Description | Expected Input |
| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences |
| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` |
### Labels
| Helper identifier | Description | Expected Input |
| --------------------------- | --------------------------------------------------------------------------- | ----------------- |
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context |
### Names
| Helper identifier | Description | Expected Input |
| ---------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context |
| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
| `common.names.dependency.fullname` | Create a default fully qualified dependency name. | `dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $` |
### Resources
| Helper identifier | Description | Expected Input |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| `common.resources.preset` | Return a resource request/limit object based on a given preset. These presets are for basic testing and not meant to be used in production. | `dict "type" "nano"` |
### Secrets
| Helper identifier | Description | Expected Input |
| --------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $`, length, strong, honorProvidedValues and chartName fields are optional. |
| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` |
| `common.secrets.lookup` | Reuses the value from an existing secret, otherwise sets its value to a default value. | `dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $` |
### Storage
| Helper identifier | Description | Expected Input |
| ---------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
### TplValues
| Helper identifier | Description | Expected Input |
| ---------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` |
| `common.tplvalues.merge` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` |
| `common.tplvalues.merge-overwrite` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` |
### Utils
| Helper identifier | Description | Expected Input |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` |
| `common.utils.checksumTemplate` | Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376) | `dict "path" "/configmap.yaml" "context" $` |
### Validations
| Helper identifier | Description | Expected Input |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. |
### Warnings
| Helper identifier | Description | Expected Input |
| -------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- |
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
| `common.warnings.modifiedImages` | Warning about replaced images from the original. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
| `common.warnings.resources` | Warning about not setting the resource object in all deployments. | `dict "sections" (list "path1" "path2") context $` |
### FIPS
| Helper identifier | Description | Expected Input |
| -------------------- | ------------------- | ------------------------------------------------------------------------------- |
| `common.fips.enabled` | Enable FIPS mode | `.` Chart context |
| `common.fips.config` | Configure FIPS mode | `dict "tech" "openssl|java|golang" "fips" .Values.fips "global" .Values.global` |
## Special input schemas
### ImageRoot
@@ -220,7 +395,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

28
opencloud/charts/mongodb/charts/common/templates/_affinities.tpl
View File

@@ -82,7 +82,7 @@ preferredDuringSchedulingIgnoredDuringExecution:
namespaces:
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
@@ -97,6 +97,13 @@ preferredDuringSchedulingIgnoredDuringExecution:
{{- range $key, $value := .extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .namespaces }}
namespaces:
- {{ $.context.Release.Namespace }}
{{- with .namespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
weight: {{ .weight | default 1 -}}
{{- end -}}
@@ -121,13 +128,13 @@ requiredDuringSchedulingIgnoredDuringExecution:
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if $extraNamespaces }}
namespaces:
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- if $extraNamespaces }}
namespaces:
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
{{- range $extraPodAffinityTerms }}
- labelSelector:
@@ -138,6 +145,13 @@ requiredDuringSchedulingIgnoredDuringExecution:
{{- range $key, $value := .extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .namespaces }}
namespaces:
- {{ $.context.Release.Namespace }}
{{- with .namespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
{{- end -}}
{{- end -}}

103
opencloud/charts/mongodb/charts/common/templates/_capabilities.tpl
View File

@@ -12,159 +12,114 @@ Return the target Kubernetes version
{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}}
{{- end -}}
{{/*
Return true if the apiVersion is supported
Usage:
{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }}
*/}}
{{- define "common.capabilities.apiVersions.has" -}}
{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}}
{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}}
{{- true -}}
{{- else if has .version $providedAPIVersions -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "common.capabilities.policy.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for job.
*/}}
{{- define "common.capabilities.job.apiVersion" -}}
{{- print "batch/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "common.capabilities.cronjob.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
{{- print "batch/v1beta1" -}}
{{- else -}}
{{- print "batch/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for daemonset.
*/}}
{{- define "common.capabilities.daemonset.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if (.Values.ingress).apiVersion -}}
{{- .Values.ingress.apiVersion -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
{{- end -}}
{{/*
Return the appropriate apiVersion for RBAC resources.
*/}}
{{- define "common.capabilities.rbac.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}}
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "rbac.authorization.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for CRDs.
*/}}
{{- define "common.capabilities.crd.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
{{- print "apiextensions.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiextensions.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for APIService.
*/}}
{{- define "common.capabilities.apiService.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}}
{{- print "apiregistration.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiregistration.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
*/}}
{{- define "common.capabilities.hpa.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Vertical Pod Autoscaler.
*/}}
{{- define "common.capabilities.vpa.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "autoscaling/v1beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- print "autoscaling/v1" -}}
{{- end -}}
{{- end -}}
@@ -183,19 +138,15 @@ Returns true if AdmissionConfiguration is supported
*/}}
{{- define "common.capabilities.admissionConfiguration.supported" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for AdmissionConfiguration.
*/}}
{{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- print "apiserver.config.k8s.io/v1alpha1" -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "apiserver.config.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiserver.config.k8s.io/v1" -}}
@@ -207,9 +158,7 @@ Return the appropriate apiVersion for PodSecurityConfiguration.
*/}}
{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "pod-security.admission.config.k8s.io/v1" -}}

51
opencloud/charts/mongodb/charts/common/templates/_certs.tpl Normal file
View File

@@ -0,0 +1,51 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Returns a space-separated list of Subject Alternative Names (SANs) to create a TLS certificate
Usage:
{{ include "common.certs.sans" (dict "namespace" "default" "clusterDomain" "cluster.local" "serviceName" "my-service" "headlessServiceName" "my-service-headless" "loopback" true "extraSANs" (list "custom.domain.com")) }}
Params:
- namespace - String - Required - Namespace where the app which we are generating the certificate for is deployed.
- clusterDomain - String - Optional - Cluster domain. Default is "cluster.local".
- serviceName - String - Optional - App service name. If provided, the following SANs will be generated:
- serviceName.namespace.svc.clusterDomain
- serviceName.namespace.svc
- serviceName.namespace
- serviceName
- headlessServiceName - String - Optional - App headless service name. If provided, the following wildcard SANs will be generated:
- *.headlessServiceName.namespace.svc.clusterDomain
- *.headlessServiceName.namespace.svc
- *.headlessServiceName.namespace
- *.headlessServiceName
- extraSANs - List<String> - Optional - Additional custom SANs to be added.
- loopback - Boolean - Optional - If true, "localhost" will be added to the SANs.
*/}}
{{- define "common.certs.sans" -}}
{{- $sans := list }}
{{- if .serviceName -}}
{{- $sans = append $sans (printf "%s.%s.svc.%s" .serviceName .namespace (default "cluster.local" .clusterDomain)) -}}
{{- $sans = append $sans (printf "%s.%s.svc" .serviceName .namespace) -}}
{{- $sans = append $sans (printf "%s.%s" .serviceName .namespace) -}}
{{- $sans = append $sans .serviceName -}}
{{- end -}}
{{- if .headlessServiceName -}}
{{- /* Include wildcard SANs for headless service */ -}}
{{- $sans = append $sans (printf "*.%s.%s.svc.%s" .headlessServiceName .namespace (default "cluster.local" .clusterDomain)) -}}
{{- $sans = append $sans (printf "*.%s.%s.svc" .headlessServiceName .namespace) -}}
{{- $sans = append $sans (printf "*.%s.%s" .headlessServiceName .namespace) -}}
{{- $sans = append $sans (printf "*.%s" .headlessServiceName) -}}
{{- end -}}
{{- range .extraSANs }}
{{- $sans = append $sans . -}}
{{- end -}}
{{- if (default false .loopback) -}}
{{- $sans = append $sans "localhost" }}
{{- end -}}
{{- join " " $sans | trim -}}
{{- end -}}

2
opencloud/charts/mongodb/charts/common/templates/_compatibility.tpl
View File

@@ -40,7 +40,7 @@ Usage:
{{- end -}}
{{/* Remove fields that are disregarded when running the container in privileged mode */}}
{{- if $adaptedContext.privileged -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}

66
opencloud/charts/mongodb/charts/common/templates/_errors.tpl
View File

@@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Throw error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
@@ -26,3 +26,67 @@ Required password params:
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}
{{/*
Throw error when original container images are replaced.
The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
a warning message will be shown instead.
Usage:
{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
*/}}
{{- define "common.errors.insecureImages" -}}
{{- $relocatedImages := list -}}
{{- $replacedImages := list -}}
{{- $bitnamiLegacyImages := list -}}
{{- $retaggedImages := list -}}
{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
{{- $originalImages := .context.Chart.Annotations.images -}}
{{- range .images -}}
{{- $registryName := default .registry $globalRegistry -}}
{{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
{{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
{{- if not (contains $fullImageNameNoTag $originalImages) -}}
{{- if not (contains $registryName $originalImages) -}}
{{- $relocatedImages = append $relocatedImages $fullImageName -}}
{{- else if not (contains .repository $originalImages) -}}
{{- $replacedImages = append $replacedImages $fullImageName -}}
{{- if contains "docker.io/bitnamilegacy/" $fullImageNameNoTag -}}
{{- $bitnamiLegacyImages = append $bitnamiLegacyImages $fullImageName -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
{{- $retaggedImages = append $retaggedImages $fullImageName -}}
{{- end -}}
{{- end -}}
{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
{{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
{{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
{{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
{{- range (concat $relocatedImages $replacedImages) -}}
{{- $errorString = print $errorString "\n - " . -}}
{{- end -}}
{{- if and (eq (len $relocatedImages) 0) (eq (len $replacedImages) (len $bitnamiLegacyImages)) -}}
{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
{{- print $errorString -}}
{{- else if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) (contains "docker.io/bitnamisecure/" $originalImages) -}}
{{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
{{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
{{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
{{- print $errorString | fail -}}
{{- else if gt (len $replacedImages) 0 -}}
{{- $errorString = print "\n\n WARNING: " $errorString -}}
{{- print $errorString -}}
{{- end -}}
{{- else if gt (len $retaggedImages) 0 -}}
{{- $warnString := "\n\n WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting original image tags could cause unexpected behavior." -}}
{{- $warnString = print $warnString "\n\nRetagged images:" -}}
{{- range $retaggedImages -}}
{{- $warnString = print $warnString "\n - " . -}}
{{- end -}}
{{- print $warnString -}}
{{- end -}}
{{- end -}}

73
opencloud/charts/mongodb/charts/common/templates/_fips.tpl Normal file
View File

@@ -0,0 +1,73 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Enable FIPS features
{{ include "common.fips.enabled" . }}
*/}}
{{- define "common.fips.enabled" -}}
{{- $fips := .Chart.Annotations.fips -}}
{{- if eq "true" $fips -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get FIPS environment variable value for the given tech
{{ include "common.fips.config" (dict "tech" "openssl|java|golang" "fips" .Values.fips "global" .Values.global) }}
*/}}
{{- define "common.fips.config" -}}
{{- $availableTechs := list "openssl" "java" "golang" -}}
{{- if not (has .tech $availableTechs) -}}
{{- printf "The common.fips.config method can only provide configuration for: %s" $availableTechs | fail -}}
{{- end -}}
{{- $tech := get (.fips) .tech -}}
{{- $value := $tech | default (.global).defaultFips -}}
{{- if empty $value -}}
{{- printf "Please configure a value for 'fips.%s' or 'global.defaultFips'" .tech | fail -}}
{{- else -}}
{{- $method := printf "common.fips.%s" .tech -}}
{{- include $method (dict "value" $value) | trim | print -}}
{{- end -}}
{{- end -}}
{{/*
Map OpenSSL values for FIPS configuration
{{ include "common.fips.openssl" (dict "value" "restricted") }}
*/}}
{{- define "common.fips.openssl" -}}
{{- ternary "yes" "no" (eq .value "restricted") | print -}}
{{- end -}}
{{/*
Map JAVA values for FIPS configuration
{{ include "common.fips.java" (dict "value" "restricted") }}
*/}}
{{- define "common.fips.java" -}}
{{- $suffix := ternary "original" .value (eq .value "off") -}}
{{- $javaSecurityFile := printf "java.security.%s" $suffix -}}
{{/* The two equals signs mean the property file will completely override the master properties file */}}
{{- $javaSecurityOpt := printf "-Djava.security.properties==/opt/bitnami/java/conf/security/%s" $javaSecurityFile -}}
{{- $bcModulesFlag := "--module-path=/opt/bitnami/bc-fips/" -}}
{{- $restrictedFlags := printf "%s %s" $bcModulesFlag $javaSecurityOpt -}}
{{- ternary $restrictedFlags $javaSecurityOpt (eq .value "restricted") | print -}}
{{- end -}}
{{/*
Map Golang values for FIPS configuration
{{ include "common.fips.golang" (dict "value" "restricted") }}
*/}}
{{- define "common.fips.golang" -}}
{{- if eq .value "restricted" -}}
{{- print "fips140=only" -}}
{{- else if eq .value "relaxed" -}}
{{- print "fips140=on" -}}
{{- else -}}
{{- print "fips140=off" -}}
{{- end -}}
{{- end -}}

32
opencloud/charts/mongodb/charts/common/templates/_ingress.tpl
View File

@@ -17,11 +17,6 @@ Params:
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.ingress.backend" -}}
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
name: {{ .serviceName }}
port:
@@ -31,33 +26,6 @@ service:
number: {{ .servicePort | int }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Print "true" if the API pathType field is supported
Usage:
{{ include "common.ingress.supportsPathType" . }}
*/}}
{{- define "common.ingress.supportsPathType" -}}
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the ingressClassname field is supported
Usage:
{{ include "common.ingress.supportsIngressClassname" . }}
*/}}
{{- define "common.ingress.supportsIngressClassname" -}}
{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if cert-manager required annotations for TLS signed

2
opencloud/charts/mongodb/charts/common/templates/_labels.tpl
View File

@@ -22,7 +22,7 @@ helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ . | quote }}
app.kubernetes.io/version: {{ . | replace "+" "_" | quote }}
{{- end -}}
{{- end -}}
{{- end -}}

7
opencloud/charts/mongodb/charts/common/templates/_names.tpl
View File

@@ -28,10 +28,11 @@ If release name contains chart name it will be used as a full name.
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- $releaseName := regexReplaceAll "(-?[^a-z\\d\\-])+-?" (lower .Release.Name) "-" -}}
{{- if contains $name $releaseName -}}
{{- $releaseName | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

2
opencloud/charts/mongodb/charts/common/templates/_resources.tpl
View File

@@ -19,7 +19,7 @@ These presets are for basic testing and not meant to be used in production
)
"micro" (dict
"requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi")
"limits" (dict "cpu" "380m" "memory" "384Mi" "ephemeral-storage" "2Gi")
)
"small" (dict
"requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")

4
opencloud/charts/mongodb/charts/common/templates/_secrets.tpl
View File

@@ -110,12 +110,12 @@ The order in which this function returns a secret password:
{{- end }}
{{- if and $providedPasswordValue .honorProvidedValues }}
{{- $password = $providedPasswordValue | toString }}
{{- $password = tpl ($providedPasswordValue | toString) .context }}
{{- end }}
{{- if not $password }}
{{- if $providedPasswordValue }}
{{- $password = $providedPasswordValue | toString }}
{{- $password = tpl ($providedPasswordValue | toString) .context }}
{{- else }}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}

5
opencloud/charts/mongodb/templates/NOTES.txt
View File

@@ -2,6 +2,10 @@ CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free.
Subscribe to Bitnami Secure Images to receive continued support and security updates.
More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267
{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
@@ -169,3 +173,4 @@ Then, open the obtained URL in a browser.
{{- include "mongodb.validateValues" . }}
{{- include "common.warnings.resources" (dict "sections" (list "arbiter" "externalAccess.autoDiscovery" "hidden" "metrics" "" "tls" "volumePermissions") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}

35
opencloud/charts/mongodb/templates/_helpers.tpl
View File

@@ -309,6 +309,11 @@ Init container definition to change/establish volume permissions.
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.volumePermissions.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
@@ -338,6 +343,11 @@ Init container definition to recover log dir.
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /opt/bitnami/mongodb/logs
@@ -366,6 +376,11 @@ Init container definition to get external IP addresses.
{{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.externalAccess.autoDiscovery.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: shared
mountPath: /shared
@@ -401,6 +416,11 @@ Init container definition to wait external DNS names.
{{- else if ne .Values.externalAccess.dnsCheck.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.dnsCheck.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.externalAccess.dnsCheck.fips "global" .Values.global) | quote }}
{{- end }}
{{- end -}}
{{/*
@@ -644,24 +664,13 @@ Validate values of MongoDB&reg; exporter URI string - auth.enabled and/or tls.en
{{- end -}}
{{- if .Values.metrics.username -}}
{{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}}
{{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- else -}}
{{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}}
{{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a TLS secret object should be created
*/}}

37
opencloud/charts/mongodb/templates/arbiter/statefulset.yaml
View File

@@ -87,7 +87,7 @@ spec:
{{- if .Values.arbiter.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }}
{{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }}
{{- end }}
{{- if and .Values.tls.enabled .Values.arbiter.enabled }}
@@ -107,6 +107,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
@@ -126,6 +130,9 @@ spec:
- /bitnami/scripts/generate-certs.sh
args:
- -s {{ include "mongodb.arbiter.service.nameOverride" . }}
{{- if .Values.tls.securityContext }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }}
{{- end }}
{{- end }}
containers:
- name: mongodb-arbiter
@@ -164,6 +171,10 @@ spec:
value: {{ include "mongodb.initialPrimaryHost" . | quote }}
- name: MONGODB_REPLICA_SET_NAME
value: {{ .Values.replicaSetName | quote }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.arbiter.fips "global" .Values.global) | quote }}
{{- end }}
- name: MONGODB_ADVERTISED_HOSTNAME
value: "$(MY_POD_NAME).{{ include "mongodb.arbiter.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}"
- name: MONGODB_PORT_NUMBER
@@ -173,6 +184,12 @@ spec:
{{- if .Values.auth.enabled }}
- name: MONGODB_INITIAL_PRIMARY_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
- name: MONGODB_REPLICA_SET_KEY_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key"
{{- else }}
- name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD
valueFrom:
secretKeyRef:
@@ -184,6 +201,7 @@ spec:
name: {{ include "mongodb.secretName" . }}
key: mongodb-replica-set-key
{{- end }}
{{- end }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
{{- $extraFlags := .Values.arbiter.extraFlags | join " " -}}
@@ -265,6 +283,10 @@ spec:
- name: empty-dir
mountPath: /bitnami/mongodb
subPath: app-volume-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }}
- name: config
mountPath: /opt/bitnami/mongodb/conf/mongodb.conf
@@ -283,11 +305,16 @@ spec:
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o555
defaultMode: 0555
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }}
- name: config
configMap:
@@ -303,10 +330,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
- name: mongodb-certs-0
secret:

48
opencloud/charts/mongodb/templates/backup/cronjob.yaml
View File

@@ -28,8 +28,8 @@ metadata:
{{- end }}
spec:
schedule: {{ quote .Values.backup.cronjob.schedule }}
{{- if .Values.backup.cronjob.timezone }}
timeZone: {{ .Values.backup.cronjob.timezone | quote }}
{{- if .Values.backup.cronjob.timeZone }}
timeZone: {{ .Values.backup.cronjob.timeZone | quote }}
{{- end }}
concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
@@ -70,6 +70,7 @@ spec:
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 12 }}
{{- end }}
enableServiceLinks: {{ .Values.enableServiceLinks }}
serviceAccountName: {{ .Values.backup.cronjob.serviceAccount.name | quote }}
{{- if .Values.tls.enabled }}
initContainers:
- name: generate-tls-certs
@@ -84,6 +85,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
@@ -114,27 +119,39 @@ spec:
{{- else if ne .Values.tls.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 16 }}
{{- end }}
{{- if .Values.tls.securityContext }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 16 }}
{{- end }}
{{- end }}
containers:
- name: {{ include "mongodb.fullname" . }}-mongodump
image: {{ include "mongodb.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
env:
{{- if .Values.auth.enabled }}
{{- if .Values.auth.enabled }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- end }}
{{- end }}
- name: MONGODB_SERVICE_NAME
value: {{ include "mongodb.service.nameOverride" . }}
- name: MONGODB_PORT_NUMBER
value: {{ .Values.containerPorts.mongodb | quote }}
- name: MONGODUMP_DIR
value: {{ .Values.backup.cronjob.storage.mountPath }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.backup.cronjob.fips "global" .Values.global) | quote }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: MONGODB_CLIENT_EXTRA_FLAGS
value: --ssl --sslPEMKeyFile=/certs/mongodb.pem --sslCAFile=/certs/mongodb-ca-cert
@@ -143,9 +160,13 @@ spec:
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
{{- else }}
command:
- /bin/sh
- /bin/bash
- -c
- "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz"
- |
{{- if and .Values.auth.enabled .Values.usePasswordFiles }}
export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)"
{{- end }}
mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz
{{- end }}
{{- if .Values.backup.cronjob.resources }}
resources: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.resources "context" $) | nindent 14 }}
@@ -156,6 +177,10 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -181,7 +206,12 @@ spec:
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o550
defaultMode: 0550
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
emptyDir: {}
@@ -192,10 +222,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
- name: mongodb-certs-0
secret:

74
opencloud/charts/mongodb/templates/hidden/statefulset.yaml
View File

@@ -96,7 +96,7 @@ spec:
{{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }}
{{- include "mongodb.initContainers.autoDiscovery" . | indent 8 }}
{{- end }}
{{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }}
{{- include "mongodb.initContainers.dnsCheck" . | indent 8 }}
{{- end }}
{{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }}
@@ -117,6 +117,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
@@ -149,6 +153,9 @@ spec:
{{- else if ne .Values.tls.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.tls.securityContext }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }}
{{- end }}
{{- end }}
containers:
- name: mongodb
@@ -196,6 +203,10 @@ spec:
value: "hidden"
- name: MONGODB_INITIAL_PRIMARY_HOST
value: {{ include "mongodb.initialPrimaryHost" . | quote }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.hidden.fips "global" .Values.global) | quote }}
{{- end }}
- name: MONGODB_REPLICA_SET_NAME
value: {{ .Values.replicaSetName | quote }}
{{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }}
@@ -214,14 +225,25 @@ spec:
{{- end }}
{{- if .Values.auth.enabled }}
{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_EXTRA_PASSWORDS_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-passwords"
{{- else }}
- name: MONGODB_EXTRA_PASSWORDS
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-passwords
{{- end }}
{{- end }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
- name: MONGODB_REPLICA_SET_KEY_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
@@ -233,10 +255,15 @@ spec:
name: {{ include "mongodb.secretName" . }}
key: mongodb-replica-set-key
{{- end }}
{{- end }}
{{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.auth.enabled }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -244,6 +271,7 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
- name: MONGODB_SYSTEM_LOG_VERBOSITY
@@ -329,6 +357,10 @@ spec:
subPath: {{ .Values.hidden.persistence.subPath }}
- name: common-scripts
mountPath: /bitnami/scripts
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d
@@ -390,6 +422,13 @@ spec:
{{- else }}
args:
- |
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
{{- if .Values.metrics.username }}
export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)"
{{- else }}
export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)"
{{- end }}
{{- end }}
/bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }}
{{- end }}
env:
@@ -397,14 +436,23 @@ spec:
{{- if not .Values.metrics.username }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- else }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -412,10 +460,21 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
- name: GODEBUG
value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -468,7 +527,12 @@ spec:
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o555
defaultMode: 0555
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
@@ -486,7 +550,7 @@ spec:
- name: scripts
configMap:
name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o755
defaultMode: 0755
{{- if .Values.hidden.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }}
{{- end }}
@@ -500,10 +564,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
{{- range $index, $secret := .Values.tls.hidden.existingSecrets }}
- name: mongodb-certs-{{ $index }}

2
opencloud/charts/mongodb/templates/networkpolicy.yaml
View File

@@ -57,7 +57,7 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:

34
opencloud/charts/mongodb/templates/replicaset/scripts-configmap.yaml
View File

@@ -111,11 +111,12 @@ data:
{{- $replicaCount := int .Values.replicaCount }}
{{- $portNumber := int .Values.service.ports.mongodb }}
{{- $fullname := include "mongodb.fullname" . }}
{{- $serviceName := include "mongodb.service.nameOverride" . }}
{{- $releaseNamespace := include "mongodb.namespace" . }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $mongoList := list }}
{{- range $e, $i := until $replicaCount }}
{{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }}
{{- $mongoList = append $mongoList (printf "%s-%d.%s.%s.svc.%s:%d" $fullname $i $serviceName $releaseNamespace $clusterDomain $portNumber) }}
{{- end }}
{{- if .Values.externalAccess.externalMaster.enabled }}
@@ -254,28 +255,34 @@ data:
# read rs.conf again and store it. settings format is '"<key>" : <value>,'
currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()')
desiredEqualsactual=unknown
desiredEqualsActual=unknown
settingsToConfigure=""
for key in ${!desiredRsConf[@]}; do
value=${desiredRsConf[$key]}
if ! $(echo "\"${currentRsConf}"\" | grep -q -e "${key}: ${value},"); then
if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then
memberIndex=$(echo $key | grep -o -E '[0-9]+')
nodeConfigKey=${key#*.}
settingsToConfigure="${settingsToConfigure}cfg.members[${memberIndex}].${nodeConfigKey} = ${value}; "
if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then
# Replica set member specific setting
if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.${key}" 2>/dev/null)" != "${value}" ]]; then
desiredEqualsActual=false
logger "rs conf: ${key} needs to be updated to desired value: ${value}"
settingsToConfigure="${settingsToConfigure}cfg.${key} = ${value}; "
else
# General rs settings
settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; "
logger "rs conf: ${key} is already at desired value: ${value}"
fi
desiredEqualsactual=false
else
logger "rs conf: ${key} is already at desired value: ${value}"
# General rs setting
if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.settings.${key}" 2>/dev/null)" != "${value}" ]]; then
desiredEqualsActual=false
logger "rs conf: ${key} needs to be updated to desired value: ${value}"
settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; "
else
logger "rs conf: ${key} is already at desired value: ${value}"
fi
fi
done
if [[ "${desiredEqualsactual}" != "false" ]]; then
if [[ "${desiredEqualsActual}" != "false" ]]; then
logger "replicaSetConfigurationSettings match the settings of the currently running rs"
desiredEqualsactual=true
desiredEqualsActual=true
rs_conf_configured_ok=true
logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)"
exit
@@ -313,4 +320,3 @@ data:
done
{{- end }}
{{- end }}

75
opencloud/charts/mongodb/templates/replicaset/statefulset.yaml
View File

@@ -97,7 +97,7 @@ spec:
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }}
{{- include "mongodb.initContainers.autoDiscovery" . | nindent 8 }}
{{- end }}
{{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }}
{{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }}
{{- end }}
{{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }}
@@ -118,6 +118,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
@@ -200,6 +204,10 @@ spec:
value: {{ include "mongodb.initialPrimaryHost" . | quote }}
- name: MONGODB_REPLICA_SET_NAME
value: {{ .Values.replicaSetName | quote }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }}
{{- end }}
{{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }}
- name: MONGODB_ADVERTISED_HOSTNAME
value: "$(MY_POD_NAME).{{ include "mongodb.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}"
@@ -216,14 +224,25 @@ spec:
{{- end }}
{{- if .Values.auth.enabled }}
{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_EXTRA_PASSWORDS_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-passwords"
{{- else }}
- name: MONGODB_EXTRA_PASSWORDS
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-passwords
{{- end }}
{{- end }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
- name: MONGODB_REPLICA_SET_KEY_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
@@ -235,10 +254,15 @@ spec:
name: {{ include "mongodb.secretName" . }}
key: mongodb-replica-set-key
{{- end }}
{{- end }}
{{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.auth.enabled }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -246,6 +270,7 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
- name: MONGODB_SYSTEM_LOG_VERBOSITY
@@ -341,6 +366,10 @@ spec:
- name: empty-dir
mountPath: /.mongodb
subPath: mongosh-home
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
- name: {{ .Values.persistence.name | default "datadir" }}
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
@@ -397,6 +426,13 @@ spec:
{{- else }}
args:
- |
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
{{- if .Values.metrics.username }}
export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)"
{{- else }}
export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)"
{{- end }}
{{- end }}
/bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }}
{{- end }}
env:
@@ -404,14 +440,23 @@ spec:
{{- if not .Values.metrics.username }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- else }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -419,10 +464,21 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
- name: GODEBUG
value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -472,7 +528,12 @@ spec:
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o550
defaultMode: 0550
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
@@ -490,7 +551,7 @@ spec:
- name: scripts
configMap:
name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o755
defaultMode: 0755
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
@@ -504,10 +565,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
{{- range $index, $secret := .Values.tls.replicaset.existingSecrets }}
- name: mongodb-certs-{{ $index }}
@@ -532,9 +593,7 @@ spec:
whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }}
{{- end }}
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
- metadata:
name: datadir
{{- if .Values.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}

1
opencloud/charts/mongodb/templates/replicaset/svc.yaml
View File

@@ -25,6 +25,7 @@ metadata:
{{- end }}
spec:
type: ClusterIP
publishNotReadyAddresses: {{ $root.Values.service.publishNotReadyAddresses }}
ports:
- name: {{ $root.Values.service.portName | quote }}
port: {{ $root.Values.service.ports.mongodb }}

Some files were not shown because too many files have changed in this diff Show More