Compare commits
17 Commits
bootstrapi
...
main
Author | SHA1 | Date | |
---|---|---|---|
5825c89a23 | |||
f868400b7a | |||
10b01fdc40 | |||
5e1503f0bc | |||
11bdecd80d | |||
f7ae1165b9 | |||
ba9a971964 | |||
519fb80ee7 | |||
cde967a404 | |||
d0118ed095 | |||
b4edaba6d8 | |||
324f0f6828 | |||
fd81d1b020 | |||
98ef81fe2d | |||
ffff95b694 | |||
55927fb5d4 | |||
18f7a91bf3 |
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
opencloud/Chart.lock
|
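Review bot: Ignoring `opencloud/Chart.lock` here, together with deleting the tracked copy in the `@ -1,9 +0,0 @@` hunk below, removes the record of which exact subchart versions and repositories were resolved for the seven dependencies declared in `opencloud/Chart.yaml`; the exact version pins in Chart.yaml limit the damage, but a committed lock is what makes dependency drift visible in review and lets `helm dependency build` run without re-resolving against the external repositories. Keep `Chart.lock` under version control (regenerate it with `helm dependency update` after editing dependencies) and ignore only the downloaded archives, `opencloud/charts/*.tgz`. If the lock is being dropped deliberately because subcharts are vendored under `opencloud/charts/`, record that next to the rule, `# Chart.lock not tracked: subcharts are vendored in opencloud/charts/`. The file header for this one-line hunk is not visible on the page, so the path of the ignore file itself is inferred from the `.gitignore` header above.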
@ -2,4 +2,4 @@
|
|||||||
RELEASE_NAME=dev
|
RELEASE_NAME=dev
|
||||||
RELEASE_NAMESPACE=dev
|
RELEASE_NAMESPACE=dev
|
||||||
|
|
||||||
helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace --install -f opencloud/dev-values.yaml
|
helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml
|
||||||
|
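Review bot: Reading the right-hand cell as the new side (the pure-deletion hunk below prints old text on the left), this hunk replaces `helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace --install -f opencloud/dev-values.yaml` with a plain `helm install`, which errors out as soon as a release named `${RELEASE_NAME}` already exists, so re-running the target after the first deploy no longer works. If idempotent re-runs are wanted, restore the `helm upgrade … --install` form; if a first-install-only step is intended, say so in a comment above the line, `# initial install only; use helm upgrade for subsequent deploys`. This hunk has no file header on the page (it sits directly under the `.gitignore` content), and the enclosing script starts and ends outside the hunk, so the surrounding targets could not be checked.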
@ -1,9 +0,0 @@
|
|||||||
dependencies:
|
|
||||||
- name: openldap
|
|
||||||
repository: https://jp-gouin.github.io/helm-openldap/
|
|
||||||
version: 2.0.4
|
|
||||||
- name: traefik
|
|
||||||
repository: https://helm.traefik.io/traefik
|
|
||||||
version: 33.0.0
|
|
||||||
digest: sha256:5562ae89207a555f8f4afaf100b255083c27c8f98b990345a4523bd283c7a4c7
|
|
||||||
generated: "2024-11-28T10:18:30.724260729+01:00"
|
|
@ -5,13 +5,41 @@ type: application
|
|||||||
version: 0.0.1
|
version: 0.0.1
|
||||||
appVersion: "0.0.1"
|
appVersion: "0.0.1"
|
||||||
|
|
||||||
# TODO: ldap, mongo, mongo-express, nats, ory hydra, keto, traefik
|
# TODO: grafana, loki
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: openldap
|
- name: openldap
|
||||||
|
repository: https://jp-gouin.github.io/helm-openldap/
|
||||||
version: "2.0.4"
|
version: "2.0.4"
|
||||||
repository: "https://jp-gouin.github.io/helm-openldap/"
|
|
||||||
condition: openldap.enabled
|
condition: openldap.enabled
|
||||||
- name: traefik
|
- name: traefik
|
||||||
version: "33.0.0"
|
version: "33.0.0"
|
||||||
repository: "https://helm.traefik.io/traefik"
|
repository: "https://helm.traefik.io/traefik"
|
||||||
condition: traefik.enabled
|
condition: traefik.enabled
|
||||||
|
- name: nats
|
||||||
|
version: "1.2.6"
|
||||||
|
repository: "https://nats-io.github.io/k8s/helm/charts/"
|
||||||
|
condition: nats.enabled
|
||||||
|
- name: mongodb
|
||||||
|
version: "16.3.1"
|
||||||
|
repository: "https://charts.bitnami.com/bitnami"
|
||||||
|
condition: mongodb.enabled
|
||||||
|
- name: mongo-express
|
||||||
|
version: "6.5.2"
|
||||||
|
repository: "https://cowboysysop.github.io/charts/"
|
||||||
|
condition: mongo-express.enabled
|
||||||
|
- name: hydra
|
||||||
|
version: "0.50.2"
|
||||||
|
repository: "https://k8s.ory.sh/helm/charts"
|
||||||
|
condition: hydra.enabled
|
||||||
|
- name: keto
|
||||||
|
version: "0.50.2"
|
||||||
|
repository: "https://k8s.ory.sh/helm/charts"
|
||||||
|
condition: keto.enabled
|
||||||
|
- name: loki
|
||||||
|
version: "6.23.0"
|
||||||
|
repository: "https://grafana.github.io/helm-charts"
|
||||||
|
condition: loki.enabled
|
||||||
|
- name: grafana
|
||||||
|
version: "8.6.4"
|
||||||
|
repository: "https://grafana.github.io/helm-charts"
|
||||||
|
condition: grafana.enabled
|
||||||
|
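Review bot: The openldap entry is the odd one out on the new side: `repository: https://jp-gouin.github.io/helm-openldap/` is unquoted and listed before `version`, while every other dependency in the hunk writes `version` first and quotes the repository URL; use the same order and quoting, `repository: "https://jp-gouin.github.io/helm-openldap/"` after the `version: "2.0.4"` line. The updated comment `# TODO: grafana, loki` is contradicted by the same hunk, which adds both as dependencies; rewrite it to name what is actually outstanding (presumably their values), or drop it. Each subchart is gated on a `<name>.enabled` condition, but the defaults live in values files that are not part of this compare; confirm that the admin-facing subcharts, mongo-express in particular, default to disabled so an install with stock values does not expose them.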
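--- /dev/null
+++ b/opencloud/charts/grafana/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.vscode
+.project
+.idea/
+*.tmproj
+OWNERS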
35
opencloud/charts/grafana/Chart.yaml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
annotations:
|
||||||
|
artifacthub.io/license: Apache-2.0
|
||||||
|
artifacthub.io/links: |
|
||||||
|
- name: Chart Source
|
||||||
|
url: https://github.com/grafana/helm-charts
|
||||||
|
- name: Upstream Project
|
||||||
|
url: https://github.com/grafana/grafana
|
||||||
|
apiVersion: v2
|
||||||
|
appVersion: 11.3.1
|
||||||
|
description: The leading tool for querying and visualizing time series and metrics.
|
||||||
|
home: https://grafana.com
|
||||||
|
icon: https://artifacthub.io/image/b4fed1a7-6c8f-4945-b99d-096efa3e4116
|
||||||
|
keywords:
|
||||||
|
- monitoring
|
||||||
|
- metric
|
||||||
|
kubeVersion: ^1.8.0-0
|
||||||
|
maintainers:
|
||||||
|
- email: zanhsieh@gmail.com
|
||||||
|
name: zanhsieh
|
||||||
|
- email: rluckie@cisco.com
|
||||||
|
name: rtluckie
|
||||||
|
- email: maor.friedman@redhat.com
|
||||||
|
name: maorfr
|
||||||
|
- email: miroslav.hadzhiev@gmail.com
|
||||||
|
name: Xtigyro
|
||||||
|
- email: mail@torstenwalter.de
|
||||||
|
name: torstenwalter
|
||||||
|
- email: github@jkroepke.de
|
||||||
|
name: jkroepke
|
||||||
|
name: grafana
|
||||||
|
sources:
|
||||||
|
- https://github.com/grafana/grafana
|
||||||
|
- https://github.com/grafana/helm-charts
|
||||||
|
type: application
|
||||||
|
version: 8.6.4
|
783
opencloud/charts/grafana/README.md
Normal file
@ -0,0 +1,783 @@
|
|||||||
|
# Grafana Helm Chart
|
||||||
|
|
||||||
|
* Installs the web dashboarding system [Grafana](http://grafana.org/)
|
||||||
|
|
||||||
|
## Get Repo Info
|
||||||
|
|
||||||
|
```console
|
||||||
|
helm repo add grafana https://grafana.github.io/helm-charts
|
||||||
|
helm repo update
|
||||||
|
```
|
||||||
|
|
||||||
|
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
|
||||||
|
|
||||||
|
## Installing the Chart
|
||||||
|
|
||||||
|
To install the chart with the release name `my-release`:
|
||||||
|
|
||||||
|
```console
|
||||||
|
helm install my-release grafana/grafana
|
||||||
|
```
|
||||||
|
|
||||||
|
## Uninstalling the Chart
|
||||||
|
|
||||||
|
To uninstall/delete the my-release deployment:
|
||||||
|
|
||||||
|
```console
|
||||||
|
helm delete my-release
|
||||||
|
```
|
||||||
|
|
||||||
|
The command removes all the Kubernetes components associated with the chart and deletes the release.
|
||||||
|
|
||||||
|
## Upgrading an existing Release to a new major version
|
||||||
|
|
||||||
|
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
|
||||||
|
incompatible breaking change needing manual actions.
|
||||||
|
|
||||||
|
### To 4.0.0 (And 3.12.1)
|
||||||
|
|
||||||
|
This version requires Helm >= 2.12.0.
|
||||||
|
|
||||||
|
### To 5.0.0
|
||||||
|
|
||||||
|
You have to add --force to your helm upgrade command as the labels of the chart have changed.
|
||||||
|
|
||||||
|
### To 6.0.0
|
||||||
|
|
||||||
|
This version requires Helm >= 3.1.0.
|
||||||
|
|
||||||
|
### To 7.0.0
|
||||||
|
|
||||||
|
For consistency with other Helm charts, the `global.image.registry` parameter was renamed
|
||||||
|
to `global.imageRegistry`. If you were not previously setting `global.image.registry`, no action
|
||||||
|
is required on upgrade. If you were previously setting `global.image.registry`, you will
|
||||||
|
need to instead set `global.imageRegistry`.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
| Parameter | Description | Default |
|
||||||
|
|-------------------------------------------|-----------------------------------------------|---------------------------------------------------------|
|
||||||
|
| `replicas` | Number of nodes | `1` |
|
||||||
|
| `podDisruptionBudget.minAvailable` | Pod disruption minimum available | `nil` |
|
||||||
|
| `podDisruptionBudget.maxUnavailable` | Pod disruption maximum unavailable | `nil` |
|
||||||
|
| `podDisruptionBudget.apiVersion` | Pod disruption apiVersion | `nil` |
|
||||||
|
| `deploymentStrategy` | Deployment strategy | `{ "type": "RollingUpdate" }` |
|
||||||
|
| `livenessProbe` | Liveness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } "initialDelaySeconds": 60, "timeoutSeconds": 30, "failureThreshold": 10 }` |
|
||||||
|
| `readinessProbe` | Readiness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } }`|
|
||||||
|
| `securityContext` | Deployment securityContext | `{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}` |
|
||||||
|
| `priorityClassName` | Name of Priority Class to assign pods | `nil` |
|
||||||
|
| `image.registry` | Image registry | `docker.io` |
|
||||||
|
| `image.repository` | Image repository | `grafana/grafana` |
|
||||||
|
| `image.tag` | Overrides the Grafana image tag whose default is the chart appVersion (`Must be >= 5.0.0`) | `` |
|
||||||
|
| `image.sha` | Image sha (optional) | `` |
|
||||||
|
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||||
|
| `image.pullSecrets` | Image pull secrets (can be templated) | `[]` |
|
||||||
|
| `service.enabled` | Enable grafana service | `true` |
|
||||||
|
| `service.ipFamilies` | Kubernetes service IP families | `[]` |
|
||||||
|
| `service.ipFamilyPolicy` | Kubernetes service IP family policy | `""` |
|
||||||
|
| `service.type` | Kubernetes service type | `ClusterIP` |
|
||||||
|
| `service.port` | Kubernetes port where service is exposed | `80` |
|
||||||
|
| `service.portName` | Name of the port on the service | `service` |
|
||||||
|
| `service.appProtocol` | Adds the appProtocol field to the service | `` |
|
||||||
|
| `service.targetPort` | Internal service is port | `3000` |
|
||||||
|
| `service.nodePort` | Kubernetes service nodePort | `nil` |
|
||||||
|
| `service.annotations` | Service annotations (can be templated) | `{}` |
|
||||||
|
| `service.labels` | Custom labels | `{}` |
|
||||||
|
| `service.clusterIP` | internal cluster service IP | `nil` |
|
||||||
|
| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `nil` |
|
||||||
|
| `service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to lb (if supported) | `[]` |
|
||||||
|
| `service.externalIPs` | service external IP addresses | `[]` |
|
||||||
|
| `service.externalTrafficPolicy` | change the default externalTrafficPolicy | `nil` |
|
||||||
|
| `headlessService` | Create a headless service | `false` |
|
||||||
|
| `extraExposePorts` | Additional service ports for sidecar containers| `[]` |
|
||||||
|
| `hostAliases` | adds rules to the pod's /etc/hosts | `[]` |
|
||||||
|
| `ingress.enabled` | Enables Ingress | `false` |
|
||||||
|
| `ingress.annotations` | Ingress annotations (values are templated) | `{}` |
|
||||||
|
| `ingress.labels` | Custom labels | `{}` |
|
||||||
|
| `ingress.path` | Ingress accepted path | `/` |
|
||||||
|
| `ingress.pathType` | Ingress type of path | `Prefix` |
|
||||||
|
| `ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` |
|
||||||
|
| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/ingress/annotations/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]` |
|
||||||
|
| `ingress.tls` | Ingress TLS configuration | `[]` |
|
||||||
|
| `ingress.ingressClassName` | Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 | `""` |
|
||||||
|
| `resources` | CPU/Memory resource requests/limits | `{}` |
|
||||||
|
| `nodeSelector` | Node labels for pod assignment | `{}` |
|
||||||
|
| `tolerations` | Toleration labels for pod assignment | `[]` |
|
||||||
|
| `affinity` | Affinity settings for pod assignment | `{}` |
|
||||||
|
| `extraInitContainers` | Init containers to add to the grafana pod | `{}` |
|
||||||
|
| `extraContainers` | Sidecar containers to add to the grafana pod | `""` |
|
||||||
|
| `extraContainerVolumes` | Volumes that can be mounted in sidecar containers | `[]` |
|
||||||
|
| `extraLabels` | Custom labels for all manifests | `{}` |
|
||||||
|
| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` |
|
||||||
|
| `persistence.enabled` | Use persistent volume to store data | `false` |
|
||||||
|
| `persistence.type` | Type of persistence (`pvc` or `statefulset`) | `pvc` |
|
||||||
|
| `persistence.size` | Size of persistent volume claim | `10Gi` |
|
||||||
|
| `persistence.existingClaim` | Use an existing PVC to persist data (can be templated) | `nil` |
|
||||||
|
| `persistence.storageClassName` | Type of persistent volume claim | `nil` |
|
||||||
|
| `persistence.accessModes` | Persistence access modes | `[ReadWriteOnce]` |
|
||||||
|
| `persistence.annotations` | PersistentVolumeClaim annotations | `{}` |
|
||||||
|
| `persistence.finalizers` | PersistentVolumeClaim finalizers | `[ "kubernetes.io/pvc-protection" ]` |
|
||||||
|
| `persistence.extraPvcLabels` | Extra labels to apply to a PVC. | `{}` |
|
||||||
|
| `persistence.subPath` | Mount a sub dir of the persistent volume (can be templated) | `nil` |
|
||||||
|
| `persistence.inMemory.enabled` | If persistence is not enabled, whether to mount the local storage in-memory to improve performance | `false` |
|
||||||
|
| `persistence.inMemory.sizeLimit` | SizeLimit for the in-memory local storage | `nil` |
|
||||||
|
| `persistence.disableWarning` | Hide NOTES warning, useful when persisting to a database | `false` |
|
||||||
|
| `initChownData.enabled` | If false, don't reset data ownership at startup | true |
|
||||||
|
| `initChownData.image.registry` | init-chown-data container image registry | `docker.io` |
|
||||||
|
| `initChownData.image.repository` | init-chown-data container image repository | `busybox` |
|
||||||
|
| `initChownData.image.tag` | init-chown-data container image tag | `1.31.1` |
|
||||||
|
| `initChownData.image.sha` | init-chown-data container image sha (optional)| `""` |
|
||||||
|
| `initChownData.image.pullPolicy` | init-chown-data container image pull policy | `IfNotPresent` |
|
||||||
|
| `initChownData.resources` | init-chown-data pod resource requests & limits | `{}` |
|
||||||
|
| `schedulerName` | Alternate scheduler name | `nil` |
|
||||||
|
| `env` | Extra environment variables passed to pods | `{}` |
|
||||||
|
| `envValueFrom` | Environment variables from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` |
|
||||||
|
| `envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` |
|
||||||
|
| `envFromSecrets` | List of Kubernetes secrets (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `[]` |
|
||||||
|
| `envFromConfigMaps` | List of Kubernetes ConfigMaps (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `[]` |
|
||||||
|
| `envRenderSecret` | Sensible environment variables passed to pods and stored as secret. (passed through [tpl](https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function)) | `{}` |
|
||||||
|
| `enableServiceLinks` | Inject Kubernetes services as environment variables. | `true` |
|
||||||
|
| `extraSecretMounts` | Additional grafana server secret mounts | `[]` |
|
||||||
|
| `extraVolumeMounts` | Additional grafana server volume mounts | `[]` |
|
||||||
|
| `extraVolumes` | Additional Grafana server volumes | `[]` |
|
||||||
|
| `automountServiceAccountToken` | Mounted the service account token on the grafana pod. Mandatory, if sidecars are enabled | `true` |
|
||||||
|
| `createConfigmap` | Enable creating the grafana configmap | `true` |
|
||||||
|
| `extraConfigmapMounts` | Additional grafana server configMap volume mounts (values are templated) | `[]` |
|
||||||
|
| `extraEmptyDirMounts` | Additional grafana server emptyDir volume mounts | `[]` |
|
||||||
|
| `plugins` | Plugins to be loaded along with Grafana | `[]` |
|
||||||
|
| `datasources` | Configure grafana datasources (passed through tpl) | `{}` |
|
||||||
|
| `alerting` | Configure grafana alerting (passed through tpl) | `{}` |
|
||||||
|
| `notifiers` | Configure grafana notifiers | `{}` |
|
||||||
|
| `dashboardProviders` | Configure grafana dashboard providers | `{}` |
|
||||||
|
| `dashboards` | Dashboards to import | `{}` |
|
||||||
|
| `dashboardsConfigMaps` | ConfigMaps reference that contains dashboards | `{}` |
|
||||||
|
| `grafana.ini` | Grafana's primary configuration | `{}` |
|
||||||
|
| `global.imageRegistry` | Global image pull registry for all images. | `null` |
|
||||||
|
| `global.imagePullSecrets` | Global image pull secrets (can be templated). Allows either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). | `[]` |
|
||||||
|
| `ldap.enabled` | Enable LDAP authentication | `false` |
|
||||||
|
| `ldap.existingSecret` | The name of an existing secret containing the `ldap.toml` file, this must have the key `ldap-toml`. | `""` |
|
||||||
|
| `ldap.config` | Grafana's LDAP configuration | `""` |
|
||||||
|
| `annotations` | Deployment annotations | `{}` |
|
||||||
|
| `labels` | Deployment labels | `{}` |
|
||||||
|
| `podAnnotations` | Pod annotations | `{}` |
|
||||||
|
| `podLabels` | Pod labels | `{}` |
|
||||||
|
| `podPortName` | Name of the grafana port on the pod | `grafana` |
|
||||||
|
| `lifecycleHooks` | Lifecycle hooks for podStart and preStop [Example](https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/#define-poststart-and-prestop-handlers) | `{}` |
|
||||||
|
| `sidecar.image.registry` | Sidecar image registry | `quay.io` |
|
||||||
|
| `sidecar.image.repository` | Sidecar image repository | `kiwigrid/k8s-sidecar` |
|
||||||
|
| `sidecar.image.tag` | Sidecar image tag | `1.28.0` |
|
||||||
|
| `sidecar.image.sha` | Sidecar image sha (optional) | `""` |
|
||||||
|
| `sidecar.imagePullPolicy` | Sidecar image pull policy | `IfNotPresent` |
|
||||||
|
| `sidecar.resources` | Sidecar resources | `{}` |
|
||||||
|
| `sidecar.securityContext` | Sidecar securityContext | `{}` |
|
||||||
|
| `sidecar.enableUniqueFilenames` | Sets the kiwigrid/k8s-sidecar UNIQUE_FILENAMES environment variable. If set to `true` the sidecar will create unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | `false` |
|
||||||
|
| `sidecar.alerts.enabled` | Enables the cluster wide search for alerts and adds/updates/deletes them in grafana |`false` |
|
||||||
|
| `sidecar.alerts.label` | Label that config maps with alerts should have to be added | `grafana_alert` |
|
||||||
|
| `sidecar.alerts.labelValue` | Label value that config maps with alerts should have to be added | `""` |
|
||||||
|
| `sidecar.alerts.searchNamespace` | Namespaces list. If specified, the sidecar will search for alerts config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` |
|
||||||
|
| `sidecar.alerts.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` |
|
||||||
|
| `sidecar.alerts.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` |
|
||||||
|
| `sidecar.alerts.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/alerting/reload"` |
|
||||||
|
| `sidecar.alerts.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` |
|
||||||
|
| `sidecar.alerts.initAlerts` | Set to true to deploy the alerts sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time. | `false` |
|
||||||
|
| `sidecar.alerts.extraMounts` | Additional alerts sidecar volume mounts. | `[]` |
|
||||||
|
| `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` |
|
||||||
|
| `sidecar.dashboards.SCProvider` | Enables creation of sidecar provider | `true` |
|
||||||
|
| `sidecar.dashboards.provider.name` | Unique name of the grafana provider | `sidecarProvider` |
|
||||||
|
| `sidecar.dashboards.provider.orgid` | Id of the organisation, to which the dashboards should be added | `1` |
|
||||||
|
| `sidecar.dashboards.provider.folder` | Logical folder in which grafana groups dashboards | `""` |
|
||||||
|
| `sidecar.dashboards.provider.folderUid` | Allows you to specify the static UID for the logical folder above | `""` |
|
||||||
|
| `sidecar.dashboards.provider.disableDelete` | Activate to avoid the deletion of imported dashboards | `false` |
|
||||||
|
| `sidecar.dashboards.provider.allowUiUpdates` | Allow updating provisioned dashboards from the UI | `false` |
|
||||||
|
| `sidecar.dashboards.provider.type` | Provider type | `file` |
|
||||||
|
| `sidecar.dashboards.provider.foldersFromFilesStructure` | Allow Grafana to replicate dashboard structure from filesystem. | `false` |
|
||||||
|
| `sidecar.dashboards.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` |
|
||||||
|
| `sidecar.skipTlsVerify` | Set to true to skip tls verification for kube api calls | `nil` |
|
||||||
|
| `sidecar.dashboards.label` | Label that config maps with dashboards should have to be added | `grafana_dashboard` |
|
||||||
|
| `sidecar.dashboards.labelValue` | Label value that config maps with dashboards should have to be added | `""` |
|
||||||
|
| `sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. | `/tmp/dashboards` |
|
||||||
|
| `sidecar.dashboards.folderAnnotation` | The annotation the sidecar will look for in configmaps to override the destination folder for files | `nil` |
|
||||||
|
| `sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` |
|
||||||
|
| `sidecar.dashboards.searchNamespace` | Namespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` |
|
||||||
|
| `sidecar.dashboards.script` | Absolute path to shell script to execute after a configmap got reloaded. | `nil` |
|
||||||
|
| `sidecar.dashboards.reloadURL` | Full url of dashboards configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/dashboards/reload"` |
|
||||||
|
| `sidecar.dashboards.skipReload` | Enabling this omits defining the REQ_USERNAME, REQ_PASSWORD, REQ_URL and REQ_METHOD environment variables | `false` |
|
||||||
|
| `sidecar.dashboards.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` |
|
||||||
|
| `sidecar.dashboards.extraMounts` | Additional dashboard sidecar volume mounts. | `[]` |
|
||||||
|
| `sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` |
|
||||||
|
| `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `grafana_datasource` |
|
||||||
|
| `sidecar.datasources.labelValue` | Label value that config maps with datasources should have to be added | `""` |
|
||||||
|
| `sidecar.datasources.searchNamespace` | Namespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` |
|
||||||
|
| `sidecar.datasources.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` |
|
||||||
|
| `sidecar.datasources.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` |
|
||||||
|
| `sidecar.datasources.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/datasources/reload"` |
|
||||||
|
| `sidecar.datasources.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` |
|
||||||
|
| `sidecar.datasources.initDatasources` | Set to true to deploy the datasource sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any datasources defined at startup time. | `false` |
|
||||||
|
| `sidecar.notifiers.enabled` | Enables the cluster wide search for notifiers and adds/updates/deletes them in grafana | `false` |
|
||||||
|
| `sidecar.notifiers.label` | Label that config maps with notifiers should have to be added | `grafana_notifier` |
|
||||||
|
| `sidecar.notifiers.labelValue` | Label value that config maps with notifiers should have to be added | `""` |
|
||||||
|
| `sidecar.notifiers.searchNamespace` | Namespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` |
|
||||||
|
| `sidecar.notifiers.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` |
|
||||||
|
| `sidecar.notifiers.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` |
|
||||||
|
| `sidecar.notifiers.reloadURL` | Full url of notifier configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/notifications/reload"` |
|
||||||
|
| `sidecar.notifiers.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` |
|
||||||
|
| `sidecar.notifiers.initNotifiers` | Set to true to deploy the notifier sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any notifiers defined at startup time. | `false` |
|
||||||
|
| `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. | `""` |
|
||||||
|
| `smtp.userKey` | The key in the existing SMTP secret containing the username. | `"user"` |
|
||||||
|
| `smtp.passwordKey` | The key in the existing SMTP secret containing the password. | `"password"` |
|
||||||
|
| `admin.existingSecret` | The name of an existing secret containing the admin credentials (can be templated). | `""` |
|
||||||
|
| `admin.userKey` | The key in the existing admin secret containing the username. | `"admin-user"` |
|
||||||
|
| `admin.passwordKey` | The key in the existing admin secret containing the password. | `"admin-password"` |
|
||||||
|
| `serviceAccount.automountServiceAccountToken` | Automount the service account token on all pods where is service account is used | `false` |
|
||||||
|
| `serviceAccount.annotations` | ServiceAccount annotations | |
|
||||||
|
| `serviceAccount.create` | Create service account | `true` |
|
||||||
|
| `serviceAccount.labels` | ServiceAccount labels | `{}` |
|
||||||
|
| `serviceAccount.name` | Service account name to use, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `` |
|
||||||
|
| `serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `nil` |
|
||||||
|
| `rbac.create` | Create and use RBAC resources | `true` |
|
||||||
|
| `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` |
|
||||||
|
| `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` |
|
||||||
|
| `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `false` |
|
||||||
|
| `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `false` |
|
||||||
|
| `rbac.extraRoleRules` | Additional rules to add to the Role | [] |
|
||||||
|
| `rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] |
|
||||||
|
| `command` | Define command to be executed by grafana container at startup | `nil` |
|
||||||
|
| `args` | Define additional args if command is used | `nil` |
|
||||||
|
| `testFramework.enabled` | Whether to create test-related resources | `true` |
|
||||||
|
| `testFramework.image.registry` | `test-framework` image registry. | `docker.io` |
|
||||||
|
| `testFramework.image.repository` | `test-framework` image repository. | `bats/bats` |
|
||||||
|
| `testFramework.image.tag` | `test-framework` image tag. | `v1.4.1` |
|
||||||
|
| `testFramework.imagePullPolicy` | `test-framework` image pull policy. | `IfNotPresent` |
|
||||||
|
| `testFramework.securityContext` | `test-framework` securityContext | `{}` |
|
||||||
|
| `downloadDashboards.env` | Environment variables to be passed to the `download-dashboards` container | `{}` |
|
||||||
|
| `downloadDashboards.envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` |
|
||||||
|
| `downloadDashboards.resources` | Resources of `download-dashboards` container | `{}` |
|
||||||
|
| `downloadDashboardsImage.registry` | Curl docker image registry | `docker.io` |
|
||||||
|
| `downloadDashboardsImage.repository` | Curl docker image repository | `curlimages/curl` |
|
||||||
|
| `downloadDashboardsImage.tag` | Curl docker image tag | `7.73.0` |
|
||||||
|
| `downloadDashboardsImage.sha` | Curl docker image sha (optional) | `""` |
|
||||||
|
| `downloadDashboardsImage.pullPolicy` | Curl docker image pull policy | `IfNotPresent` |
|
||||||
|
| `namespaceOverride` | Override the deployment namespace | `""` (`Release.Namespace`) |
|
||||||
|
| `serviceMonitor.enabled` | Use servicemonitor from prometheus operator | `false` |
|
||||||
|
| `serviceMonitor.namespace` | Namespace this servicemonitor is installed in | |
|
||||||
|
| `serviceMonitor.interval` | How frequently Prometheus should scrape | `1m` |
|
||||||
|
| `serviceMonitor.path` | Path to scrape | `/metrics` |
|
||||||
|
| `serviceMonitor.scheme` | Scheme to use for metrics scraping | `http` |
|
||||||
|
| `serviceMonitor.tlsConfig` | TLS configuration block for the endpoint | `{}` |
|
||||||
|
| `serviceMonitor.labels` | Labels for the servicemonitor passed to Prometheus Operator | `{}` |
|
||||||
|
| `serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `30s` |
|
||||||
|
| `serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
|
||||||
|
| `serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion. | `[]` |
|
||||||
|
| `revisionHistoryLimit` | Number of old ReplicaSets to retain | `10` |
|
||||||
|
| `imageRenderer.enabled` | Enable the image-renderer deployment & service | `false` |
|
||||||
|
| `imageRenderer.image.registry` | image-renderer Image registry | `docker.io` |
|
||||||
|
| `imageRenderer.image.repository` | image-renderer Image repository | `grafana/grafana-image-renderer` |
|
||||||
|
| `imageRenderer.image.tag` | image-renderer Image tag | `latest` |
|
||||||
|
| `imageRenderer.image.sha` | image-renderer Image sha (optional) | `""` |
|
||||||
|
| `imageRenderer.image.pullPolicy` | image-renderer ImagePullPolicy | `Always` |
|
||||||
|
| `imageRenderer.env` | extra env-vars for image-renderer | `{}` |
|
||||||
|
| `imageRenderer.envValueFrom` | Environment variables for image-renderer from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` |
|
||||||
|
| `imageRenderer.extraConfigmapMounts` | Additional image-renderer configMap volume mounts (values are templated) | `[]` |
|
||||||
|
| `imageRenderer.extraSecretMounts` | Additional image-renderer secret volume mounts | `[]` |
|
||||||
|
| `imageRenderer.extraVolumeMounts` | Additional image-renderer volume mounts | `[]` |
|
||||||
|
| `imageRenderer.extraVolumes` | Additional image-renderer volumes | `[]` |
|
||||||
|
| `imageRenderer.serviceAccountName` | image-renderer deployment serviceAccountName | `""` |
|
||||||
|
| `imageRenderer.securityContext` | image-renderer deployment securityContext | `{}` |
|
||||||
|
| `imageRenderer.podAnnotations` | image-renderer image-renderer pod annotation | `{}` |
|
||||||
|
| `imageRenderer.hostAliases` | image-renderer deployment Host Aliases | `[]` |
|
||||||
|
| `imageRenderer.priorityClassName` | image-renderer deployment priority class | `''` |
|
||||||
|
| `imageRenderer.service.enabled` | Enable the image-renderer service | `true` |
|
||||||
|
| `imageRenderer.service.portName` | image-renderer service port name | `http` |
|
||||||
|
| `imageRenderer.service.port` | image-renderer port used by deployment | `8081` |
|
||||||
|
| `imageRenderer.service.targetPort` | image-renderer service port used by service | `8081` |
|
||||||
|
| `imageRenderer.appProtocol` | Adds the appProtocol field to the service | `` |
|
||||||
|
| `imageRenderer.grafanaSubPath` | Grafana sub path to use for image renderer callback url | `''` |
|
||||||
|
| `imageRenderer.serverURL` | Remote image renderer url | `''` |
|
||||||
|
| `imageRenderer.renderingCallbackURL` | Callback url for the Grafana image renderer | `''` |
|
||||||
|
| `imageRenderer.podPortName` | name of the image-renderer port on the pod | `http` |
|
||||||
|
| `imageRenderer.revisionHistoryLimit` | number of image-renderer replica sets to keep | `10` |
|
||||||
|
| `imageRenderer.networkPolicy.limitIngress` | Enable a NetworkPolicy to limit inbound traffic from only the created grafana pods | `true` |
|
||||||
|
| `imageRenderer.networkPolicy.limitEgress` | Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods | `false` |
|
||||||
|
| `imageRenderer.resources` | Set resource limits for image-renderer pods | `{}` |
|
||||||
|
| `imageRenderer.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||||
|
| `imageRenderer.tolerations` | Toleration labels for pod assignment | `[]` |
|
||||||
|
| `imageRenderer.affinity` | Affinity settings for pod assignment | `{}` |
|
||||||
|
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` |
|
||||||
|
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
|
||||||
|
| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` |
|
||||||
|
| `networkPolicy.ingress` | Enable the creation of an ingress network policy | `true` |
|
||||||
|
| `networkPolicy.egress.enabled` | Enable the creation of an egress network policy | `false` |
|
||||||
|
| `networkPolicy.egress.ports` | An array of ports to allow for the egress | `[]` |
|
||||||
|
| `enableKubeBackwardCompatibility` | Enable backward compatibility of kubernetes where pod's defintion version below 1.13 doesn't have the enableServiceLinks option | `false` |
|
||||||
|
|
||||||
|
### Example ingress with path
|
||||||
|
|
||||||
|
With grafana 6.3 and above
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
grafana.ini:
|
||||||
|
server:
|
||||||
|
domain: monitoring.example.com
|
||||||
|
root_url: "%(protocol)s://%(domain)s/grafana"
|
||||||
|
serve_from_sub_path: true
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
hosts:
|
||||||
|
- "monitoring.example.com"
|
||||||
|
path: "/grafana"
|
||||||
|
```
|
||||||
|
|
||||||
|
### Example of extraVolumeMounts and extraVolumes
|
||||||
|
|
||||||
|
Configure additional volumes with `extraVolumes` and volume mounts with `extraVolumeMounts`.
|
||||||
|
|
||||||
|
Example for `extraVolumeMounts` and corresponding `extraVolumes`:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
extraVolumeMounts:
|
||||||
|
- name: plugins
|
||||||
|
mountPath: /var/lib/grafana/plugins
|
||||||
|
subPath: configs/grafana/plugins
|
||||||
|
readOnly: false
|
||||||
|
- name: dashboards
|
||||||
|
mountPath: /var/lib/grafana/dashboards
|
||||||
|
hostPath: /usr/shared/grafana/dashboards
|
||||||
|
readOnly: false
|
||||||
|
|
||||||
|
extraVolumes:
|
||||||
|
- name: plugins
|
||||||
|
existingClaim: existing-grafana-claim
|
||||||
|
- name: dashboards
|
||||||
|
hostPath: /usr/shared/grafana/dashboards
|
||||||
|
```
|
||||||
|
|
||||||
|
Volumes default to `emptyDir`. Set to `persistentVolumeClaim`,
|
||||||
|
`hostPath`, `csi`, or `configMap` for other types. For a
|
||||||
|
`persistentVolumeClaim`, specify an existing claim name with
|
||||||
|
`existingClaim`.
|
||||||
|
|
||||||
|
## Import dashboards
|
||||||
|
|
||||||
|
There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
dashboards:
|
||||||
|
default:
|
||||||
|
some-dashboard:
|
||||||
|
json: |
|
||||||
|
{
|
||||||
|
"annotations":
|
||||||
|
|
||||||
|
...
|
||||||
|
# Complete json file here
|
||||||
|
...
|
||||||
|
|
||||||
|
"title": "Some Dashboard",
|
||||||
|
"uid": "abcd1234",
|
||||||
|
"version": 1
|
||||||
|
}
|
||||||
|
custom-dashboard:
|
||||||
|
# This is a path to a file inside the dashboards directory inside the chart directory
|
||||||
|
file: dashboards/custom-dashboard.json
|
||||||
|
prometheus-stats:
|
||||||
|
# Ref: https://grafana.com/dashboards/2
|
||||||
|
gnetId: 2
|
||||||
|
revision: 2
|
||||||
|
datasource: Prometheus
|
||||||
|
loki-dashboard-quick-search:
|
||||||
|
gnetId: 12019
|
||||||
|
revision: 2
|
||||||
|
datasource:
|
||||||
|
- name: DS_PROMETHEUS
|
||||||
|
value: Prometheus
|
||||||
|
- name: DS_LOKI
|
||||||
|
value: Loki
|
||||||
|
local-dashboard:
|
||||||
|
url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json
|
||||||
|
```
|
||||||
|
|
||||||
|
## BASE64 dashboards
|
||||||
|
|
||||||
|
Dashboards could be stored on a server that does not return JSON directly and instead of it returns a Base64 encoded file (e.g. Gerrit)
|
||||||
|
A new parameter has been added to the url use case so if you specify a b64content value equals to true after the url entry a Base64 decoding is applied before save the file to disk.
|
||||||
|
If this entry is not set or is equals to false not decoding is applied to the file before saving it to disk.
|
||||||
|
|
||||||
|
### Gerrit use case
|
||||||
|
|
||||||
|
Gerrit API for download files has the following schema: <https://yourgerritserver/a/{project-name}/branches/{branch-id}/files/{file-id}/content> where {project-name} and
|
||||||
|
{file-id} usually has '/' in their values and so they MUST be replaced by %2F so if project-name is user/repo, branch-id is master and file-id is equals to dir1/dir2/dashboard
|
||||||
|
the url value is <https://yourgerritserver/a/user%2Frepo/branches/master/files/dir1%2Fdir2%2Fdashboard/content>
|
||||||
|
|
||||||
|
## Sidecar for dashboards
|
||||||
|
|
||||||
|
If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana
|
||||||
|
pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with
|
||||||
|
a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written
|
||||||
|
to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported
|
||||||
|
dashboards are deleted/updated.
|
||||||
|
|
||||||
|
A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside
|
||||||
|
one configmap is currently not properly mirrored in grafana.
|
||||||
|
|
||||||
|
Example dashboard config:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: sample-grafana-dashboard
|
||||||
|
labels:
|
||||||
|
grafana_dashboard: "1"
|
||||||
|
data:
|
||||||
|
k8s-dashboard.json: |-
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
## Sidecar for datasources
|
||||||
|
|
||||||
|
If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana
|
||||||
|
pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and
|
||||||
|
filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in
|
||||||
|
those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
|
||||||
|
the data sources in grafana can be imported.
|
||||||
|
|
||||||
|
Should you aim for reloading datasources in Grafana each time the config is changed, set `sidecar.datasources.skipReload: false` and adjust `sidecar.datasources.reloadURL` to `http://<svc-name>.<namespace>.svc.cluster.local/api/admin/provisioning/datasources/reload`.
|
||||||
|
|
||||||
|
Secrets are recommended over configmaps for this usecase because datasources usually contain private
|
||||||
|
data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those.
|
||||||
|
|
||||||
|
Example values to add a postgres datasource as a kubernetes secret:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: grafana-datasources
|
||||||
|
labels:
|
||||||
|
grafana_datasource: 'true' # default value for: sidecar.datasources.label
|
||||||
|
stringData:
|
||||||
|
pg-db.yaml: |-
|
||||||
|
apiVersion: 1
|
||||||
|
datasources:
|
||||||
|
- name: My pg db datasource
|
||||||
|
type: postgres
|
||||||
|
url: my-postgresql-db:5432
|
||||||
|
user: db-readonly-user
|
||||||
|
secureJsonData:
|
||||||
|
password: 'SUperSEcretPa$$word'
|
||||||
|
jsonData:
|
||||||
|
database: my_datase
|
||||||
|
sslmode: 'disable' # disable/require/verify-ca/verify-full
|
||||||
|
maxOpenConns: 0 # Grafana v5.4+
|
||||||
|
maxIdleConns: 2 # Grafana v5.4+
|
||||||
|
connMaxLifetime: 14400 # Grafana v5.4+
|
||||||
|
postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
|
||||||
|
timescaledb: false
|
||||||
|
# <bool> allow users to edit datasources from the UI.
|
||||||
|
editable: false
|
||||||
|
```
|
||||||
|
|
||||||
|
Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file):
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
datasources:
|
||||||
|
datasources.yaml:
|
||||||
|
apiVersion: 1
|
||||||
|
datasources:
|
||||||
|
# <string, required> name of the datasource. Required
|
||||||
|
- name: Graphite
|
||||||
|
# <string, required> datasource type. Required
|
||||||
|
type: graphite
|
||||||
|
# <string, required> access mode. proxy or direct (Server or Browser in the UI). Required
|
||||||
|
access: proxy
|
||||||
|
# <int> org id. will default to orgId 1 if not specified
|
||||||
|
orgId: 1
|
||||||
|
# <string> url
|
||||||
|
url: http://localhost:8080
|
||||||
|
# <string> database password, if used
|
||||||
|
password:
|
||||||
|
# <string> database user, if used
|
||||||
|
user:
|
||||||
|
# <string> database name, if used
|
||||||
|
database:
|
||||||
|
# <bool> enable/disable basic auth
|
||||||
|
basicAuth:
|
||||||
|
# <string> basic auth username
|
||||||
|
basicAuthUser:
|
||||||
|
# <string> basic auth password
|
||||||
|
basicAuthPassword:
|
||||||
|
# <bool> enable/disable with credentials headers
|
||||||
|
withCredentials:
|
||||||
|
# <bool> mark as default datasource. Max one per org
|
||||||
|
isDefault:
|
||||||
|
# <map> fields that will be converted to json and stored in json_data
|
||||||
|
jsonData:
|
||||||
|
graphiteVersion: "1.1"
|
||||||
|
tlsAuth: true
|
||||||
|
tlsAuthWithCACert: true
|
||||||
|
# <string> json object of data that will be encrypted.
|
||||||
|
secureJsonData:
|
||||||
|
tlsCACert: "..."
|
||||||
|
tlsClientCert: "..."
|
||||||
|
tlsClientKey: "..."
|
||||||
|
version: 1
|
||||||
|
# <bool> allow users to edit datasources from the UI.
|
||||||
|
editable: false
|
||||||
|
```
|
||||||
|
|
||||||
|
## Sidecar for notifiers
|
||||||
|
|
||||||
|
If the parameter `sidecar.notifiers.enabled` is set, an init container is deployed in the grafana
|
||||||
|
pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and
|
||||||
|
filters out the ones with a label as defined in `sidecar.notifiers.label`. The files defined in
|
||||||
|
those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
|
||||||
|
the notification channels in grafana can be imported. The secrets must be created before
|
||||||
|
`helm install` so that the notifiers init container can list the secrets.
|
||||||
|
|
||||||
|
Secrets are recommended over configmaps for this usecase because alert notification channels usually contain
|
||||||
|
private data like SMTP usernames and passwords. Secrets are the more appropriate cluster resource to manage those.
|
||||||
|
|
||||||
|
Example datasource config adapted from [Grafana](https://grafana.com/docs/grafana/latest/administration/provisioning/#alert-notification-channels):
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
notifiers:
|
||||||
|
- name: notification-channel-1
|
||||||
|
type: slack
|
||||||
|
uid: notifier1
|
||||||
|
# either
|
||||||
|
org_id: 2
|
||||||
|
# or
|
||||||
|
org_name: Main Org.
|
||||||
|
is_default: true
|
||||||
|
send_reminder: true
|
||||||
|
frequency: 1h
|
||||||
|
disable_resolve_message: false
|
||||||
|
# See `Supported Settings` section for settings supporter for each
|
||||||
|
# alert notification type.
|
||||||
|
settings:
|
||||||
|
recipient: 'XXX'
|
||||||
|
token: 'xoxb'
|
||||||
|
uploadImage: true
|
||||||
|
url: https://slack.com
|
||||||
|
|
||||||
|
delete_notifiers:
|
||||||
|
- name: notification-channel-1
|
||||||
|
uid: notifier1
|
||||||
|
org_id: 2
|
||||||
|
- name: notification-channel-2
|
||||||
|
# default org_id: 1
|
||||||
|
```
|
||||||
|
|
||||||
|
## Sidecar for alerting resources
|
||||||
|
|
||||||
|
If the parameter `sidecar.alerts.enabled` is set, a sidecar container is deployed in the grafana
|
||||||
|
pod. This container watches all configmaps (or secrets) in the cluster (namespace defined by `sidecar.alerts.searchNamespace`) and filters out the ones with
|
||||||
|
a label as defined in `sidecar.alerts.label` (default is `grafana_alert`). The files defined in those configmaps are written
|
||||||
|
to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported alerting resources are updated, however, deletions are a little more complicated (see below).
|
||||||
|
|
||||||
|
This sidecar can be used to provision alert rules, contact points, notification policies, notification templates and mute timings as shown in [Grafana Documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/).
|
||||||
|
|
||||||
|
To fetch the alert config which will be provisioned, use the alert provisioning API ([Grafana Documentation](https://grafana.com/docs/grafana/next/developers/http_api/alerting_provisioning/)).
|
||||||
|
You can use either JSON or YAML format.
|
||||||
|
|
||||||
|
Example config for an alert rule:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: sample-grafana-alert
|
||||||
|
labels:
|
||||||
|
grafana_alert: "1"
|
||||||
|
data:
|
||||||
|
k8s-alert.yml: |-
|
||||||
|
apiVersion: 1
|
||||||
|
groups:
|
||||||
|
- orgId: 1
|
||||||
|
name: k8s-alert
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
To delete provisioned alert rules is a two step process, you need to delete the configmap which defined the alert rule
|
||||||
|
and then create a configuration which deletes the alert rule.
|
||||||
|
|
||||||
|
Example deletion configuration:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: delete-sample-grafana-alert
|
||||||
|
namespace: monitoring
|
||||||
|
labels:
|
||||||
|
grafana_alert: "1"
|
||||||
|
data:
|
||||||
|
delete-k8s-alert.yml: |-
|
||||||
|
apiVersion: 1
|
||||||
|
deleteRules:
|
||||||
|
- orgId: 1
|
||||||
|
uid: 16624780-6564-45dc-825c-8bded4ad92d3
|
||||||
|
```
|
||||||
|
|
||||||
|
## Statically provision alerting resources
|
||||||
|
|
||||||
|
If you don't need to change alerting resources (alert rules, contact points, notification policies and notification templates) regularly you could use the `alerting` config option instead of the sidecar option above.
|
||||||
|
This will grab the alerting config and apply it statically at build time for the helm file.
|
||||||
|
|
||||||
|
There are two methods to statically provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
alerting:
|
||||||
|
team1-alert-rules.yaml:
|
||||||
|
file: alerting/team1/rules.yaml
|
||||||
|
team2-alert-rules.yaml:
|
||||||
|
file: alerting/team2/rules.yaml
|
||||||
|
team3-alert-rules.yaml:
|
||||||
|
file: alerting/team3/rules.yaml
|
||||||
|
notification-policies.yaml:
|
||||||
|
file: alerting/shared/notification-policies.yaml
|
||||||
|
notification-templates.yaml:
|
||||||
|
file: alerting/shared/notification-templates.yaml
|
||||||
|
contactpoints.yaml:
|
||||||
|
apiVersion: 1
|
||||||
|
contactPoints:
|
||||||
|
- orgId: 1
|
||||||
|
name: Slack channel
|
||||||
|
receivers:
|
||||||
|
- uid: default-receiver
|
||||||
|
type: slack
|
||||||
|
settings:
|
||||||
|
# Webhook URL to be filled in
|
||||||
|
url: ""
|
||||||
|
# We need to escape double curly braces for the tpl function.
|
||||||
|
text: '{{ `{{ template "default.message" . }}` }}'
|
||||||
|
title: '{{ `{{ template "default.title" . }}` }}'
|
||||||
|
```
|
||||||
|
|
||||||
|
The two possibilities for static alerting resource provisioning are:
|
||||||
|
|
||||||
|
* Inlining the file contents as shown for contact points in the above example.
|
||||||
|
* Importing a file using a relative path starting from the chart root directory as shown for the alert rules in the above example.
|
||||||
|
|
||||||
|
### Important notes on file provisioning
|
||||||
|
|
||||||
|
* The format of the files is defined in the [Grafana documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/) on file provisioning.
|
||||||
|
* The chart supports importing YAML and JSON files.
|
||||||
|
* The filename must be unique, otherwise one volume mount will overwrite the other.
|
||||||
|
* In case of inlining, double curly braces that arise from the Grafana configuration format and are not intended as templates for the chart must be escaped.
|
||||||
|
* The number of total files under `alerting:` is not limited. Each file will end up as a volume mount in the corresponding provisioning folder of the deployed Grafana instance.
|
||||||
|
* The file size for each import is limited by what the function `.Files.Get` can handle, which suffices for most cases.
|
||||||
|
|
||||||
|
## How to serve Grafana with a path prefix (/grafana)
|
||||||
|
|
||||||
|
In order to serve Grafana with a prefix (e.g., <http://example.com/grafana>), add the following to your values.yaml.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/ingress.class: "nginx"
|
||||||
|
nginx.ingress.kubernetes.io/rewrite-target: /$1
|
||||||
|
nginx.ingress.kubernetes.io/use-regex: "true"
|
||||||
|
|
||||||
|
path: /grafana/?(.*)
|
||||||
|
hosts:
|
||||||
|
- k8s.example.dev
|
||||||
|
|
||||||
|
grafana.ini:
|
||||||
|
server:
|
||||||
|
root_url: http://localhost:3000/grafana # this host can be localhost
|
||||||
|
```
|
||||||
|
|
||||||
|
## How to securely reference secrets in grafana.ini
|
||||||
|
|
||||||
|
This example uses Grafana [file providers](https://grafana.com/docs/grafana/latest/administration/configuration/#file-provider) for secret values and the `extraSecretMounts` configuration flag (Additional grafana server secret mounts) to mount the secrets.
|
||||||
|
|
||||||
|
In grafana.ini:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
grafana.ini:
|
||||||
|
[auth.generic_oauth]
|
||||||
|
enabled = true
|
||||||
|
client_id = $__file{/etc/secrets/auth_generic_oauth/client_id}
|
||||||
|
client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}
|
||||||
|
```
|
||||||
|
|
||||||
|
Existing secret, or created along with helm:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: auth-generic-oauth-secret
|
||||||
|
type: Opaque
|
||||||
|
stringData:
|
||||||
|
client_id: <value>
|
||||||
|
client_secret: <value>
|
||||||
|
```
|
||||||
|
|
||||||
|
Include in the `extraSecretMounts` configuration flag:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
extraSecretMounts:
|
||||||
|
- name: auth-generic-oauth-secret-mount
|
||||||
|
secretName: auth-generic-oauth-secret
|
||||||
|
defaultMode: 0440
|
||||||
|
mountPath: /etc/secrets/auth_generic_oauth
|
||||||
|
readOnly: true
|
||||||
|
```
|
||||||
|
|
||||||
|
### extraSecretMounts using a Container Storage Interface (CSI) provider
|
||||||
|
|
||||||
|
This example uses a CSI driver e.g. retrieving secrets using [Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure)
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
extraSecretMounts:
|
||||||
|
- name: secrets-store-inline
|
||||||
|
mountPath: /run/secrets
|
||||||
|
readOnly: true
|
||||||
|
csi:
|
||||||
|
driver: secrets-store.csi.k8s.io
|
||||||
|
readOnly: true
|
||||||
|
volumeAttributes:
|
||||||
|
secretProviderClass: "my-provider"
|
||||||
|
nodePublishSecretRef:
|
||||||
|
name: akv-creds
|
||||||
|
```
|
||||||
|
|
||||||
|
## Image Renderer Plug-In
|
||||||
|
|
||||||
|
This chart supports enabling [remote image rendering](https://github.com/grafana/grafana-image-renderer/blob/master/README.md#run-in-docker)
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
imageRenderer:
|
||||||
|
enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
|
### Image Renderer NetworkPolicy
|
||||||
|
|
||||||
|
By default the image-renderer pods will have a network policy which only allows ingress traffic from the created grafana instance
|
||||||
|
|
||||||
|
### High Availability for unified alerting
|
||||||
|
|
||||||
|
If you want to run Grafana in a high availability cluster you need to enable
|
||||||
|
the headless service by setting `headlessService: true` in your `values.yaml`
|
||||||
|
file.
|
||||||
|
|
||||||
|
As next step you have to setup the `grafana.ini` in your `values.yaml` in a way
|
||||||
|
that it will make use of the headless service to obtain all the IPs of the
|
||||||
|
cluster. You should replace ``{{ Name }}`` with the name of your helm deployment.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
grafana.ini:
|
||||||
|
...
|
||||||
|
unified_alerting:
|
||||||
|
enabled: true
|
||||||
|
ha_peers: {{ Name }}-headless:9094
|
||||||
|
ha_listen_address: ${POD_IP}:9094
|
||||||
|
ha_advertise_address: ${POD_IP}:9094
|
||||||
|
|
||||||
|
alerting:
|
||||||
|
enabled: false
|
||||||
|
```
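--- /dev/null
+++ b/opencloud/charts/grafana/ci/default-values.yaml
@@ -0,0 +1 @@
+# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.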
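--- /dev/null
+++ b/opencloud/charts/grafana/ci/with-affinity-values.yaml
@@ -0,0 +1,16 @@
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - podAffinityTerm:
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/instance: grafana-test
+              app.kubernetes.io/name: grafana
+          topologyKey: failure-domain.beta.kubernetes.io/zone
+        weight: 100
+    requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/instance: grafana-test
+            app.kubernetes.io/name: grafana
+        topologyKey: kubernetes.io/hostname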
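--- /dev/null
+++ b/opencloud/charts/grafana/ci/with-dashboard-json-values.yaml
@@ -0,0 +1,53 @@
+dashboards:
+  my-provider:
+    my-awesome-dashboard:
+      # An empty but valid dashboard
+      json: |
+        {
+          "__inputs": [],
+          "__requires": [
+            {
+              "type": "grafana",
+              "id": "grafana",
+              "name": "Grafana",
+              "version": "6.3.5"
+            }
+          ],
+          "annotations": {
+            "list": [
+              {
+                "builtIn": 1,
+                "datasource": "-- Grafana --",
+                "enable": true,
+                "hide": true,
+                "iconColor": "rgba(0, 211, 255, 1)",
+                "name": "Annotations & Alerts",
+                "type": "dashboard"
+              }
+            ]
+          },
+          "editable": true,
+          "gnetId": null,
+          "graphTooltip": 0,
+          "id": null,
+          "links": [],
+          "panels": [],
+          "schemaVersion": 19,
+          "style": "dark",
+          "tags": [],
+          "templating": {
+            "list": []
+          },
+          "time": {
+            "from": "now-6h",
+            "to": "now"
+          },
+          "timepicker": {
+            "refresh_intervals": ["5s"]
+          },
+          "timezone": "",
+          "title": "Dummy Dashboard",
+          "uid": "IdcYQooWk",
+          "version": 1
+        }
+      datasource: Prometheus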
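--- /dev/null
+++ b/opencloud/charts/grafana/ci/with-dashboard-values.yaml
@@ -0,0 +1,19 @@
+dashboards:
+  my-provider:
+    my-awesome-dashboard:
+      gnetId: 10000
+      revision: 1
+      datasource: Prometheus
+dashboardProviders:
+  dashboardproviders.yaml:
+    apiVersion: 1
+    providers:
+      - name: 'my-provider'
+        orgId: 1
+        folder: ''
+        type: file
+        updateIntervalSeconds: 10
+        disableDeletion: true
+        editable: true
+        options:
+          path: /var/lib/grafana/dashboards/my-provider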
@ -0,0 +1,7 @@
extraConfigmapMounts:
- name: '{{ include "grafana.fullname" . }}'
configMap: '{{ include "grafana.fullname" . }}'
mountPath: /var/lib/grafana/dashboards/test-dashboard.json
# This is not a realistic test, but for this we only care about extraConfigmapMounts not being empty and pointing to an existing ConfigMap
subPath: grafana.ini
readOnly: true
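--- /dev/null
+++ b/opencloud/charts/grafana/ci/with-image-renderer-values.yaml
@@ -0,0 +1,107 @@
+podLabels:
+  customLableA: Aaaaa
+imageRenderer:
+  enabled: true
+  env:
+    RENDERING_ARGS: --disable-gpu,--window-size=1280x758
+    RENDERING_MODE: clustered
+  podLabels:
+    customLableB: Bbbbb
+  networkPolicy:
+    limitIngress: true
+    limitEgress: true
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1000Mi
+    requests:
+      cpu: 500m
+      memory: 50Mi
+  extraVolumes:
+    - name: empty-renderer-volume
+      emtpyDir: {}
+  extraVolumeMounts:
+    - mountPath: /tmp/renderer
+      name: empty-renderer-volume
+  extraConfigmapMounts:
+    - name: renderer-config
+      mountPath: /usr/src/app/config.json
+      subPath: renderer-config.json
+      configMap: image-renderer-config
+  extraSecretMounts:
+    - name: renderer-certificate
+      mountPath: /usr/src/app/certs/
+      secretName: image-renderer-certificate
+      readOnly: true
+
+extraObjects:
+  - apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: image-renderer-config
+    data:
+      renderer-config.json: |
+        {
+          "service": {
+            "host": null,
+            "port": 8081,
+            "protocol": "http",
+            "certFile": "",
+            "certKey": "",
+
+            "metrics": {
+              "enabled": true,
+              "collectDefaultMetrics": true,
+              "requestDurationBuckets": [1, 5, 7, 9, 11, 13, 15, 20, 30]
+            },
+
+            "logging": {
+              "level": "info",
+              "console": {
+                "json": true,
+                "colorize": false
+              }
+            },
+
+            "security": {
+              "authToken": "-"
+            }
+          },
+          "rendering": {
+            "chromeBin": null,
+            "args": ["--no-sandbox", "--disable-gpu"],
+            "ignoresHttpsErrors": false,
+
+            "timezone": null,
+            "acceptLanguage": null,
+            "width": 1000,
+            "height": 500,
+            "deviceScaleFactor": 1,
+            "maxWidth": 3080,
+            "maxHeight": 3000,
+            "maxDeviceScaleFactor": 4,
+            "pageZoomLevel": 1,
+            "headed": false,
+
+            "mode": "default",
+            "emulateNetworkConditions": false,
+            "clustering": {
+              "monitor": false,
+              "mode": "browser",
+              "maxConcurrency": 5,
+              "timeout": 30
+            },
+
+            "verboseLogging": false,
+            "dumpio": false,
+            "timingMetrics": false
+          }
+        }
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: image-renderer-certificate
+    type: Opaque
+    data:
+      # Decodes to 'PLACEHOLDER CERTIFICATE'
+      not-a-real-certificate: UExBQ0VIT0xERVIgQ0VSVElGSUNBVEU=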
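--- /dev/null
+++ b/opencloud/charts/grafana/ci/with-nondefault-values.yaml
@@ -0,0 +1,32 @@
+global:
+  environment: prod
+ingress:
+  enabled: true
+  hosts:
+    - monitoring-{{ .Values.global.environment }}.example.com
+
+route:
+  main:
+    enabled: true
+    labels:
+      app: monitoring-prometheus
+    hostnames:
+      - "*.example.com"
+      - "{{ .Values.global.environment }}.example.com"
+    filters:
+      - type: RequestHeaderModifier
+        requestHeaderModifier:
+          set:
+            - name: my-header-name
+              value: my-new-header-value
+    additionalRules:
+      - filters:
+          - type: RequestHeaderModifier
+            requestHeaderModifier:
+              set:
+                - name: my-header-name
+                  value: my-new-header-value
+        matches:
+          - path:
+              type: PathPrefix
+              value: /foo/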
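--- /dev/null
+++ b/opencloud/charts/grafana/ci/with-persistence.yaml
@@ -0,0 +1,3 @@
+persistence:
+  type: pvc
+  enabled: true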
@ -0,0 +1,38 @@
extraObjects:
- apiVersion: v1
kind: ConfigMap
metadata:
name: '{{ include "grafana.fullname" . }}-test'
data:
var1: "value1"
- apiVersion: v1
kind: Secret
metadata:
name: '{{ include "grafana.fullname" . }}-test'
type: Opaque
data:
var2: "dmFsdWUy"
sidecar:
dashboards:
enabled: true
envValueFrom:
VAR1:
configMapKeyRef:
name: '{{ include "grafana.fullname" . }}-test'
key: var1
VAR2:
secretKeyRef:
name: '{{ include "grafana.fullname" . }}-test'
key: var2
datasources:
enabled: true
envValueFrom:
VAR1:
configMapKeyRef:
name: '{{ include "grafana.fullname" . }}-test'
key: var1
VAR2:
secretKeyRef:
name: '{{ include "grafana.fullname" . }}-test'
key: var2
@ -0,0 +1 @@
{}
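--- /dev/null
+++ b/opencloud/charts/grafana/templates/NOTES.txt
@@ -0,0 +1,55 @@
+1. Get your '{{ .Values.adminUser }}' user password by running:
+
+kubectl get secret --namespace {{ include "grafana.namespace" . }} {{ .Values.admin.existingSecret | default (include "grafana.fullname" .) }} -o jsonpath="{.data.{{ .Values.admin.passwordKey | default "admin-password" }}}" | base64 --decode ; echo
+
+
+2. The Grafana server can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
+
+{{ include "grafana.fullname" . }}.{{ include "grafana.namespace" . }}.svc.cluster.local
+{{ if .Values.ingress.enabled }}
+If you bind grafana to 80, please update values in values.yaml and reinstall:
+```
+securityContext:
+runAsUser: 0
+runAsGroup: 0
+fsGroup: 0
+
+command:
+- "setcap"
+- "'cap_net_bind_service=+ep'"
+- "/usr/sbin/grafana-server &&"
+- "sh"
+- "/run.sh"
+```
+Details refer to https://grafana.com/docs/installation/configuration/#http-port.
+Or grafana would always crash.
+
+From outside the cluster, the server URL(s) are:
+{{- range .Values.ingress.hosts }}
+http://{{ . }}
+{{- end }}
+{{- else }}
+Get the Grafana URL to visit by running these commands in the same shell:
+{{- if contains "NodePort" .Values.service.type }}
+export NODE_PORT=$(kubectl get --namespace {{ include "grafana.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "grafana.fullname" . }})
+export NODE_IP=$(kubectl get nodes --namespace {{ include "grafana.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+You can watch the status of by running 'kubectl get svc --namespace {{ include "grafana.namespace" . }} -w {{ include "grafana.fullname" . }}'
+export SERVICE_IP=$(kubectl get svc --namespace {{ include "grafana.namespace" . }} {{ include "grafana.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+http://$SERVICE_IP:{{ .Values.service.port -}}
+{{- else if contains "ClusterIP" .Values.service.type }}
+export POD_NAME=$(kubectl get pods --namespace {{ include "grafana.namespace" . }} -l "app.kubernetes.io/name={{ include "grafana.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+kubectl --namespace {{ include "grafana.namespace" . }} port-forward $POD_NAME 3000
+{{- end }}
+{{- end }}
+
+3. Login with the password from step 1 and the username: {{ .Values.adminUser }}
+
+{{- if and (not .Values.persistence.enabled) (not .Values.persistence.disableWarning) }}
+#################################################################################
+###### WARNING: Persistence is disabled!!! You will lose your data when #####
+###### the Grafana pod is terminated. #####
+#################################################################################
+{{- end }}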
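--- /dev/null
+++ b/opencloud/charts/grafana/templates/_config.tpl
@@ -0,0 +1,176 @@
+{{/*
+Generate config map data
+*/}}
+{{- define "grafana.configData" -}}
+{{ include "grafana.assertNoLeakedSecrets" . }}
+{{- $files := .Files }}
+{{- $root := . -}}
+{{- with .Values.plugins }}
+plugins: {{ join "," . }}
+{{- end }}
+grafana.ini: |
+{{- range $elem, $elemVal := index .Values "grafana.ini" }}
+{{- if not (kindIs "map" $elemVal) }}
+{{- if kindIs "invalid" $elemVal }}
+{{ $elem }} =
+{{- else if kindIs "slice" $elemVal }}
+{{ $elem }} = {{ toJson $elemVal }}
+{{- else if kindIs "string" $elemVal }}
+{{ $elem }} = {{ tpl $elemVal $ }}
+{{- else }}
+{{ $elem }} = {{ $elemVal }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- range $key, $value := index .Values "grafana.ini" }}
+{{- if kindIs "map" $value }}
+[{{ $key }}]
+{{- range $elem, $elemVal := $value }}
+{{- if kindIs "invalid" $elemVal }}
+{{ $elem }} =
+{{- else if kindIs "slice" $elemVal }}
+{{ $elem }} = {{ toJson $elemVal }}
+{{- else if kindIs "string" $elemVal }}
+{{ $elem }} = {{ tpl $elemVal $ }}
+{{- else }}
+{{ $elem }} = {{ $elemVal }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.datasources }}
+{{- if not (hasKey $value "secret") }}
+{{ $key }}: |
+{{- tpl (toYaml $value | nindent 2) $root }}
+{{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.notifiers }}
+{{- if not (hasKey $value "secret") }}
+{{ $key }}: |
+{{- toYaml $value | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.alerting }}
+{{- if (hasKey $value "file") }}
+{{ $key }}:
+{{- toYaml ( $files.Get $value.file ) | nindent 2 }}
+{{- else if (or (hasKey $value "secret") (hasKey $value "secretFile"))}}
+{{/* will be stored inside secret generated by "configSecret.yaml"*/}}
+{{- else }}
+{{ $key }}: |
+{{- tpl (toYaml $value | nindent 2) $root }}
+{{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.dashboardProviders }}
+{{ $key }}: |
+{{- toYaml $value | nindent 2 }}
+{{- end }}
+
+{{- if .Values.dashboards }}
+download_dashboards.sh: |
+#!/usr/bin/env sh
+set -euf
+{{- if .Values.dashboardProviders }}
+{{- range $key, $value := .Values.dashboardProviders }}
+{{- range $value.providers }}
+mkdir -p {{ .options.path }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{ $dashboardProviders := .Values.dashboardProviders }}
+{{- range $provider, $dashboards := .Values.dashboards }}
+{{- range $key, $value := $dashboards }}
+{{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }}
+curl -skf \
+--connect-timeout 60 \
+--max-time 60 \
+{{- if not $value.b64content }}
+{{- if not $value.acceptHeader }}
+-H "Accept: application/json" \
+{{- else }}
+-H "Accept: {{ $value.acceptHeader }}" \
+{{- end }}
+{{- if $value.token }}
+-H "Authorization: token {{ $value.token }}" \
+{{- end }}
+{{- if $value.bearerToken }}
+-H "Authorization: Bearer {{ $value.bearerToken }}" \
+{{- end }}
+{{- if $value.basic }}
+-H "Authorization: Basic {{ $value.basic }}" \
+{{- end }}
+{{- if $value.gitlabToken }}
+-H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \
+{{- end }}
+-H "Content-Type: application/json;charset=UTF-8" \
+{{- end }}
+{{- $dpPath := "" -}}
+{{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }}
+{{- if eq $kd.name $provider }}
+{{- $dpPath = $kd.options.path }}
+{{- end }}
+{{- end }}
+{{- if $value.url }}
+"{{ $value.url }}" \
+{{- else }}
+"https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \
+{{- end }}
+{{- if $value.datasource }}
+{{- if kindIs "string" $value.datasource }}
+| sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \
+{{- end }}
+{{- if kindIs "slice" $value.datasource }}
+{{- range $value.datasource }}
+| sed '/-- .* --/! s/${{"{"}}{{ .name }}}/{{ .value }}/g' \
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $value.b64content }}
+| base64 -d \
+{{- end }}
+> "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json"
+{{ end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Generate dashboard json config map data
+*/}}
+{{- define "grafana.configDashboardProviderData" -}}
+provider.yaml: |-
+apiVersion: 1
+providers:
+- name: '{{ .Values.sidecar.dashboards.provider.name }}'
+orgId: {{ .Values.sidecar.dashboards.provider.orgid }}
+{{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }}
+folder: '{{ .Values.sidecar.dashboards.provider.folder }}'
+folderUid: '{{ .Values.sidecar.dashboards.provider.folderUid }}'
+{{- end }}
+type: {{ .Values.sidecar.dashboards.provider.type }}
+disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }}
+allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }}
+updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }}
+options:
+foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }}
+path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}
+{{- end -}}
+
+{{- define "grafana.secretsData" -}}
+{{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }}
+admin-user: {{ .Values.adminUser | b64enc | quote }}
+{{- if .Values.adminPassword }}
+admin-password: {{ .Values.adminPassword | b64enc | quote }}
+{{- else }}
+admin-password: {{ include "grafana.password" . }}
+{{- end }}
+{{- end }}
+{{- if not .Values.ldap.existingSecret }}
+ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }}
+{{- end }}
+{{- end -}}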
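--- /dev/null
+++ b/opencloud/charts/grafana/templates/_helpers.tpl
@@ -0,0 +1,274 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "grafana.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "grafana.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create the name of the service account
+*/}}
+{{- define "grafana.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "grafana.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "grafana.serviceAccountNameTest" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (print (include "grafana.fullname" .) "-test") .Values.serviceAccount.nameTest }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.nameTest }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "grafana.namespace" -}}
+{{- if .Values.namespaceOverride }}
+{{- .Values.namespaceOverride }}
+{{- else }}
+{{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "grafana.labels" -}}
+helm.sh/chart: {{ include "grafana.chart" . }}
+{{ include "grafana.selectorLabels" . }}
+{{- if or .Chart.AppVersion .Values.image.tag }}
+app.kubernetes.io/version: {{ mustRegexReplaceAllLiteral "@sha.*" .Values.image.tag "" | default .Chart.AppVersion | trunc 63 | trimSuffix "-" | quote }}
+{{- end }}
+{{- with .Values.extraLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "grafana.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "grafana.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "grafana.imageRenderer.labels" -}}
+helm.sh/chart: {{ include "grafana.chart" . }}
+{{ include "grafana.imageRenderer.selectorLabels" . }}
+{{- if or .Chart.AppVersion .Values.image.tag }}
+app.kubernetes.io/version: {{ mustRegexReplaceAllLiteral "@sha.*" .Values.image.tag "" | default .Chart.AppVersion | trunc 63 | trimSuffix "-" | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels ImageRenderer
+*/}}
+{{- define "grafana.imageRenderer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "grafana.name" . }}-image-renderer
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Looks if there's an existing secret and reuse its password. If not it generates
+new password and use it.
+*/}}
+{{- define "grafana.password" -}}
+{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) ) }}
+{{- if $secret }}
+{{- index $secret "data" "admin-password" }}
+{{- else }}
+{{- (randAlphaNum 40) | b64enc | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the appropriate apiVersion for rbac.
+*/}}
+{{- define "grafana.rbac.apiVersion" -}}
+{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+{{- print "rbac.authorization.k8s.io/v1" }}
+{{- else }}
+{{- print "rbac.authorization.k8s.io/v1beta1" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "grafana.ingress.apiVersion" -}}
+{{- if and ($.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) }}
+{{- print "networking.k8s.io/v1" }}
+{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
+{{- print "networking.k8s.io/v1beta1" }}
+{{- else }}
+{{- print "extensions/v1beta1" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the appropriate apiVersion for Horizontal Pod Autoscaler.
+*/}}
+{{- define "grafana.hpa.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}
+{{- print "autoscaling/v2" }}
+{{- else }}
+{{- print "autoscaling/v2beta2" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the appropriate apiVersion for podDisruptionBudget.
+*/}}
+{{- define "grafana.podDisruptionBudget.apiVersion" -}}
+{{- if $.Values.podDisruptionBudget.apiVersion }}
+{{- print $.Values.podDisruptionBudget.apiVersion }}
+{{- else if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
+{{- print "policy/v1" }}
+{{- else }}
+{{- print "policy/v1beta1" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return if ingress is stable.
+*/}}
+{{- define "grafana.ingress.isStable" -}}
+{{- eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1" }}
+{{- end }}
+
+{{/*
+Return if ingress supports ingressClassName.
+*/}}
+{{- define "grafana.ingress.supportsIngressClassName" -}}
+{{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }}
+{{- end }}
+
+{{/*
+Return if ingress supports pathType.
+*/}}
+{{- define "grafana.ingress.supportsPathType" -}}
+{{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }}
+{{- end }}
+
+{{/*
+Formats imagePullSecrets. Input is (dict "root" . "imagePullSecrets" .{specific imagePullSecrets})
+*/}}
+{{- define "grafana.imagePullSecrets" -}}
+{{- $root := .root }}
+{{- range (concat .root.Values.global.imagePullSecrets .imagePullSecrets) }}
+{{- if eq (typeOf .) "map[string]interface {}" }}
+- {{ toYaml (dict "name" (tpl .name $root)) | trim }}
+{{- else }}
+- name: {{ tpl . $root }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Checks whether or not the configSecret secret has to be created
+*/}}
+{{- define "grafana.shouldCreateConfigSecret" -}}
+{{- $secretFound := false -}}
+{{- range $key, $value := .Values.datasources }}
+{{- if hasKey $value "secret" }}
+{{- $secretFound = true}}
+{{- end }}
+{{- end }}
+{{- range $key, $value := .Values.notifiers }}
+{{- if hasKey $value "secret" }}
+{{- $secretFound = true}}
+{{- end }}
+{{- end }}
+{{- range $key, $value := .Values.alerting }}
+{{- if (or (hasKey $value "secret") (hasKey $value "secretFile")) }}
+{{- $secretFound = true}}
+{{- end }}
+{{- end }}
+{{- $secretFound}}
+{{- end -}}
+
+{{/*
+Checks whether the user is attempting to store secrets in plaintext
+in the grafana.ini configmap
+*/}}
+{{/* grafana.assertNoLeakedSecrets checks for sensitive keys in values */}}
+{{- define "grafana.assertNoLeakedSecrets" -}}
+{{- $sensitiveKeysYaml := `
+sensitiveKeys:
+- path: ["database", "password"]
+- path: ["smtp", "password"]
+- path: ["security", "secret_key"]
+- path: ["security", "admin_password"]
+- path: ["auth.basic", "password"]
+- path: ["auth.ldap", "bind_password"]
+- path: ["auth.google", "client_secret"]
+- path: ["auth.github", "client_secret"]
+- path: ["auth.gitlab", "client_secret"]
+- path: ["auth.generic_oauth", "client_secret"]
+- path: ["auth.okta", "client_secret"]
+- path: ["auth.azuread", "client_secret"]
+- path: ["auth.grafana_com", "client_secret"]
+- path: ["auth.grafananet", "client_secret"]
+- path: ["azure", "user_identity_client_secret"]
+- path: ["unified_alerting", "ha_redis_password"]
+- path: ["metrics", "basic_auth_password"]
+- path: ["external_image_storage.s3", "secret_key"]
+- path: ["external_image_storage.webdav", "password"]
+- path: ["external_image_storage.azure_blob", "account_key"]
+` | fromYaml -}}
+{{- if $.Values.assertNoLeakedSecrets -}}
+{{- $grafanaIni := index .Values "grafana.ini" -}}
+{{- range $_, $secret := $sensitiveKeysYaml.sensitiveKeys -}}
+{{- $currentMap := $grafanaIni -}}
+{{- $shouldContinue := true -}}
+{{- range $index, $elem := $secret.path -}}
+{{- if and $shouldContinue (hasKey $currentMap $elem) -}}
+{{- if eq (len $secret.path) (add1 $index) -}}
+{{- if not (regexMatch "\\$(?:__(?:env|file|vault))?{[^}]+}" (index $currentMap $elem)) -}}
+{{- fail (printf "Sensitive key '%s' should not be defined explicitly in values. Use variable expansion instead. You can disable this client-side validation by changing the value of assertNoLeakedSecrets." (join "." $secret.path)) -}}
+{{- end -}}
+{{- else -}}
+{{- $currentMap = index $currentMap $elem -}}
+{{- end -}}
+{{- else -}}
+{{- $shouldContinue = false -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}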
1389
opencloud/charts/grafana/templates/_pod.tpl
Normal file
File diff suppressed because it is too large
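--- /dev/null
+++ b/opencloud/charts/grafana/templates/clusterrole.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) (not .Values.rbac.useExistingClusterRole) }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+name: {{ include "grafana.fullname" . }}-clusterrole
+{{- if or .Values.sidecar.dashboards.enabled .Values.rbac.extraClusterRoleRules .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
+rules:
+{{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
+- apiGroups: [""] # "" indicates the core API group
+resources: ["configmaps", "secrets"]
+verbs: ["get", "watch", "list"]
+{{- end}}
+{{- with .Values.rbac.extraClusterRoleRules }}
+{{- toYaml . | nindent 2 }}
+{{- end}}
+{{- else }}
+rules: []
+{{- end}}
+{{- end}}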
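--- /dev/null
+++ b/opencloud/charts/grafana/templates/clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: {{ include "grafana.fullname" . }}-clusterrolebinding
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "grafana.serviceAccountName" . }}
+namespace: {{ include "grafana.namespace" . }}
+roleRef:
+kind: ClusterRole
+{{- if .Values.rbac.useExistingClusterRole }}
+name: {{ .Values.rbac.useExistingClusterRole }}
+{{- else }}
+name: {{ include "grafana.fullname" . }}-clusterrole
+{{- end }}
+apiGroup: rbac.authorization.k8s.io
+{{- end }}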
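--- /dev/null
+++ b/opencloud/charts/grafana/templates/configSecret.yaml
@@ -0,0 +1,43 @@
+{{- $createConfigSecret := eq (include "grafana.shouldCreateConfigSecret" .) "true" -}}
+{{- if and .Values.createConfigmap $createConfigSecret }}
+{{- $files := .Files }}
+{{- $root := . -}}
+apiVersion: v1
+kind: Secret
+metadata:
+name: "{{ include "grafana.fullname" . }}-config-secret"
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+data:
+{{- range $key, $value := .Values.alerting }}
+{{- if (hasKey $value "secretFile") }}
+{{- $key | nindent 2 }}:
+{{- toYaml ( $files.Get $value.secretFile ) | b64enc | nindent 4}}
+{{/* as of https://helm.sh/docs/chart_template_guide/accessing_files/ this will only work if you fork this chart and add files to it*/}}
+{{- end }}
+{{- end }}
+stringData:
+{{- range $key, $value := .Values.datasources }}
+{{- if (hasKey $value "secret") }}
+{{- $key | nindent 2 }}: |
+{{- tpl (toYaml $value.secret | nindent 4) $root }}
+{{- end }}
+{{- end }}
+{{- range $key, $value := .Values.notifiers }}
+{{- if (hasKey $value "secret") }}
+{{- $key | nindent 2 }}: |
+{{- tpl (toYaml $value.secret | nindent 4) $root }}
+{{- end }}
+{{- end }}
+{{- range $key, $value := .Values.alerting }}
+{{ if (hasKey $value "secret") }}
+{{- $key | nindent 2 }}: |
+{{- tpl (toYaml $value.secret | nindent 4) $root }}
+{{- end }}
+{{- end }}
+{{- end }}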
@ -0,0 +1,15 @@
{{- if and .Values.sidecar.dashboards.enabled .Values.sidecar.dashboards.SCProvider }}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "grafana.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "grafana.fullname" . }}-config-dashboards
namespace: {{ include "grafana.namespace" . }}
data:
{{- include "grafana.configDashboardProviderData" . | nindent 2 }}
{{- end }}
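--- /dev/null
+++ b/opencloud/charts/grafana/templates/configmap.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.createConfigmap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: {{ include "grafana.fullname" . }}
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- if or .Values.configMapAnnotations .Values.annotations }}
+annotations:
+{{- with .Values.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.configMapAnnotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}
+data:
+{{- include "grafana.configData" . | nindent 2 }}
+{{- end }}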
@ -0,0 +1,35 @@
{{- if .Values.dashboards }}
{{ $files := .Files }}
{{- range $provider, $dashboards := .Values.dashboards }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "grafana.fullname" $ }}-dashboards-{{ $provider }}
namespace: {{ include "grafana.namespace" $ }}
labels:
{{- include "grafana.labels" $ | nindent 4 }}
dashboard-provider: {{ $provider }}
{{- if $dashboards }}
data:
{{- $dashboardFound := false }}
{{- range $key, $value := $dashboards }}
{{- if (or (hasKey $value "json") (hasKey $value "file")) }}
{{- $dashboardFound = true }}
{{- print $key | nindent 2 }}.json:
{{- if hasKey $value "json" }}
|-
{{- $value.json | nindent 6 }}
{{- end }}
{{- if hasKey $value "file" }}
{{- toYaml ( $files.Get $value.file ) | nindent 4}}
{{- end }}
{{- end }}
{{- end }}
{{- if not $dashboardFound }}
{}
{{- end }}
{{- end }}
---
{{- end }}
{{- end }}
53
opencloud/charts/grafana/templates/deployment.yaml
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
{{- if (and (not .Values.useStatefulSet) (or (not .Values.persistence.enabled) (eq .Values.persistence.type "pvc"))) }}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ include "grafana.fullname" . }}
|
||||||
|
namespace: {{ include "grafana.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "grafana.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if (not .Values.autoscaling.enabled) }}
|
||||||
|
replicas: {{ .Values.replicas }}
|
||||||
|
{{- end }}
|
||||||
|
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{- include "grafana.selectorLabels" . | nindent 6 }}
|
||||||
|
{{- with .Values.deploymentStrategy }}
|
||||||
|
strategy:
|
||||||
|
{{- toYaml . | trim | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{- include "grafana.labels" . | nindent 8 }}
|
||||||
|
{{- with .Values.podLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
annotations:
|
||||||
|
checksum/config: {{ include "grafana.configData" . | sha256sum }}
|
||||||
|
{{- if .Values.dashboards }}
|
||||||
|
checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }}
|
||||||
|
{{- end }}
|
||||||
|
checksum/sc-dashboard-provider-config: {{ include "grafana.configDashboardProviderData" . | sha256sum }}
|
||||||
|
{{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
|
||||||
|
checksum/secret: {{ include "grafana.secretsData" . | sha256sum }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.envRenderSecret }}
|
||||||
|
checksum/secret-env: {{ tpl (toYaml .Values.envRenderSecret) . | sha256sum }}
|
||||||
|
{{- end }}
|
||||||
|
kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
|
||||||
|
{{- with .Values.podAnnotations }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- include "grafana.pod" . | nindent 6 }}
|
||||||
|
{{- end }}
|
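--- a/opencloud/charts/grafana/templates/extra-manifests.yaml
+++ b/opencloud/charts/grafana/templates/extra-manifests.yaml
@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl (toYaml .) $ }}
+{{ end }}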
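--- a/opencloud/charts/grafana/templates/headless-service.yaml
+++ b/opencloud/charts/grafana/templates/headless-service.yaml
@@ -0,0 +1,22 @@
+{{- $sts := list "sts" "StatefulSet" "statefulset" -}}
+{{- if or .Values.headlessService (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (has .Values.persistence.type $sts)) }}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "grafana.fullname" . }}-headless
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+clusterIP: None
+selector:
+{{- include "grafana.selectorLabels" . | nindent 4 }}
+type: ClusterIP
+ports:
+- name: {{ .Values.gossipPortName }}-tcp
+port: 9094
+{{- end }}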
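--- a/opencloud/charts/grafana/templates/hpa.yaml
+++ b/opencloud/charts/grafana/templates/hpa.yaml
@@ -0,0 +1,51 @@
+{{- $sts := list "sts" "StatefulSet" "statefulset" -}}
+{{- if .Values.autoscaling.enabled }}
+apiVersion: {{ include "grafana.hpa.apiVersion" . }}
+kind: HorizontalPodAutoscaler
+metadata:
+name: {{ include "grafana.fullname" . }}
+namespace: {{ include "grafana.namespace" . }}
+labels:
+app.kubernetes.io/name: {{ include "grafana.name" . }}
+helm.sh/chart: {{ include "grafana.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+scaleTargetRef:
+apiVersion: apps/v1
+{{- if has .Values.persistence.type $sts }}
+kind: StatefulSet
+{{- else }}
+kind: Deployment
+{{- end }}
+name: {{ include "grafana.fullname" . }}
+minReplicas: {{ .Values.autoscaling.minReplicas }}
+maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+metrics:
+{{- if .Values.autoscaling.targetMemory }}
+- type: Resource
+resource:
+name: memory
+{{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }}
+targetAverageUtilization: {{ .Values.autoscaling.targetMemory }}
+{{- else }}
+target:
+type: Utilization
+averageUtilization: {{ .Values.autoscaling.targetMemory }}
+{{- end }}
+{{- end }}
+{{- if .Values.autoscaling.targetCPU }}
+- type: Resource
+resource:
+name: cpu
+{{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }}
+targetAverageUtilization: {{ .Values.autoscaling.targetCPU }}
+{{- else }}
+target:
+type: Utilization
+averageUtilization: {{ .Values.autoscaling.targetCPU }}
+{{- end }}
+{{- end }}
+{{- if .Values.autoscaling.behavior }}
+behavior: {{ toYaml .Values.autoscaling.behavior | nindent 4 }}
+{{- end }}
+{{- end }}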
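--- a/opencloud/charts/grafana/templates/[file name not rendered]
+++ b/opencloud/charts/grafana/templates/[file name not rendered]
@@ -0,0 +1,199 @@
+{{ if .Values.imageRenderer.enabled }}
+{{- $root := . -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "grafana.fullname" . }}-image-renderer
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.imageRenderer.labels" . | nindent 4 }}
+{{- with .Values.imageRenderer.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.imageRenderer.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- if and (not .Values.imageRenderer.autoscaling.enabled) (.Values.imageRenderer.replicas) }}
+replicas: {{ .Values.imageRenderer.replicas }}
+{{- end }}
+revisionHistoryLimit: {{ .Values.imageRenderer.revisionHistoryLimit }}
+selector:
+matchLabels:
+{{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }}
+
+{{- with .Values.imageRenderer.deploymentStrategy }}
+strategy:
+{{- toYaml . | trim | nindent 4 }}
+{{- end }}
+template:
+metadata:
+labels:
+{{- include "grafana.imageRenderer.selectorLabels" . | nindent 8 }}
+{{- with .Values.imageRenderer.podLabels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+annotations:
+checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+{{- with .Values.imageRenderer.podAnnotations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+spec:
+{{- with .Values.imageRenderer.schedulerName }}
+schedulerName: "{{ . }}"
+{{- end }}
+{{- with .Values.imageRenderer.serviceAccountName }}
+serviceAccountName: "{{ . }}"
+{{- end }}
+{{- with .Values.imageRenderer.securityContext }}
+securityContext:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.imageRenderer.hostAliases }}
+hostAliases:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.imageRenderer.priorityClassName }}
+priorityClassName: {{ . }}
+{{- end }}
+{{- with .Values.imageRenderer.image.pullSecrets }}
+imagePullSecrets:
+{{- range . }}
+- name: {{ tpl . $root }}
+{{- end}}
+{{- end }}
+containers:
+- name: {{ .Chart.Name }}-image-renderer
+{{- $registry := .Values.global.imageRegistry | default .Values.imageRenderer.image.registry -}}
+{{- if .Values.imageRenderer.image.sha }}
+image: "{{ $registry }}/{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}@sha256:{{ .Values.imageRenderer.image.sha }}"
+{{- else }}
+image: "{{ $registry }}/{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}"
+{{- end }}
+imagePullPolicy: {{ .Values.imageRenderer.image.pullPolicy }}
+{{- if .Values.imageRenderer.command }}
+command:
+{{- range .Values.imageRenderer.command }}
+- {{ . }}
+{{- end }}
+{{- end}}
+ports:
+- name: {{ .Values.imageRenderer.service.portName }}
+containerPort: {{ .Values.imageRenderer.service.targetPort }}
+protocol: TCP
+livenessProbe:
+httpGet:
+path: /
+port: {{ .Values.imageRenderer.service.portName }}
+env:
+- name: HTTP_PORT
+value: {{ .Values.imageRenderer.service.targetPort | quote }}
+{{- if .Values.imageRenderer.serviceMonitor.enabled }}
+- name: ENABLE_METRICS
+value: "true"
+{{- end }}
+{{- range $key, $value := .Values.imageRenderer.envValueFrom }}
+- name: {{ $key | quote }}
+valueFrom:
+{{- tpl (toYaml $value) $ | nindent 16 }}
+{{- end }}
+{{- range $key, $value := .Values.imageRenderer.env }}
+- name: {{ $key | quote }}
+value: {{ $value | quote }}
+{{- end }}
+{{- with .Values.imageRenderer.containerSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+volumeMounts:
+- mountPath: /tmp
+name: image-renderer-tmpfs
+{{- range .Values.imageRenderer.extraConfigmapMounts }}
+- name: {{ tpl .name $root }}
+mountPath: {{ tpl .mountPath $root }}
+subPath: {{ tpl (.subPath | default "") $root }}
+readOnly: {{ .readOnly }}
+{{- end }}
+{{- range .Values.imageRenderer.extraSecretMounts }}
+- name: {{ .name }}
+mountPath: {{ .mountPath }}
+readOnly: {{ .readOnly }}
+subPath: {{ .subPath | default "" }}
+{{- end }}
+{{- range .Values.imageRenderer.extraVolumeMounts }}
+- name: {{ .name }}
+mountPath: {{ .mountPath }}
+subPath: {{ .subPath | default "" }}
+readOnly: {{ .readOnly }}
+{{- end }}
+{{- with .Values.imageRenderer.resources }}
+resources:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.imageRenderer.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.imageRenderer.affinity }}
+affinity:
+{{- tpl (toYaml .) $root | nindent 8 }}
+{{- end }}
+{{- with .Values.imageRenderer.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+volumes:
+- name: image-renderer-tmpfs
+emptyDir: {}
+{{- range .Values.imageRenderer.extraConfigmapMounts }}
+- name: {{ tpl .name $root }}
+configMap:
+name: {{ tpl .configMap $root }}
+{{- with .items }}
+items:
+{{- toYaml . | nindent 14 }}
+{{- end }}
+{{- end }}
+{{- range .Values.imageRenderer.extraSecretMounts }}
+{{- if .secretName }}
+- name: {{ .name }}
+secret:
+secretName: {{ .secretName }}
+defaultMode: {{ .defaultMode }}
+{{- with .items }}
+items:
+{{- toYaml . | nindent 14 }}
+{{- end }}
+{{- else if .projected }}
+- name: {{ .name }}
+projected:
+{{- toYaml .projected | nindent 12 }}
+{{- else if .csi }}
+- name: {{ .name }}
+csi:
+{{- toYaml .csi | nindent 12 }}
+{{- end }}
+{{- end }}
+{{- range .Values.imageRenderer.extraVolumes }}
+- name: {{ .name }}
+{{- if .existingClaim }}
+persistentVolumeClaim:
+claimName: {{ .existingClaim }}
+{{- else if .hostPath }}
+hostPath:
+{{ toYaml .hostPath | nindent 12 }}
+{{- else if .csi }}
+csi:
+{{- toYaml .csi | nindent 12 }}
+{{- else if .configMap }}
+configMap:
+{{- toYaml .configMap | nindent 12 }}
+{{- else if .emptyDir }}
+emptyDir:
+{{- toYaml .emptyDir | nindent 12 }}
+{{- else }}
+emptyDir: {}
+{{- end }}
+{{- end }}
+{{- end }}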
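--- a/opencloud/charts/grafana/templates/image-renderer-hpa.yaml
+++ b/opencloud/charts/grafana/templates/image-renderer-hpa.yaml
@@ -0,0 +1,46 @@
+{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.autoscaling.enabled }}
+apiVersion: {{ include "grafana.hpa.apiVersion" . }}
+kind: HorizontalPodAutoscaler
+metadata:
+name: {{ include "grafana.fullname" . }}-image-renderer
+namespace: {{ include "grafana.namespace" . }}
+labels:
+app.kubernetes.io/name: {{ include "grafana.name" . }}-image-renderer
+helm.sh/chart: {{ include "grafana.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+scaleTargetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: {{ include "grafana.fullname" . }}-image-renderer
+minReplicas: {{ .Values.imageRenderer.autoscaling.minReplicas }}
+maxReplicas: {{ .Values.imageRenderer.autoscaling.maxReplicas }}
+metrics:
+{{- if .Values.imageRenderer.autoscaling.targetMemory }}
+- type: Resource
+resource:
+name: memory
+{{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }}
+targetAverageUtilization: {{ .Values.imageRenderer.autoscaling.targetMemory }}
+{{- else }}
+target:
+type: Utilization
+averageUtilization: {{ .Values.imageRenderer.autoscaling.targetMemory }}
+{{- end }}
+{{- end }}
+{{- if .Values.imageRenderer.autoscaling.targetCPU }}
+- type: Resource
+resource:
+name: cpu
+{{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }}
+targetAverageUtilization: {{ .Values.imageRenderer.autoscaling.targetCPU }}
+{{- else }}
+target:
+type: Utilization
+averageUtilization: {{ .Values.imageRenderer.autoscaling.targetCPU }}
+{{- end }}
+{{- end }}
+{{- if .Values.imageRenderer.autoscaling.behavior }}
+behavior: {{ toYaml .Values.imageRenderer.autoscaling.behavior | nindent 4 }}
+{{- end }}
+{{- end }}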
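--- a/opencloud/charts/grafana/templates/[file name not rendered]
+++ b/opencloud/charts/grafana/templates/[file name not rendered]
@@ -0,0 +1,79 @@
+{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitIngress }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ include "grafana.fullname" . }}-image-renderer-ingress
+namespace: {{ include "grafana.namespace" . }}
+annotations:
+comment: Limit image-renderer ingress traffic from grafana
+spec:
+podSelector:
+matchLabels:
+{{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }}
+{{- with .Values.imageRenderer.podLabels }}
+{{- toYaml . | nindent 6 }}
+{{- end }}
+
+policyTypes:
+- Ingress
+ingress:
+- ports:
+- port: {{ .Values.imageRenderer.service.targetPort }}
+protocol: TCP
+from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: {{ include "grafana.namespace" . }}
+podSelector:
+matchLabels:
+{{- include "grafana.selectorLabels" . | nindent 14 }}
+{{- with .Values.podLabels }}
+{{- toYaml . | nindent 14 }}
+{{- end }}
+{{- with .Values.imageRenderer.networkPolicy.extraIngressSelectors -}}
+{{ toYaml . | nindent 8 }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitEgress }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ include "grafana.fullname" . }}-image-renderer-egress
+namespace: {{ include "grafana.namespace" . }}
+annotations:
+comment: Limit image-renderer egress traffic to grafana
+spec:
+podSelector:
+matchLabels:
+{{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }}
+{{- with .Values.imageRenderer.podLabels }}
+{{- toYaml . | nindent 6 }}
+{{- end }}
+
+policyTypes:
+- Egress
+egress:
+# allow dns resolution
+- ports:
+- port: 53
+protocol: UDP
+- port: 53
+protocol: TCP
+# talk only to grafana
+- ports:
+- port: {{ .Values.service.targetPort }}
+protocol: TCP
+to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: {{ include "grafana.namespace" . }}
+podSelector:
+matchLabels:
+{{- include "grafana.selectorLabels" . | nindent 14 }}
+{{- with .Values.podLabels }}
+{{- toYaml . | nindent 14 }}
+{{- end }}
+{{- end }}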
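--- a/opencloud/charts/grafana/templates/[file name not rendered]
+++ b/opencloud/charts/grafana/templates/[file name not rendered]
@@ -0,0 +1,31 @@
+{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.service.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "grafana.fullname" . }}-image-renderer
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.imageRenderer.labels" . | nindent 4 }}
+{{- with .Values.imageRenderer.service.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.imageRenderer.service.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+type: ClusterIP
+{{- with .Values.imageRenderer.service.clusterIP }}
+clusterIP: {{ . }}
+{{- end }}
+ports:
+- name: {{ .Values.imageRenderer.service.portName }}
+port: {{ .Values.imageRenderer.service.port }}
+protocol: TCP
+targetPort: {{ .Values.imageRenderer.service.targetPort }}
+{{- with .Values.imageRenderer.appProtocol }}
+appProtocol: {{ . }}
+{{- end }}
+selector:
+{{- include "grafana.imageRenderer.selectorLabels" . | nindent 4 }}
+{{- end }}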
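--- a/opencloud/charts/grafana/templates/[file name not rendered]
+++ b/opencloud/charts/grafana/templates/[file name not rendered]
@@ -0,0 +1,48 @@
+{{- if .Values.imageRenderer.serviceMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: {{ include "grafana.fullname" . }}-image-renderer
+{{- if .Values.imageRenderer.serviceMonitor.namespace }}
+namespace: {{ tpl .Values.imageRenderer.serviceMonitor.namespace . }}
+{{- else }}
+namespace: {{ include "grafana.namespace" . }}
+{{- end }}
+labels:
+{{- include "grafana.imageRenderer.labels" . | nindent 4 }}
+{{- with .Values.imageRenderer.serviceMonitor.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+endpoints:
+- port: {{ .Values.imageRenderer.service.portName }}
+{{- with .Values.imageRenderer.serviceMonitor.interval }}
+interval: {{ . }}
+{{- end }}
+{{- with .Values.imageRenderer.serviceMonitor.scrapeTimeout }}
+scrapeTimeout: {{ . }}
+{{- end }}
+honorLabels: true
+path: {{ .Values.imageRenderer.serviceMonitor.path }}
+scheme: {{ .Values.imageRenderer.serviceMonitor.scheme }}
+{{- with .Values.imageRenderer.serviceMonitor.tlsConfig }}
+tlsConfig:
+{{- toYaml . | nindent 6 }}
+{{- end }}
+{{- with .Values.imageRenderer.serviceMonitor.relabelings }}
+relabelings:
+{{- toYaml . | nindent 6 }}
+{{- end }}
+jobLabel: "{{ .Release.Name }}-image-renderer"
+selector:
+matchLabels:
+{{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }}
+namespaceSelector:
+matchNames:
+- {{ include "grafana.namespace" . }}
+{{- with .Values.imageRenderer.serviceMonitor.targetLabels }}
+targetLabels:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}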
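--- a/opencloud/charts/grafana/templates/ingress.yaml
+++ b/opencloud/charts/grafana/templates/ingress.yaml
@@ -0,0 +1,78 @@
+{{- if .Values.ingress.enabled -}}
+{{- $ingressApiIsStable := eq (include "grafana.ingress.isStable" .) "true" -}}
+{{- $ingressSupportsIngressClassName := eq (include "grafana.ingress.supportsIngressClassName" .) "true" -}}
+{{- $ingressSupportsPathType := eq (include "grafana.ingress.supportsPathType" .) "true" -}}
+{{- $fullName := include "grafana.fullname" . -}}
+{{- $servicePort := .Values.service.port -}}
+{{- $ingressPath := .Values.ingress.path -}}
+{{- $ingressPathType := .Values.ingress.pathType -}}
+{{- $extraPaths := .Values.ingress.extraPaths -}}
+apiVersion: {{ include "grafana.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+name: {{ $fullName }}
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.ingress.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.ingress.annotations }}
+annotations:
+{{- range $key, $value := . }}
+{{ $key }}: {{ tpl $value $ | quote }}
+{{- end }}
+{{- end }}
+spec:
+{{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }}
+ingressClassName: {{ .Values.ingress.ingressClassName }}
+{{- end -}}
+{{- with .Values.ingress.tls }}
+tls:
+{{- tpl (toYaml .) $ | nindent 4 }}
+{{- end }}
+rules:
+{{- if .Values.ingress.hosts }}
+{{- range .Values.ingress.hosts }}
+- host: {{ tpl . $ | quote }}
+http:
+paths:
+{{- with $extraPaths }}
+{{- toYaml . | nindent 10 }}
+{{- end }}
+- path: {{ $ingressPath }}
+{{- if $ingressSupportsPathType }}
+pathType: {{ $ingressPathType }}
+{{- end }}
+backend:
+{{- if $ingressApiIsStable }}
+service:
+name: {{ $fullName }}
+port:
+number: {{ $servicePort }}
+{{- else }}
+serviceName: {{ $fullName }}
+servicePort: {{ $servicePort }}
+{{- end }}
+{{- end }}
+{{- else }}
+- http:
+paths:
+- backend:
+{{- if $ingressApiIsStable }}
+service:
+name: {{ $fullName }}
+port:
+number: {{ $servicePort }}
+{{- else }}
+serviceName: {{ $fullName }}
+servicePort: {{ $servicePort }}
+{{- end }}
+{{- with $ingressPath }}
+path: {{ . }}
+{{- end }}
+{{- if $ingressSupportsPathType }}
+pathType: {{ $ingressPathType }}
+{{- end }}
+{{- end -}}
+{{- end }}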
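--- a/opencloud/charts/grafana/templates/networkpolicy.yaml
+++ b/opencloud/charts/grafana/templates/networkpolicy.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ include "grafana.fullname" . }}
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+policyTypes:
+{{- if .Values.networkPolicy.ingress }}
+- Ingress
+{{- end }}
+{{- if .Values.networkPolicy.egress.enabled }}
+- Egress
+{{- end }}
+podSelector:
+matchLabels:
+{{- include "grafana.selectorLabels" . | nindent 6 }}
+
+{{- if .Values.networkPolicy.egress.enabled }}
+egress:
+{{- if not .Values.networkPolicy.egress.blockDNSResolution }}
+- ports:
+- port: 53
+protocol: UDP
+{{- end }}
+- ports:
+{{ .Values.networkPolicy.egress.ports | toJson }}
+{{- with .Values.networkPolicy.egress.to }}
+to:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- end }}
+{{- if .Values.networkPolicy.ingress }}
+ingress:
+- ports:
+- port: {{ .Values.service.targetPort }}
+{{- if not .Values.networkPolicy.allowExternal }}
+from:
+- podSelector:
+matchLabels:
+{{ include "grafana.fullname" . }}-client: "true"
+{{- with .Values.networkPolicy.explicitNamespacesSelector }}
+- namespaceSelector:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+- podSelector:
+matchLabels:
+{{- include "grafana.labels" . | nindent 14 }}
+role: read
+{{- end }}
+{{- end }}
+{{- end }}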
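--- a/opencloud/charts/grafana/templates/poddisruptionbudget.yaml
+++ b/opencloud/charts/grafana/templates/poddisruptionbudget.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: {{ include "grafana.podDisruptionBudget.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+name: {{ include "grafana.fullname" . }}
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- with .Values.podDisruptionBudget.minAvailable }}
+minAvailable: {{ . }}
+{{- end }}
+{{- with .Values.podDisruptionBudget.maxUnavailable }}
+maxUnavailable: {{ . }}
+{{- end }}
+selector:
+matchLabels:
+{{- include "grafana.selectorLabels" . | nindent 6 }}
+{{- end }}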
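--- a/opencloud/charts/grafana/templates/podsecuritypolicy.yaml
+++ b/opencloud/charts/grafana/templates/podsecuritypolicy.yaml
@@ -0,0 +1,49 @@
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+name: {{ include "grafana.fullname" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+annotations:
+seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+{{- if .Values.rbac.pspUseAppArmor }}
+apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+{{- end }}
+spec:
+privileged: false
+allowPrivilegeEscalation: false
+requiredDropCapabilities:
+# Default set from Docker, with DAC_OVERRIDE and CHOWN
+- ALL
+volumes:
+- 'configMap'
+- 'emptyDir'
+- 'projected'
+- 'csi'
+- 'secret'
+- 'downwardAPI'
+- 'persistentVolumeClaim'
+hostNetwork: false
+hostIPC: false
+hostPID: false
+runAsUser:
+rule: 'RunAsAny'
+seLinux:
+rule: 'RunAsAny'
+supplementalGroups:
+rule: 'MustRunAs'
+ranges:
+# Forbid adding the root group.
+- min: 1
+max: 65535
+fsGroup:
+rule: 'MustRunAs'
+ranges:
+# Forbid adding the root group.
+- min: 1
+max: 65535
+readOnlyRootFilesystem: false
+{{- end }}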
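--- a/opencloud/charts/grafana/templates/pvc.yaml
+++ b/opencloud/charts/grafana/templates/pvc.yaml
@@ -0,0 +1,39 @@
+{{- if and (not .Values.useStatefulSet) .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "pvc")}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: {{ include "grafana.fullname" . }}
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.persistence.extraPvcLabels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.persistence.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.persistence.finalizers }}
+finalizers:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+accessModes:
+{{- range .Values.persistence.accessModes }}
+- {{ . | quote }}
+{{- end }}
+resources:
+requests:
+storage: {{ .Values.persistence.size | quote }}
+{{- if and (.Values.persistence.lookupVolumeName) (lookup "v1" "PersistentVolumeClaim" (include "grafana.namespace" .) (include "grafana.fullname" .)) }}
+volumeName: {{ (lookup "v1" "PersistentVolumeClaim" (include "grafana.namespace" .) (include "grafana.fullname" .)).spec.volumeName }}
+{{- end }}
+{{- with .Values.persistence.storageClassName }}
+storageClassName: {{ . }}
+{{- end }}
+{{- with .Values.persistence.selectorLabels }}
+selector:
+matchLabels:
+{{- toYaml . | nindent 6 }}
+{{- end }}
+{{- end }}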
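--- a/opencloud/charts/grafana/templates/role.yaml
+++ b/opencloud/charts/grafana/templates/role.yaml
@@ -0,0 +1,32 @@
+{{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: {{ include "grafana.fullname" . }}
+namespace: {{ include "grafana.namespace" . }}
+labels:
+{{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- if or .Values.rbac.pspEnabled (and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.rbac.extraRoleRules)) }}
+rules:
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+- apiGroups: ['extensions']
+resources: ['podsecuritypolicies']
+verbs: ['use']
+resourceNames: [{{ include "grafana.fullname" . }}]
+{{- end }}
+{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }}
+- apiGroups: [""] # "" indicates the core API group
+resources: ["configmaps", "secrets"]
+verbs: ["get", "watch", "list"]
+{{- end }}
+{{- with .Values.rbac.extraRoleRules }}
+{{- toYaml . | nindent 2 }}
+{{- end}}
+{{- else }}
+rules: []
+{{- end }}
+{{- end }}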
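--- /dev/null
+++ b/opencloud/charts/grafana/templates/rolebinding.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "grafana.fullname" . }}
+  namespace: {{ include "grafana.namespace" . }}
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  {{- if .Values.rbac.useExistingRole }}
+  name: {{ .Values.rbac.useExistingRole }}
+  {{- else }}
+  name: {{ include "grafana.fullname" . }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "grafana.serviceAccountName" . }}
+    namespace: {{ include "grafana.namespace" . }}
+{{- end }}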
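--- /dev/null
+++ b/opencloud/charts/grafana/templates/route.yaml
@@ -0,0 +1,44 @@
+{{- range $name, $route := .Values.route }}
+{{- if $route.enabled -}}
+---
+apiVersion: {{ $route.apiVersion | default "gateway.networking.k8s.io/v1" }}
+kind: {{ $route.kind | default "HTTPRoute" }}
+metadata:
+  {{- with $route.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ template "grafana.fullname" $ }}{{ if ne $name "main" }}-{{ $name }}{{ end }}
+  namespace: {{ template "grafana.namespace" $ }}
+  labels:
+    app: {{ template "grafana.name" $ }}-prometheus
+    {{- include "grafana.labels" $ | nindent 4 }}
+    {{- with $route.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $route.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $route.hostnames }}
+  hostnames:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- if $route.additionalRules }}
+    {{- tpl (toYaml $route.additionalRules) $ | nindent 4 }}
+    {{- end }}
+    - backendRefs:
+        - name: {{ include "grafana.fullname" $ }}
+          port: {{ $.Values.service.port }}
+      {{- with $route.filters }}
+      filters:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $route.matches }}
+      matches:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
+{{- end }}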
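--- /dev/null
+++ b/opencloud/charts/grafana/templates/secret-env.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.envRenderSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "grafana.fullname" . }}-env
+  namespace: {{ include "grafana.namespace" . }}
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- range $key, $val := .Values.envRenderSecret }}
+  {{ $key }}: {{ tpl ($val | toString) $ | b64enc | quote }}
+{{- end }}
+{{- end }}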
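--- /dev/null
+++ b/opencloud/charts/grafana/templates/secret.yaml
@@ -0,0 +1,16 @@
+{{- if or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "grafana.fullname" . }}
+  namespace: {{ include "grafana.namespace" . }}
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  {{- include "grafana.secretsData" . | nindent 2 }}
+{{- end }}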
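--- /dev/null
+++ b/opencloud/charts/grafana/templates/service.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.service.enabled }}
+{{- $root := . }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "grafana.fullname" . }}
+  namespace: {{ include "grafana.namespace" . }}
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+    {{- with .Values.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- tpl (toYaml . | nindent 4) $root }}
+  {{- end }}
+spec:
+  {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
+  type: ClusterIP
+  {{- with .Values.service.clusterIP }}
+  clusterIP: {{ . }}
+  {{- end }}
+  {{- else if eq .Values.service.type "LoadBalancer" }}
+  type: LoadBalancer
+  {{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: {{ . }}
+  {{- end }}
+  {{- with .Values.service.loadBalancerClass }}
+  loadBalancerClass: {{ . }}
+  {{- end }}
+  {{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  type: {{ .Values.service.type }}
+  {{- end }}
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- with .Values.service.externalIPs }}
+  externalIPs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ . }}
+  {{- end }}
+  ports:
+    - name: {{ .Values.service.portName }}
+      port: {{ .Values.service.port }}
+      protocol: TCP
+      targetPort: {{ .Values.service.targetPort }}
+      {{- with .Values.service.appProtocol }}
+      appProtocol: {{ . }}
+      {{- end }}
+      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
+      nodePort: {{ .Values.service.nodePort }}
+      {{- end }}
+    {{- with .Values.extraExposePorts }}
+    {{- tpl (toYaml . | nindent 4) $root }}
+    {{- end }}
+  selector:
+    {{- include "grafana.selectorLabels" . | nindent 4 }}
+{{- end }}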
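--- /dev/null
+++ b/opencloud/charts/grafana/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.autoMount | default .Values.serviceAccount.automountServiceAccountToken }}
+metadata:
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+    {{- with .Values.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- tpl (toYaml . | nindent 4) $ }}
+  {{- end }}
+  name: {{ include "grafana.serviceAccountName" . }}
+  namespace: {{ include "grafana.namespace" . }}
+{{- end }}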
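--- /dev/null
+++ b/opencloud/charts/grafana/templates/servicemonitor.yaml
@@ -0,0 +1,52 @@
+{{- if .Values.serviceMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "grafana.fullname" . }}
+  {{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ tpl .Values.serviceMonitor.namespace . }}
+  {{- else }}
+  namespace: {{ include "grafana.namespace" . }}
+  {{- end }}
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.labels }}
+    {{- tpl (toYaml . | nindent 4) $ }}
+    {{- end }}
+spec:
+  endpoints:
+  - port: {{ .Values.service.portName }}
+    {{- with .Values.serviceMonitor.interval }}
+    interval: {{ . }}
+    {{- end }}
+    {{- with .Values.serviceMonitor.scrapeTimeout }}
+    scrapeTimeout: {{ . }}
+    {{- end }}
+    honorLabels: true
+    path: {{ .Values.serviceMonitor.path }}
+    scheme: {{ .Values.serviceMonitor.scheme }}
+    {{- with .Values.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.serviceMonitor.relabelings }}
+    relabelings:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  jobLabel: "{{ .Release.Name }}"
+  selector:
+    matchLabels:
+      {{- include "grafana.selectorLabels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "grafana.namespace" . }}
+  {{- with .Values.serviceMonitor.targetLabels }}
+  targetLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}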
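--- /dev/null
+++ b/opencloud/charts/grafana/templates/statefulset.yaml
@@ -0,0 +1,58 @@
+{{- $sts := list "sts" "StatefulSet" "statefulset" -}}
+{{- if (or (.Values.useStatefulSet) (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (has .Values.persistence.type $sts)))}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "grafana.fullname" . }}
+  namespace: {{ include "grafana.namespace" . }}
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "grafana.selectorLabels" . | nindent 6 }}
+  serviceName: {{ include "grafana.fullname" . }}-headless
+  template:
+    metadata:
+      labels:
+        {{- include "grafana.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }}
+        checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }}
+        {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
+        kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- include "grafana.pod" . | nindent 6 }}
+  {{- if .Values.persistence.enabled}}
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: storage
+    spec:
+      accessModes: {{ .Values.persistence.accessModes }}
+      storageClassName: {{ .Values.persistence.storageClassName }}
+      resources:
+        requests:
+          storage: {{ .Values.persistence.size }}
+      {{- with .Values.persistence.selectorLabels }}
+      selector:
+        matchLabels:
+          {{- toYaml . | nindent 10 }}
+      {{- end }}
+  {{- end }}
+{{- end }}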
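--- /dev/null
+++ b/opencloud/charts/grafana/templates/tests/test-configmap.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.testFramework.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "grafana.fullname" . }}-test
+  namespace: {{ include "grafana.namespace" . }}
+  annotations:
+    "helm.sh/hook": {{ .Values.testFramework.hookType | default "test" }}
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://{{ include "grafana.fullname" . }}/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+{{- end }}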
@ -0,0 +1,32 @@
|
|||||||
|
{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ include "grafana.fullname" . }}-test
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": {{ .Values.testFramework.hookType | default "test" }}
|
||||||
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
||||||
|
labels:
|
||||||
|
{{- include "grafana.labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
privileged: false
|
||||||
|
hostNetwork: false
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- configMap
|
||||||
|
- downwardAPI
|
||||||
|
- emptyDir
|
||||||
|
- projected
|
||||||
|
- csi
|
||||||
|
- secret
|
||||||
|
{{- end }}
|
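--- /dev/null
+++ b/opencloud/charts/grafana/templates/tests/test-role.yaml
@@ -0,0 +1,17 @@
+{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "grafana.fullname" . }}-test
+  namespace: {{ include "grafana.namespace" . }}
+  annotations:
+    "helm.sh/hook": {{ .Values.testFramework.hookType | default "test" }}
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: [{{ include "grafana.fullname" . }}-test]
+{{- end }}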
@ -0,0 +1,20 @@
|
|||||||
|
{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "grafana.fullname" . }}-test
|
||||||
|
namespace: {{ include "grafana.namespace" . }}
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": {{ .Values.testFramework.hookType | default "test" }}
|
||||||
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
||||||
|
labels:
|
||||||
|
{{- include "grafana.labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "grafana.fullname" . }}-test
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ include "grafana.serviceAccountNameTest" . }}
|
||||||
|
namespace: {{ include "grafana.namespace" . }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,12 @@
|
|||||||
|
{{- if and .Values.testFramework.enabled .Values.serviceAccount.create }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{- include "grafana.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "grafana.serviceAccountNameTest" . }}
|
||||||
|
namespace: {{ include "grafana.namespace" . }}
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": {{ .Values.testFramework.hookType | default "test" }}
|
||||||
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
||||||
|
{{- end }}
|
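--- /dev/null
+++ b/opencloud/charts/grafana/templates/tests/test.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.testFramework.enabled }}
+{{- $root := . }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ include "grafana.fullname" . }}-test
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": {{ .Values.testFramework.hookType | default "test" }}
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  namespace: {{ include "grafana.namespace" . }}
+spec:
+  serviceAccountName: {{ include "grafana.serviceAccountNameTest" . }}
+  {{- with .Values.testFramework.securityContext }}
+  securityContext:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if or .Values.image.pullSecrets .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- include "grafana.imagePullSecrets" (dict "root" $root "imagePullSecrets" .Values.image.pullSecrets) | nindent 4 }}
+  {{- end }}
+  {{- with .Values.nodeSelector }}
+  nodeSelector:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.affinity }}
+  affinity:
+    {{- tpl (toYaml .) $root | nindent 4 }}
+  {{- end }}
+  {{- with .Values.tolerations }}
+  tolerations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  containers:
+    - name: {{ .Release.Name }}-test
+      image: "{{ .Values.global.imageRegistry | default .Values.testFramework.image.registry }}/{{ .Values.testFramework.image.repository }}:{{ .Values.testFramework.image.tag }}"
+      imagePullPolicy: "{{ .Values.testFramework.imagePullPolicy}}"
+      command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
+      volumeMounts:
+        - mountPath: /tests
+          name: tests
+          readOnly: true
+      {{- with .Values.testFramework.resources }}
+      resources:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  volumes:
+    - name: tests
+      configMap:
+        name: {{ include "grafana.fullname" . }}-test
+  restartPolicy: Never
+{{- end }}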
1545
opencloud/charts/grafana/values.yaml
Normal file
1545
opencloud/charts/grafana/values.yaml
Normal file
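--- /dev/null
+++ b/opencloud/charts/hydra/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*.txt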
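--- /dev/null
+++ b/opencloud/charts/hydra/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: ory-commons
+  repository: file://../ory-commons
+  version: 0.1.0
+- name: hydra-maester
+  repository: file://../hydra-maester
+  version: 0.50.2
+digest: sha256:f39e4a74150060c63515886f4905dce57e1a90419e5a5c530684f1a363686cda
+generated: "2024-11-28T10:30:15.53366383Z"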
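--- /dev/null
+++ b/opencloud/charts/hydra/Chart.yaml
@@ -0,0 +1,33 @@
+apiVersion: v2
+appVersion: v2.2.0
+dependencies:
+  - alias: ory
+    name: ory-commons
+    repository: file://../ory-commons
+    version: 0.1.0
+  - alias: hydra-maester
+    condition: maester.enabled
+    name: hydra-maester
+    repository: file://../hydra-maester
+    version: 0.50.2
+description: A Helm chart for deploying ORY Hydra in Kubernetes
+home: https://www.ory.sh/
+icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
+keywords:
+  - oauth2
+  - openid-connect
+  - openid
+  - oidc
+  - op
+  - api-security
+  - security
+maintainers:
+  - email: hi@ory.sh
+    name: ORY Team
+    url: https://www.ory.sh/
+name: hydra
+sources:
+  - https://github.com/ory/hydra
+  - https://github.com/ory/k8s
+type: application
+version: 0.50.2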
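--- a/opencloud/charts/hydra/README.md
+++ b/opencloud/charts/hydra/README.md
@@ -0,0 +1,206 @@
+# hydra
+
+![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square)
+
+A Helm chart for deploying ORY Hydra in Kubernetes
+
+**Homepage:** <https://www.ory.sh/>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| ORY Team | <hi@ory.sh> | <https://www.ory.sh/> |
+
+## Source Code
+
+* <https://github.com/ory/hydra>
+* <https://github.com/ory/k8s>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.1 |
+| file://../ory-commons | ory(ory-commons) | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | |
+| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
+| cronjob.janitor.affinity | object | `{}` | Configure node affinity |
+| cronjob.janitor.annotations | object | `{}` | Set custom cron job level annotations |
+| cronjob.janitor.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
+| cronjob.janitor.customArgs | list | `[]` | Configure the arguments of the entrypoint, overriding the default value |
+| cronjob.janitor.customCommand | list | `[]` | Configure a custom entrypoint, overriding the default value |
+| cronjob.janitor.extraContainers | string | `""` | If you want to add extra sidecar containers. |
+| cronjob.janitor.extraEnv | list | `[]` | Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
+| cronjob.janitor.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. |
+| cronjob.janitor.extraVolumeMounts | list | `[]` | |
+| cronjob.janitor.extraVolumes | list | `[]` | If you want to mount external volume |
+| cronjob.janitor.labels | object | `{}` | Set custom cron job level labels |
+| cronjob.janitor.nodeSelector | object | `{}` | Configure node labels for pod assignment |
+| cronjob.janitor.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| cronjob.janitor.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| cronjob.janitor.podMetadata.labels | object | `{}` | Extra pod level labels |
+| cronjob.janitor.podSecurityContext | object | `{}` | |
+| cronjob.janitor.resources | object | `{"limits":{},"requests":{}}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi |
+| cronjob.janitor.schedule | string | `"0 */1 * * *"` | Configure how often the cron job is ran |
+| cronjob.janitor.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100}` | Configure the containers' SecurityContext for the janitor cronjob |
+| cronjob.janitor.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
+| cronjob.janitor.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
+| cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| cronjob.janitor.tolerations | list | `[]` | Configure node tolerations |
+| deployment.annotations | object | `{}` | Set custom deployment level annotations |
+| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
+| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
+| deployment.automountServiceAccountToken | bool | `false` | |
+| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":3,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure HPA |
+| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
+| deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
+| deployment.customReadinessProbe | object | `{}` | Configure a custom readinessProbe. This overwrites the default object |
+| deployment.customStartupProbe | object | `{}` | Configure a custom startupProbe. This overwrites the default object |
+| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
+| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. |
+| deployment.extraEnv | list | `[]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
+| deployment.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. |
+| deployment.extraVolumeMounts | list | `[]` | |
+| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
+| deployment.initContainerSecurityContext | object | `{}` | |
+| deployment.labels | object | `{}` | Set custom deployment level labels |
+| deployment.lifecycle | object | `{}` | |
+| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. |
+| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
+| deployment.podSecurityContext.fsGroup | int | `65534` | |
+| deployment.podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
+| deployment.podSecurityContext.runAsGroup | int | `65534` | |
+| deployment.podSecurityContext.runAsNonRoot | bool | `true` | |
+| deployment.podSecurityContext.runAsUser | int | `65534` | |
+| deployment.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| deployment.readinessProbe | object | `{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10}` | Default probe timers |
+| deployment.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi |
+| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
+| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| deployment.securityContext.privileged | bool | `false` | |
+| deployment.securityContext.readOnlyRootFilesystem | bool | `true` | |
+| deployment.securityContext.runAsGroup | int | `65534` | |
+| deployment.securityContext.runAsNonRoot | bool | `true` | |
+| deployment.securityContext.runAsUser | int | `65534` | |
+| deployment.securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
+| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| deployment.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
+| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| deployment.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| deployment.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":0,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}` | Default probe timers |
+| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | |
+| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
+| deployment.strategy.type | string | `"RollingUpdate"` | |
+| deployment.terminationGracePeriodSeconds | int | `60` | |
+| deployment.tolerations | list | `[]` | Configure node tolerations. |
+| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
+| fullnameOverride | string | `""` | Full chart name override |
+| hydra-maester.adminService.name | string | `""` | The service name value may need to be set if you use `fullnameOverride` for the parent chart |
+| hydra.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - kratos |
+| hydra.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) |
+| hydra.automigration.enabled | bool | `false` | |
+| hydra.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer |
+| hydra.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job |
+| hydra.command | list | `["hydra"]` | Ability to override the entrypoint of hydra container (e.g. to source dynamic secrets or export environment dynamic variables) |
+| hydra.config | object | `{"secrets":{},"serve":{"admin":{"port":4445},"public":{"port":4444},"tls":{"allow_termination_from":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]}},"urls":{"self":{}}}` | The ORY Hydra configuration. For a full list of available settings, check: https://www.ory.sh/docs/hydra/reference/configuration |
+| hydra.config.secrets | object | `{}` | The secrets have to be provided as a string slice, example: system: - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa" - "foo bar 123 456 lorem" - "foo bar 123 456 lorem 1" - "foo bar 123 456 lorem 2" - "foo bar 123 456 lorem 3" |
+| hydra.config.urls | object | `{"self":{}}` | Configure the urls used by hydra itself, such as the issuer. Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart self: issuer: "https://public.hydra.localhost:4444/" |
+| hydra.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
+| hydra.dev | bool | `false` | Enable dev mode, not secure in production environments |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.repository | string | `"oryd/hydra"` | ORY Hydra image |
+| image.tag | string | `"v2.2.0"` | ORY Hydra version |
+| imagePullSecrets | list | `[]` | Image pull secrets |
+| ingress.admin.annotations | object | `{}` | |
+| ingress.admin.className | string | `""` | |
+| ingress.admin.enabled | bool | `false` | En-/Disable the api ingress. |
+| ingress.admin.hosts[0].host | string | `"admin.hydra.localhost"` | |
+| ingress.admin.hosts[0].paths[0].path | string | `"/"` | |
+| ingress.admin.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
+| ingress.public | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"public.hydra.localhost","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]}` | Configure ingress for the proxy port. |
+| ingress.public.enabled | bool | `false` | En-/Disable the proxy ingress. |
+| janitor.batchSize | int | `100` | Configure how many records are deleted with each iteration |
+| janitor.cleanupGrants | bool | `false` | Configure if the trust relationships must be cleaned up |
+| janitor.cleanupRequests | bool | `false` | Configure if the consent and authentication requests must be cleaned up |
+| janitor.cleanupTokens | bool | `false` | Configure if the access and refresh tokens must be cleaned up |
+| janitor.enabled | bool | `false` | Enable cleanup of stale database rows by periodically running the janitor command |
+| janitor.limit | int | `10000` | Configure how many records are retrieved from database for deletion |
+| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
+| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
+| job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
+| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
+| job.extraInitContainers | string | `""` | If you want to add extra init containers. extraInitContainers: | - name: ... image: ... |
+| job.labels | object | `{}` | Set custom deployment level labels |
+| job.lifecycle | string | `""` | If you want to add lifecycle hooks. |
+| job.nodeSelector | object | `{}` | Node labels for pod assignment. |
+| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| job.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| job.podMetadata.labels | object | `{}` | Extra pod level labels |
+| job.resources | object | `{}` | resource requests and limits for the automigration job |
+| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
+| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
+| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
+| job.spec.backoffLimit | int | `10` | Set job back off limit |
+| job.tolerations | list | `[]` | Configure node tolerations. |
+| maester.enabled | bool | `true` | |
+| nameOverride | string | `""` | |
+| pdb.enabled | bool | `false` | |
+| pdb.spec.maxUnavailable | string | `""` | |
+| pdb.spec.minAvailable | string | `""` | |
+| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
+| replicaCount | int | `1` | Number of ORY Hydra members |
+| secret.enabled | bool | `true` | switch to false to prevent creating the secret |
+| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
+| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
+| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
+| service.admin | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","metricsPath":"/admin/metrics/prometheus","name":"http","port":4445,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. |
+| service.admin.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
+| service.admin.enabled | bool | `true` | En-/disable the service |
+| service.admin.loadBalancerIP | string | `""` | The load balancer IP |
+| service.admin.metricsPath | string | `"/admin/metrics/prometheus"` | Path to the metrics endpoint |
+| service.admin.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
+| service.admin.port | int | `4445` | The service port |
+| service.admin.type | string | `"ClusterIP"` | The service type |
+| service.public | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","name":"http","port":4444,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. |
+| service.public.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
+| service.public.enabled | bool | `true` | En-/disable the service |
+| service.public.loadBalancerIP | string | `""` | The load balancer IP |
+| service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
+| service.public.port | int | `4444` | The service port |
+| service.public.type | string | `"ClusterIP"` | The service type |
+| serviceMonitor.enabled | bool | `false` | switch to true to enable creating the ServiceMonitor |
+| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
+| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
+| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
+| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended |
+| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
+| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
+| test.labels | object | `{}` | Provide additional labels to the test pod |
+| watcher.automountServiceAccountToken | bool | `true` | |
+| watcher.enabled | bool | `false` | |
+| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` | |
+| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
+| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
+| watcher.podSecurityContext | object | `{}` | pod securityContext for watcher deployment |
+| watcher.resources | object | `{}` | |
+| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
+| watcher.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}}` | container securityContext for watcher deployment |
+| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)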
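--- a/opencloud/charts/hydra/charts/hydra-maester/.helmignore
+++ b/opencloud/charts/hydra/charts/hydra-maester/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj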
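--- a/opencloud/charts/hydra/charts/hydra-maester/Chart.yaml
+++ b/opencloud/charts/hydra/charts/hydra-maester/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+appVersion: v0.0.34
+description: A Helm chart for Kubernetes
+icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
+name: hydra-maester
+type: application
+version: 0.50.2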
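--- a/opencloud/charts/hydra/charts/hydra-maester/README.md
+++ b/opencloud/charts/hydra/charts/hydra-maester/README.md
@@ -0,0 +1,66 @@
+# hydra-maester
+
+![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.34](https://img.shields.io/badge/AppVersion-v0.0.34-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| adminService.endpoint | string | `"/admin/clients"` | Set the clients endpoint, should be `/clients` for Hydra 1.x and `/admin/clients` for Hydra 2.x |
+| adminService.insecureSkipVerify | bool | `false` | Skip http client insecure verification |
+| adminService.name | string | `nil` | Service name |
+| adminService.port | int | `4445` | Service port |
+| adminService.scheme | string | `"http"` | Scheme used by Hydra client endpoint. May be "http" or "https" |
+| adminService.tlsTrustStorePath | string | `""` | TLS ca-cert path for hydra client |
+| affinity | object | `{}` | Configure node affinity |
+| deployment.args | object | `{"syncPeriod":""}` | Arguments to be passed to the program |
+| deployment.args.syncPeriod | string | `""` | The minimum frequency at which watched resources are reconciled |
+| deployment.automountServiceAccountToken | bool | `true` | This applications connects to the k8s API and requires the permissions |
+| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
+| deployment.extraAnnotations | object | `{}` | Deployment level extra annotations |
+| deployment.extraLabels | object | `{}` | Deployment level extra labels |
+| deployment.extraVolumeMounts | list | `[]` | |
+| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
+| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. |
+| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
+| deployment.podSecurityContext.fsGroup | int | `65534` | |
+| deployment.podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
+| deployment.podSecurityContext.runAsGroup | int | `65534` | |
+| deployment.podSecurityContext.runAsNonRoot | bool | `true` | |
+| deployment.podSecurityContext.runAsUser | int | `65534` | |
+| deployment.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| deployment.resources | object | `{}` | |
+| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| deployment.securityContext.privileged | bool | `false` | |
+| deployment.securityContext.readOnlyRootFilesystem | bool | `true` | |
+| deployment.securityContext.runAsGroup | int | `65534` | |
+| deployment.securityContext.runAsNonRoot | bool | `true` | |
+| deployment.securityContext.runAsUser | int | `65534` | |
+| deployment.securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
+| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| deployment.serviceAccount | object | `{"annotations":{}}` | Configure service account |
+| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| deployment.terminationGracePeriodSeconds | int | `60` | |
+| deployment.tolerations | list | `[]` | Configure node tolerations. |
+| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
+| enabledNamespaces | list | `[]` | The Controller have CREATE and READ access to all Secrets in the namespaces listed below. |
+| forwardedProto | string | `nil` | |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image |
+| image.tag | string | `"v0.0.35-amd64"` | Ory Hydra-maester version |
+| imagePullSecrets | list | `[]` | Image pull secrets |
+| pdb.enabled | bool | `false` | |
+| pdb.spec.maxUnavailable | string | `""` | |
+| pdb.spec.minAvailable | string | `""` | |
+| priorityClassName | string | `""` | Pod priority # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
+| replicaCount | int | `1` | Number of replicas in deployment |
+| revisionHistoryLimit | int | `5` | Number of revisions kept in history |
+| singleNamespaceMode | bool | `false` | Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)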
@ -0,0 +1,357 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
controller-gen.kubebuilder.io/version: v0.11.3
|
||||||
|
creationTimestamp: null
|
||||||
|
name: oauth2clients.hydra.ory.sh
|
||||||
|
spec:
|
||||||
|
group: hydra.ory.sh
|
||||||
|
names:
|
||||||
|
kind: OAuth2Client
|
||||||
|
listKind: OAuth2ClientList
|
||||||
|
plural: oauth2clients
|
||||||
|
singular: oauth2client
|
||||||
|
scope: Namespaced
|
||||||
|
versions:
|
||||||
|
- name: v1alpha1
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
description: OAuth2Client is the Schema for the oauth2clients API
|
||||||
|
properties:
|
||||||
|
apiVersion:
|
||||||
|
description:
|
||||||
|
"APIVersion defines the versioned schema of this representation
|
||||||
|
of an object. Servers should convert recognized schemas to the
|
||||||
|
latest internal value, and may reject unrecognized values. More
|
||||||
|
info:
|
||||||
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
description:
|
||||||
|
"Kind is a string value representing the REST resource this
|
||||||
|
object represents. Servers may infer this from the endpoint the
|
||||||
|
client submits requests to. Cannot be updated. In CamelCase.
|
||||||
|
More info:
|
||||||
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
||||||
|
type: string
|
||||||
|
metadata:
|
||||||
|
type: object
|
||||||
|
spec:
|
||||||
|
description:
|
||||||
|
OAuth2ClientSpec defines the desired state of OAuth2Client
|
||||||
|
properties:
|
||||||
|
allowedCorsOrigins:
|
||||||
|
description:
|
||||||
|
AllowedCorsOrigins is an array of allowed CORS origins
|
||||||
|
items:
|
||||||
|
description:
|
||||||
|
RedirectURI represents a redirect URI for the client
|
||||||
|
pattern: \w+:/?/?[^\s]+
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
audience:
|
||||||
|
description:
|
||||||
|
Audience is a whitelist defining the audiences this client
|
||||||
|
is allowed to request tokens for
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
backChannelLogoutSessionRequired:
|
||||||
|
default: false
|
||||||
|
description:
|
||||||
|
BackChannelLogoutSessionRequired Boolean value specifying
|
||||||
|
whether the RP requires that a sid (session ID) Claim be
|
||||||
|
included in the Logout Token to identify the RP session with
|
||||||
|
the OP when the backchannel_logout_uri is used. If omitted,
|
||||||
|
the default value is false.
|
||||||
|
type: boolean
|
||||||
|
backChannelLogoutURI:
|
||||||
|
description:
|
||||||
|
BackChannelLogoutURI RP URL that will cause the RP to log
|
||||||
|
itself out when sent a Logout Token by the OP
|
||||||
|
pattern: (^$|^https?://.*)
|
||||||
|
type: string
|
||||||
|
clientName:
|
||||||
|
description:
|
||||||
|
ClientName is the human-readable string name of the client
|
||||||
|
to be presented to the end-user during authorization.
|
||||||
|
type: string
|
||||||
|
frontChannelLogoutSessionRequired:
|
||||||
|
default: false
|
||||||
|
description:
|
||||||
|
FrontChannelLogoutSessionRequired Boolean value specifying
|
||||||
|
whether the RP requires that iss (issuer) and sid (session
|
||||||
|
ID) query parameters be included to identify the RP session
|
||||||
|
with the OP when the frontchannel_logout_uri is used
|
||||||
|
type: boolean
|
||||||
|
frontChannelLogoutURI:
|
||||||
|
description:
|
||||||
|
FrontChannelLogoutURI RP URL that will cause the RP to log
|
||||||
|
itself out when rendered in an iframe by the OP. An iss
|
||||||
|
(issuer) query parameter and a sid (session ID) query
|
||||||
|
parameter MAY be included by the OP to enable the RP to
|
||||||
|
validate the request and to determine which of the
|
||||||
|
potentially multiple sessions is to be logged out; if either
|
||||||
|
is included, both MUST be
|
||||||
|
pattern: (^$|^https?://.*)
|
||||||
|
type: string
|
||||||
|
grantTypes:
|
||||||
|
description:
|
||||||
|
GrantTypes is an array of grant types the client is allowed
|
||||||
|
to use.
|
||||||
|
items:
|
||||||
|
description: GrantType represents an OAuth 2.0 grant type
|
||||||
|
enum:
|
||||||
|
- client_credentials
|
||||||
|
- authorization_code
|
||||||
|
- implicit
|
||||||
|
- refresh_token
|
||||||
|
type: string
|
||||||
|
maxItems: 4
|
||||||
|
minItems: 1
|
||||||
|
type: array
|
||||||
|
hydraAdmin:
|
||||||
|
description:
|
||||||
|
HydraAdmin is the optional configuration to use for managing
|
||||||
|
this client
|
||||||
|
properties:
|
||||||
|
endpoint:
|
||||||
|
description:
|
||||||
|
Endpoint is the endpoint for the hydra instance on which
|
||||||
|
to set up the client. This value will override the value
|
||||||
|
provided to `--endpoint` (defaults to `"/clients"` in
|
||||||
|
the application)
|
||||||
|
pattern: (^$|^/.*)
|
||||||
|
type: string
|
||||||
|
forwardedProto:
|
||||||
|
description:
|
||||||
|
ForwardedProto overrides the `--forwarded-proto` flag.
|
||||||
|
The value "off" will force this to be off even if
|
||||||
|
`--forwarded-proto` is specified
|
||||||
|
pattern: (^$|https?|off)
|
||||||
|
type: string
|
||||||
|
port:
|
||||||
|
description:
|
||||||
|
Port is the port for the hydra instance on which to set
|
||||||
|
up the client. This value will override the value
|
||||||
|
provided to `--hydra-port`
|
||||||
|
maximum: 65535
|
||||||
|
type: integer
|
||||||
|
url:
|
||||||
|
description:
|
||||||
|
URL is the URL for the hydra instance on which to set up
|
||||||
|
the client. This value will override the value provided
|
||||||
|
to `--hydra-url`
|
||||||
|
maxLength: 64
|
||||||
|
pattern: (^$|^https?://.*)
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
jwksUri:
|
||||||
|
description:
|
||||||
|
JwksUri Define the URL where the JSON Web Key Set should be
|
||||||
|
fetched from when performing the private_key_jwt client
|
||||||
|
authentication method.
|
||||||
|
pattern: (^$|^https?://.*)
|
||||||
|
type: string
|
||||||
|
metadata:
|
||||||
|
description: Metadata is arbitrary data
|
||||||
|
nullable: true
|
||||||
|
type: object
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
postLogoutRedirectUris:
|
||||||
|
description:
|
||||||
|
PostLogoutRedirectURIs is an array of the post logout
|
||||||
|
redirect URIs allowed for the application
|
||||||
|
items:
|
||||||
|
description:
|
||||||
|
RedirectURI represents a redirect URI for the client
|
||||||
|
pattern: \w+:/?/?[^\s]+
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
redirectUris:
|
||||||
|
description:
|
||||||
|
RedirectURIs is an array of the redirect URIs allowed for
|
||||||
|
the application
|
||||||
|
items:
|
||||||
|
description:
|
||||||
|
RedirectURI represents a redirect URI for the client
|
||||||
|
pattern: \w+:/?/?[^\s]+
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
responseTypes:
|
||||||
|
description:
|
||||||
|
ResponseTypes is an array of the OAuth 2.0 response type
|
||||||
|
strings that the client can use at the authorization
|
||||||
|
endpoint.
|
||||||
|
items:
|
||||||
|
description:
|
||||||
|
ResponseType represents an OAuth 2.0 response type strings
|
||||||
|
enum:
|
||||||
|
- id_token
|
||||||
|
- code
|
||||||
|
- token
|
||||||
|
- code token
|
||||||
|
- code id_token
|
||||||
|
- id_token token
|
||||||
|
- code id_token token
|
||||||
|
type: string
|
||||||
|
maxItems: 3
|
||||||
|
minItems: 1
|
||||||
|
type: array
|
||||||
|
scope:
|
||||||
|
description:
|
||||||
|
Scope is a string containing a space-separated list of scope
|
||||||
|
values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
|
||||||
|
that the client can use when requesting access tokens.
|
||||||
|
pattern: ([a-zA-Z0-9\.\*]+\s?)+
|
||||||
|
type: string
|
||||||
|
secretName:
|
||||||
|
description:
|
||||||
|
SecretName points to the K8s secret that contains this
|
||||||
|
client's ID and password
|
||||||
|
maxLength: 253
|
||||||
|
minLength: 1
|
||||||
|
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
|
||||||
|
type: string
|
||||||
|
skipConsent:
|
||||||
|
default: false
|
||||||
|
description:
|
||||||
|
SkipConsent skips the consent screen for this client.
|
||||||
|
type: boolean
|
||||||
|
tokenEndpointAuthMethod:
|
||||||
|
allOf:
|
||||||
|
- enum:
|
||||||
|
- client_secret_basic
|
||||||
|
- client_secret_post
|
||||||
|
- private_key_jwt
|
||||||
|
- none
|
||||||
|
- enum:
|
||||||
|
- client_secret_basic
|
||||||
|
- client_secret_post
|
||||||
|
- private_key_jwt
|
||||||
|
- none
|
||||||
|
description:
|
||||||
|
Indication which authentication method shoud be used for the
|
||||||
|
token endpoint
|
||||||
|
type: string
|
||||||
|
tokenLifespans:
|
||||||
|
description: Configuration about token lifespans.
|
||||||
|
properties:
|
||||||
|
authorization_code_grant_access_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the access token issued during
|
||||||
|
authorization_code grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
authorization_code_grant_id_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the id token issued during
|
||||||
|
authorization_code grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
authorization_code_grant_refresh_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the refresh token issued during
|
||||||
|
authorization_code grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
client_credentials_grant_access_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the access token issued during
|
||||||
|
client_credentials grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
implicit_grant_access_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the access token issued during implicit
|
||||||
|
grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
implicit_grant_id_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the id token issued during implicit
|
||||||
|
grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
jwt_bearer_grant_access_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the access token issued during
|
||||||
|
jwt_bearer grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
refresh_token_grant_access_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the access token issued during
|
||||||
|
refresh_token grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
refresh_token_grant_id_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the id token issued during refresh_token
|
||||||
|
grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
refresh_token_grant_refresh_token_lifespan:
|
||||||
|
description:
|
||||||
|
The lifespan of the refresh token issued during
|
||||||
|
refresh_token grant type.
|
||||||
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- grantTypes
|
||||||
|
- scope
|
||||||
|
- secretName
|
||||||
|
type: object
|
||||||
|
status:
|
||||||
|
description:
|
||||||
|
OAuth2ClientStatus defines the observed state of OAuth2Client
|
||||||
|
properties:
|
||||||
|
conditions:
|
||||||
|
items:
|
||||||
|
description:
|
||||||
|
OAuth2ClientCondition contains condition information for
|
||||||
|
an OAuth2Client
|
||||||
|
properties:
|
||||||
|
status:
|
||||||
|
enum:
|
||||||
|
- "True"
|
||||||
|
- "False"
|
||||||
|
- Unknown
|
||||||
|
type: string
|
||||||
|
type:
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- status
|
||||||
|
- type
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
observedGeneration:
|
||||||
|
description:
|
||||||
|
ObservedGeneration represents the most recent generation
|
||||||
|
observed by the daemon set controller.
|
||||||
|
format: int64
|
||||||
|
type: integer
|
||||||
|
reconciliationError:
|
||||||
|
description:
|
||||||
|
ReconciliationError represents an error that occurred during
|
||||||
|
the reconciliation process
|
||||||
|
properties:
|
||||||
|
description:
|
||||||
|
description:
|
||||||
|
Description is the description of the reconciliation
|
||||||
|
error
|
||||||
|
type: string
|
||||||
|
statusCode:
|
||||||
|
description:
|
||||||
|
Code is the status code of the reconciliation error
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
subresources:
|
||||||
|
status: {}
|
@ -0,0 +1,59 @@
|
|||||||
|
{{/* vim: set filetype=mustache: */}}
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
*/}}
|
||||||
|
{{- define "hydra-maester.name" -}}
|
||||||
|
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "hydra-maester.fullname" -}}
|
||||||
|
{{- if .Values.fullnameOverride -}}
|
||||||
|
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||||
|
{{- if contains $name .Release.Name -}}
|
||||||
|
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create chart name and version as used by the chart label.
|
||||||
|
*/}}
|
||||||
|
{{- define "hydra-maester.chart" -}}
|
||||||
|
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Common labels
|
||||||
|
*/}}
|
||||||
|
{{- define "hydra-maester.labels" -}}
|
||||||
|
app.kubernetes.io/name: {{ include "hydra-maester.name" . }}
|
||||||
|
helm.sh/chart: {{ include "hydra-maester.chart" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
{{- if .Chart.AppVersion }}
|
||||||
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||||
|
{{- end }}
|
||||||
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get Hydra admin service name
|
||||||
|
*/}}
|
||||||
|
{{- define "hydra-maester.adminService" -}}
|
||||||
|
{{- if .Values.hydraFullnameOverride -}}
|
||||||
|
{{- printf "%s-admin" .Values.hydraFullnameOverride -}}
|
||||||
|
{{- else if contains "hydra" .Release.Name -}}
|
||||||
|
{{- printf "%s-admin" .Release.Name -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-%s-admin" .Release.Name "hydra" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
@ -0,0 +1,119 @@
|
|||||||
|
{{- if and (ne .Values.adminService.scheme "http") (ne .Values.adminService.scheme "https") -}}
|
||||||
|
{{ fail "invalid scheme: must be http or https" }}
|
||||||
|
{{- end -}}
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "hydra-maester.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.deployment.extraLabels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.replicaCount }}
|
||||||
|
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
control-plane: controller-manager
|
||||||
|
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
control-plane: controller-manager
|
||||||
|
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
{{- with .Values.deployment.extraLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.deployment.podMetadata.labels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
annotations:
|
||||||
|
{{- with .Values.deployment.extraAnnotations }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.deployment.podMetadata.annotations }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- with .Values.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if .Values.deployment.extraVolumes }}
|
||||||
|
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
|
||||||
|
containers:
|
||||||
|
- name: {{ .Chart.Name }}
|
||||||
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
|
command:
|
||||||
|
- /manager
|
||||||
|
args:
|
||||||
|
- --metrics-addr=127.0.0.1:8080
|
||||||
|
- --hydra-url={{ required "scheme is required" .Values.adminService.scheme }}://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
|
||||||
|
- --hydra-port={{ required "port must be set and non-empty" .Values.adminService.port }}
|
||||||
|
{{- with .Values.adminService.endpoint }}
|
||||||
|
- --endpoint={{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.forwardedProto }}
|
||||||
|
- --forwarded-proto={{ .Values.forwardedProto }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.singleNamespaceMode }}
|
||||||
|
- --namespace={{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.deployment.args.syncPeriod }}
|
||||||
|
- --sync-period={{ .Values.deployment.args.syncPeriod }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.adminService.insecureSkipVerify }}
|
||||||
|
- --insecure-skip-verify={{ .Values.adminService.insecureSkipVerify }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.adminService.tlsTrustStorePath }}
|
||||||
|
- --tls-trust-store={{ .Values.adminService.tlsTrustStorePath }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if .Values.deployment.extraVolumeMounts }}
|
||||||
|
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
{{- toYaml .Values.deployment.resources | nindent 12 }}
|
||||||
|
terminationMessagePath: /dev/termination-log
|
||||||
|
terminationMessagePolicy: File
|
||||||
|
{{- if .Values.deployment.securityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.deployment.securityContext | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ include "hydra-maester.fullname" . }}-account
|
||||||
|
automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
|
||||||
|
{{- if .Values.priorityClassName }}
|
||||||
|
priorityClassName: {{ .Values.priorityClassName }}
|
||||||
|
{{- end }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- with .Values.deployment.nodeSelector }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.deployment.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.deployment.topologySpreadConstraints }}
|
||||||
|
topologySpreadConstraints:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.deployment.dnsConfig }}
|
||||||
|
dnsConfig:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.deployment.podSecurityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,19 @@
|
|||||||
|
{{- if .Values.pdb.enabled -}}
|
||||||
|
---
|
||||||
|
apiVersion: policy/v1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
control-plane: controller-manager
|
||||||
|
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
{{- with .Values.pdb.spec.maxUnavailable }}
|
||||||
|
maxUnavailable: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.pdb.spec.minAvailable }}
|
||||||
|
minAvailable: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end -}}
|
@ -0,0 +1,95 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-account
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{- include "hydra-maester.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.deployment.serviceAccount.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not .Values.singleNamespaceMode }}
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-role
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["hydra.ory.sh"]
|
||||||
|
resources: ["oauth2clients", "oauth2clients/status"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["list", "watch", "create"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-role-binding
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-role
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-role
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create"]
|
||||||
|
- apiGroups: ["hydra.ory.sh"]
|
||||||
|
resources: ["oauth2clients", "oauth2clients/status"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-role-binding
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "hydra-maester.fullname" . }}-role
|
||||||
|
|
||||||
|
{{- $name := include "hydra-maester.fullname" . -}}
|
||||||
|
{{- $namespace := .Release.Namespace -}}
|
||||||
|
{{- range .Values.enabledNamespaces }}
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ $name }}-role
|
||||||
|
namespace: {{ . }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update"]
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ $name }}-role-binding
|
||||||
|
namespace: {{ . }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $name }}-account # Service account assigned to the controller pod.
|
||||||
|
namespace: {{ $namespace }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $name }}-role
|
||||||
|
{{- end }}
|
156
opencloud/charts/hydra/charts/hydra-maester/values.yaml
Normal file
@ -0,0 +1,156 @@
|
|||||||
|
# -- Number of replicas in deployment
|
||||||
|
replicaCount: 1
|
||||||
|
# -- Number of revisions kept in history
|
||||||
|
revisionHistoryLimit: 5
|
||||||
|
# -- The Controller have CREATE and READ access to all Secrets in the namespaces listed below.
|
||||||
|
enabledNamespaces: []
|
||||||
|
|
||||||
|
# -- Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others
|
||||||
|
singleNamespaceMode: false
|
||||||
|
|
||||||
|
image:
|
||||||
|
# -- Ory Hydra-maester image
|
||||||
|
repository: oryd/hydra-maester
|
||||||
|
# -- Ory Hydra-maester version
|
||||||
|
tag: v0.0.35-amd64
|
||||||
|
# -- Image pull policy
|
||||||
|
pullPolicy: IfNotPresent
|
||||||
|
|
||||||
|
# -- Image pull secrets
|
||||||
|
imagePullSecrets: []
|
||||||
|
|
||||||
|
# -- Pod priority
|
||||||
|
## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
|
||||||
|
priorityClassName: ""
|
||||||
|
|
||||||
|
## -- Connection data to admin service of Hydra
|
||||||
|
adminService:
|
||||||
|
# -- Service name
|
||||||
|
name:
|
||||||
|
# -- Service port
|
||||||
|
port: 4445
|
||||||
|
# -- Set the clients endpoint, should be `/clients` for Hydra 1.x and
|
||||||
|
# `/admin/clients` for Hydra 2.x
|
||||||
|
endpoint: /admin/clients
|
||||||
|
# -- Scheme used by Hydra client endpoint. May be "http" or "https"
|
||||||
|
scheme: http
|
||||||
|
# -- TLS ca-cert path for hydra client
|
||||||
|
tlsTrustStorePath: ""
|
||||||
|
# -- Skip http client insecure verification
|
||||||
|
insecureSkipVerify: false
|
||||||
|
|
||||||
|
forwardedProto:
|
||||||
|
|
||||||
|
## -- Deployment specific config
|
||||||
|
deployment:
|
||||||
|
resources:
|
||||||
|
{}
|
||||||
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||||
|
# choice for the user. This also increases chances charts run on environments with little
|
||||||
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||||
|
# limits:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 30Mi
|
||||||
|
# requests:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 20Mi
|
||||||
|
|
||||||
|
# -- If you want to mount external volume
|
||||||
|
extraVolumes: []
|
||||||
|
# - name: my-volume
|
||||||
|
# secret:
|
||||||
|
# secretName: my-secret
|
||||||
|
extraVolumeMounts: []
|
||||||
|
# - name: my-volume
|
||||||
|
# mountPath: /etc/secrets/my-secret
|
||||||
|
# readOnly: true
|
||||||
|
|
||||||
|
## -- pod securityContext
|
||||||
|
podSecurityContext:
|
||||||
|
fsGroupChangePolicy: "OnRootMismatch"
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
|
fsGroup: 65534
|
||||||
|
runAsGroup: 65534
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
|
||||||
|
## -- container securityContext
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
|
runAsGroup: 65534
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
privileged: false
|
||||||
|
seLinuxOptions:
|
||||||
|
level: "s0:c123,c456"
|
||||||
|
|
||||||
|
# -- Node labels for pod assignment.
|
||||||
|
nodeSelector: {}
|
||||||
|
# If you do want to specify node labels, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
|
||||||
|
# foo: bar
|
||||||
|
|
||||||
|
# -- Configure node tolerations.
|
||||||
|
tolerations: []
|
||||||
|
# -- Deployment level extra annotations
|
||||||
|
extraAnnotations: {}
|
||||||
|
# -- Deployment level extra labels
|
||||||
|
extraLabels: {}
|
||||||
|
|
||||||
|
# -- Configure pod topologySpreadConstraints.
|
||||||
|
topologySpreadConstraints: []
|
||||||
|
# - maxSkew: 1
|
||||||
|
# topologyKey: topology.kubernetes.io/zone
|
||||||
|
# whenUnsatisfiable: DoNotSchedule
|
||||||
|
# labelSelector:
|
||||||
|
# matchLabels:
|
||||||
|
# app.kubernetes.io/name: hydra
|
||||||
|
# app.kubernetes.io/instance: hydra
|
||||||
|
|
||||||
|
# -- Configure pod dnsConfig.
|
||||||
|
dnsConfig: {}
|
||||||
|
# options:
|
||||||
|
# - name: "ndots"
|
||||||
|
# value: "1"
|
||||||
|
|
||||||
|
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
|
||||||
|
podMetadata:
|
||||||
|
# -- Extra pod level labels
|
||||||
|
labels: {}
|
||||||
|
# -- Extra pod level annotations
|
||||||
|
annotations: {}
|
||||||
|
|
||||||
|
# https://github.com/kubernetes/kubernetes/issues/57601
|
||||||
|
# -- This applications connects to the k8s API and requires the permissions
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
|
||||||
|
terminationGracePeriodSeconds: 60
|
||||||
|
|
||||||
|
# -- Arguments to be passed to the program
|
||||||
|
args:
|
||||||
|
# -- The minimum frequency at which watched resources are reconciled
|
||||||
|
syncPeriod: ""
|
||||||
|
# syncPeriod: 10h
|
||||||
|
|
||||||
|
# -- Configure service account
|
||||||
|
serviceAccount:
|
||||||
|
# -- Annotations to add to the service account
|
||||||
|
annotations: {}
|
||||||
|
|
||||||
|
# -- Configure node affinity
|
||||||
|
affinity: {}
|
||||||
|
|
||||||
|
## -- PodDistributionBudget configuration
|
||||||
|
pdb:
|
||||||
|
enabled: false
|
||||||
|
spec:
|
||||||
|
minAvailable: ""
|
||||||
|
maxUnavailable: ""
|
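--- a/opencloud/charts/hydra/charts/ory-commons/.helmignore
+++ b/opencloud/charts/hydra/charts/ory-commons/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/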
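--- a/opencloud/charts/hydra/charts/ory-commons/Chart.yaml
+++ b/opencloud/charts/hydra/charts/ory-commons/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 0.0.0
+description: 'Collection of helper function for the Ory Helm environment '
+name: ory-commons
+type: library
+version: 0.1.0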
@ -0,0 +1,12 @@
{{/*
Check if list contains object
*/}}
{{- define "ory.extraEnvContainsEnvName" -}}
{{- $extraEnvs := index . 0 -}}
{{- $envName := index . 1 -}}
{{- range $k, $v := $extraEnvs -}}
{{- if eq $v.name $envName -}}
found
{{- end -}}
{{- end -}}
{{- end -}}
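--- a/opencloud/charts/hydra/files/watch.sh
+++ b/opencloud/charts/hydra/files/watch.sh
@@ -0,0 +1,17 @@
+set -Eeuo pipefail
+set -x
+
+function rollOut() {
+DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
+kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
+kubectl rollout status -n $NAMESPACE ${DEPLOY}
+}
+
+while true; do
+# After change in the CM the symlink is recreated, so we need to restart the monitor
+inotifywait --event DELETE_SELF "${WATCH_FILE}" |
+while read path _ file; do
+echo "---> $path$file modified"
+rollOut "${LABEL_SELECTOR}"
+done
+done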
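Review bot: `rollOut` never checks that `DEPLOY` is non-empty; when the label selector passed as `${1}` matches no Deployment, the `kubectl set env` on the next line runs without a resource argument and fails, and under `set -e` inside the pipeline that most likely aborts the whole watch loop rather than just skipping the event. A guard right after the lookup, `[ -n "${DEPLOY}" ] || { echo "no deployment matches ${1}"; return 0; }`, keeps the watcher alive. The two kubectl lines also expand `$NAMESPACE` unquoted while the lookup uses `"${NAMESPACE}"`; use the quoted form throughout. Because `set -x` echoes every expanded command into the container log, it is worth a comment at the top confirming that NAMESPACE, WATCH_FILE and LABEL_SELECTOR are the only inputs and carry nothing sensitive.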
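--- a/opencloud/charts/hydra/templates/_helpers.tpl
+++ b/opencloud/charts/hydra/templates/_helpers.tpl
@@ -0,0 +1,229 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hydra.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hydra.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hydra.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Ensure there is always a way to track down source of the deployment.
+It is unlikely AppVersion will be missing, but we will fallback on the
+chart's version in that case.
+*/}}
+{{- define "hydra.version" -}}
+{{- if .Chart.AppVersion }}
+{{- .Chart.AppVersion -}}
+{{- else -}}
+{{- printf "v%s" .Chart.Version -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "hydra.labels" -}}
+"app.kubernetes.io/name": {{ include "hydra.name" . | quote }}
+"app.kubernetes.io/instance": {{ .Release.Name | quote }}
+"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
+"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
+"helm.sh/chart": {{ include "hydra.chart" . | quote }}
+{{- if $.Values.watcher.enabled }}
+{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "hydra.name" .) }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Generate the dsn value
+*/}}
+{{- define "hydra.dsn" -}}
+{{- if .Values.demo -}}
+memory
+{{- else if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
+dsn-loaded-from-env
+{{- else if not (empty (.Values.hydra.config.dsn)) -}}
+{{- .Values.hydra.config.dsn }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate the name of the secret resource containing secrets
+*/}}
+{{- define "hydra.secretname" -}}
+{{- if .Values.secret.nameOverride -}}
+{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{ include "hydra.fullname" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate the secrets.system value
+*/}}
+{{- define "hydra.secrets.system" -}}
+{{- if (.Values.hydra.config.secrets).system -}}
+{{- if kindIs "slice" .Values.hydra.config.secrets.system -}}
+{{- if gt (len .Values.hydra.config.secrets.system) 1 -}}
+"{{- join "\",\"" .Values.hydra.config.secrets.system -}}"
+{{- else -}}
+{{- join "" .Values.hydra.config.secrets.system -}}
+{{- end -}}
+{{- else -}}
+{{- fail "Expected hydra.config.secrets.system to be a list of strings" -}}
+{{- end -}}
+{{- else if .Values.demo -}}
+a-very-insecure-secret-for-checking-out-the-demo
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate the secrets.cookie value
+*/}}
+{{- define "hydra.secrets.cookie" -}}
+{{- if (.Values.hydra.config.secrets).cookie -}}
+{{- if kindIs "slice" .Values.hydra.config.secrets.cookie -}}
+{{- if gt (len .Values.hydra.config.secrets.cookie) 1 -}}
+"{{- join "\",\"" .Values.hydra.config.secrets.cookie -}}"
+{{- else -}}
+{{- join "" .Values.hydra.config.secrets.cookie -}}
+{{- end -}}
+{{- else -}}
+{{- fail "Expected hydra.config.secrets.cookie to be a list of strings" -}}
+{{- end -}}
+{{- else -}}
+{{- include "hydra.secrets.system" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate the configmap data, redacting secrets
+*/}}
+{{- define "hydra.configmap" -}}
+{{- $config := omit .Values.hydra.config "dsn" "secrets" -}}
+{{- tpl (toYaml $config) . -}}
+{{- end -}}
+
+{{/*
+Generate the urls.issuer value
+*/}}
+{{- define "hydra.config.urls.issuer" -}}
+{{- if .Values.hydra.config.urls.self.issuer -}}
+{{- .Values.hydra.config.urls.self.issuer }}
+{{- else if .Values.ingress.public.enabled -}}
+{{- $host := index .Values.ingress.public.hosts 0 -}}
+http{{ if $.Values.ingress.public.tls }}s{{ end }}://{{ $host.host }}
+{{- else if contains "ClusterIP" .Values.service.public.type -}}
+http://127.0.0.1:{{ .Values.service.public.port }}/
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check overrides consistency
+*/}}
+{{- define "hydra.check.override.consistency" -}}
+{{- if and .Values.maester.enabled .Values.fullnameOverride -}}
+{{- if not .Values.maester.hydraFullnameOverride -}}
+{{ fail "hydra fullname has been overridden, but the new value has not been provided to maester. Set maester.hydraFullnameOverride" }}
+{{- else if not (eq .Values.maester.hydraFullnameOverride .Values.fullnameOverride) -}}
+{{ fail (tpl "hydra fullname has been overridden, but a different value was provided to maester. {{ .Values.maester.hydraFullnameOverride }} different of {{ .Values.fullnameOverride }}" . ) }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "hydra.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hydra.serviceAccountName" -}}
+{{- if .Values.deployment.serviceAccount.create }}
+{{- default (include "hydra.fullname" .) .Values.deployment.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.deployment.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account for the Job to use
+*/}}
+{{- define "hydra.job.serviceAccountName" -}}
+{{- if .Values.job.serviceAccount.create }}
+{{- printf "%s-job" (default (include "hydra.fullname" .) .Values.job.serviceAccount.name) }}
+{{- else }}
+{{- include "hydra.serviceAccountName" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account for the Job to use
+*/}}
+{{- define "hydra.cronjob.janitor.serviceAccountName" -}}
+{{- if .Values.cronjob.janitor.serviceAccount.create }}
+{{- printf "%s-cronjob-janitor" (default (include "hydra.fullname" .) .Values.cronjob.janitor.serviceAccount.name) }}
+{{- else }}
+{{- include "hydra.serviceAccountName" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Checksum annotations generated from configmaps and secrets
+*/}}
+{{- define "hydra.annotations.checksum" -}}
+{{- if .Values.configmap.hashSumEnabled }}
+checksum/hydra-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+{{- end }}
+{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
+checksum/hydra-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+{{- end }}
+{{- end }}
+
+{{/*
+Check the migration type value and fail if unexpected
+*/}}
+{{- define "hydra.automigration.typeVerification" -}}
+{{- if and .Values.hydra.automigration.enabled .Values.hydra.automigration.type }}
+{{- if and (ne .Values.hydra.automigration.type "initContainer") (ne .Values.hydra.automigration.type "job") }}
+{{- fail "hydra.automigration.type must be either 'initContainer' or 'job'" -}}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common labels for the janitor cron job
+*/}}
+{{- define "hydra.janitor.labels" -}}
+"app.kubernetes.io/name": {{ printf "%s-janitor" (include "hydra.name" .) | quote }}
+"app.kubernetes.io/instance": {{ .Release.Name | quote }}
+"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
+"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
+"app.kubernetes.io/component": janitor
+"helm.sh/chart": {{ include "hydra.chart" . | quote }}
+{{- end -}}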
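Review bot: `hydra.secrets.cookie` silently falls back to `hydra.secrets.system` whenever `hydra.config.secrets.cookie` is unset, so the same value then backs both SECRETS_SYSTEM and SECRETS_COOKIE, and neither the helper nor its header comment says so. Extend the comment to `Generate the secrets.cookie value. Falls back to the system secret when no cookie secret is configured, so both keys then share one value; set hydra.config.secrets.cookie explicitly to keep them separate.` The `hydra.secrets.system` demo fallback is gated on `.Values.demo` only, which is fine, but that chain deserves the same one-line comment. Separately, `hydra.config.urls.issuer` emits a trailing slash in the ClusterIP branch (`http://127.0.0.1:…/`) but none in the ingress branch; since OIDC clients compare the issuer string exactly against discovery, a comment should state which form callers must expect.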
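--- a/opencloud/charts/hydra/templates/configmap-automigrate.yaml
+++ b/opencloud/charts/hydra/templates/configmap-automigrate.yaml
@@ -0,0 +1,18 @@
+{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: {{ include "hydra.fullname" . }}-migrate
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+annotations:
+helm.sh/hook-weight: "0"
+helm.sh/hook: "pre-install, pre-upgrade"
+helm.sh/hook-delete-policy: "before-hook-creation"
+data:
+"hydra.yaml": |
+{{- include "hydra.configmap" . | nindent 4 }}
+{{- end }}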
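--- a/opencloud/charts/hydra/templates/configmap.yaml
+++ b/opencloud/charts/hydra/templates/configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: {{ include "hydra.fullname" . }}
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+data:
+"hydra.yaml": |
+{{- include "hydra.configmap" . | nindent 4 }}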
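--- a/opencloud/charts/hydra/templates/deployment-watcher.yaml
+++ b/opencloud/charts/hydra/templates/deployment-watcher.yaml
@@ -0,0 +1,77 @@
+{{- if .Values.watcher.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "hydra.fullname" . }}-watcher
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- with .Values.deployment.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+{{- with .Values.deployment.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
+selector:
+matchLabels:
+app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+app.kubernetes.io/instance: {{ .Release.Name }}
+template:
+metadata:
+labels:
+app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- with .Values.deployment.labels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.watcher.podMetadata.labels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+annotations:
+{{- with .Values.watcher.podMetadata.annotations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+spec:
+automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
+serviceAccountName: {{ include "hydra.serviceAccountName" . }}-watcher
+terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+containers:
+- name: watcher
+{{- with .Values.watcher.securityContext }}
+securityContext:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+image: {{ .Values.watcher.image }}
+command:
+- /bin/bash
+- -c
+- |
+{{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
+env:
+- name: NAMESPACE
+value: {{ .Release.Namespace | quote }}
+- name: WATCH_FILE
+value: {{ .Values.watcher.mountFile | quote }}
+- name: LABEL_SELECTOR
+value: '{{ $.Values.watcher.watchLabelKey }}={{ include "hydra.name" . }}'
+resources:
+{{- toYaml .Values.watcher.resources | nindent 12 }}
+volumeMounts:
+{{- with .Values.deployment.extraVolumeMounts }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.watcher.podSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+volumes:
+{{- if .Values.deployment.extraVolumes }}
+{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
+{{- end }}
+{{- end }}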
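Review bot: The watcher container mounts `.Values.deployment.extraVolumeMounts` and `.Values.deployment.extraVolumes`, i.e. every extra volume configured for the main Hydra deployment, although it only needs the file named by `.Values.watcher.mountFile`; if those extras carry secrets or certificates, a pod whose service-account token the embedded script uses to restart Deployments receives them for no reason. Consider a dedicated `watcher.extraVolumeMounts`/`watcher.extraVolumes` pair, or at least a comment above `volumeMounts:` such as `# shares the main deployment's extra volumes; keep secret volumes out of deployment.extraVolumes or give the watcher its own list`. Both `securityContext` blocks are rendered only `with` a value, so whether this kubectl-running container gets any hardening (non-root, read-only root filesystem) is decided entirely by the chart's values defaults, which are outside this section; a comment on `- name: watcher` pointing at those defaults would help reviewers. `image: {{ .Values.watcher.image }}` also has no `imagePullPolicy`, unlike the main deployment.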
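--- a/opencloud/charts/hydra/templates/deployment.yaml
+++ b/opencloud/charts/hydra/templates/deployment.yaml
@@ -0,0 +1,236 @@
+{{- include "hydra.automigration.typeVerification" . -}}
+{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "hydra.fullname" . }}
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.deployment.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+{{- with .Values.deployment.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- if not .Values.deployment.autoscaling.enabled }}
+replicas: {{ .Values.replicaCount }}
+{{- end }}
+revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
+strategy:
+{{- toYaml .Values.deployment.strategy | nindent 4 }}
+selector:
+matchLabels:
+app.kubernetes.io/name: {{ include "hydra.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+template:
+metadata:
+labels:
+{{- include "hydra.labels" . | nindent 8 }}
+{{- with .Values.deployment.labels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with $.Values.deployment.podMetadata.labels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+annotations:
+{{- include "hydra.annotations.checksum" . | nindent 8 -}}
+{{- with .Values.deployment.annotations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with $.Values.deployment.podMetadata.annotations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+spec:
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+volumes:
+- name: {{ include "hydra.name" . }}-config-volume
+configMap:
+name: {{ include "hydra.fullname" . }}
+{{- if .Values.deployment.extraVolumes }}
+{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
+{{- end }}
+serviceAccountName: {{ include "hydra.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+containers:
+- name: {{ .Chart.Name }}
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+command: {{- toYaml .Values.hydra.command | nindent 12 }}
+{{- if .Values.hydra.customArgs }}
+args: {{- toYaml .Values.hydra.customArgs | nindent 12 }}
+{{- else }}
+args:
+- serve
+- all
+{{- if .Values.hydra.dev }}
+- "--dev"
+{{- end }}
+- --config
+- /etc/config/hydra.yaml
+{{- end }}
+volumeMounts:
+- name: {{ include "hydra.name" . }}-config-volume
+mountPath: /etc/config
+readOnly: true
+{{- if .Values.deployment.extraVolumeMounts }}
+{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
+{{- end }}
+ports:
+- name: http-public
+containerPort: {{ .Values.hydra.config.serve.public.port }}
+protocol: TCP
+- name: http-admin
+containerPort: {{ .Values.hydra.config.serve.admin.port }}
+protocol: TCP
+{{- if .Values.deployment.customLivenessProbe }}
+livenessProbe:
+{{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
+{{- end }}
+readinessProbe:
+{{- if .Values.deployment.customReadinessProbe }}
+{{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
+{{- else }}
+httpGet:
+path: /health/alive
+port: {{ .Values.hydra.config.serve.admin.port }}
+httpHeaders:
+- name: Host
+value: '127.0.0.1'
+{{- toYaml .Values.deployment.readinessProbe | nindent 12 }}
+{{- end }}
+startupProbe:
+{{- if .Values.deployment.customStartupProbe }}
+{{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
+{{- else }}
+httpGet:
+path: /health/ready
+port: {{ .Values.hydra.config.serve.admin.port }}
+httpHeaders:
+- name: Host
+value: '127.0.0.1'
+{{- toYaml .Values.deployment.startupProbe | nindent 12 }}
+{{- end }}
+env:
+{{- $issuer := include "hydra.config.urls.issuer" . -}}
+{{- if $issuer }}
+- name: URLS_SELF_ISSUER
+value: {{ $issuer | quote }}
+{{- end }}
+{{- if not (empty ( include "hydra.dsn" . )) }}
+{{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
+- name: DSN
+valueFrom:
+secretKeyRef:
+name: {{ include "hydra.secretname" . }}
+key: dsn
+{{- end }}
+{{- end }}
+- name: SECRETS_SYSTEM
+valueFrom:
+secretKeyRef:
+name: {{ include "hydra.secretname" . }}
+key: secretsSystem
+- name: SECRETS_COOKIE
+valueFrom:
+secretKeyRef:
+name: {{ include "hydra.secretname" . }}
+key: secretsCookie
+{{- if .Values.deployment.extraEnv }}
+{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
+{{- end }}
+resources:
+{{- toYaml .Values.deployment.resources | nindent 12 }}
+{{- if .Values.deployment.securityContext }}
+securityContext:
+{{- toYaml .Values.deployment.securityContext | nindent 12 }}
+{{- end }}
+lifecycle:
+{{- toYaml .Values.deployment.lifecycle | nindent 12 }}
+{{- if .Values.deployment.extraContainers }}
+{{- tpl .Values.deployment.extraContainers . | nindent 8 }}
+{{- end }}
+initContainers:
+{{- if .Values.deployment.extraInitContainers }}
+{{- tpl .Values.deployment.extraInitContainers . | nindent 8 }}
+{{- end }}
+{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }}
+- name: {{ .Chart.Name }}-automigrate
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- if .Values.hydra.automigration.customCommand }}
+command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }}
+{{- else }}
+command: ["hydra"]
+{{- end }}
+{{- if .Values.hydra.automigration.customArgs }}
+args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }}
+{{- else }}
+args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
+{{- end }}
+volumeMounts:
+- name: {{ include "hydra.name" . }}-config-volume
+mountPath: /etc/config
+readOnly: true
+{{- with .Values.deployment.extraVolumeMounts }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+env:
+{{- if not (empty ( include "hydra.dsn" . )) }}
+{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
+- name: DSN
+valueFrom:
+secretKeyRef:
+name: {{ include "hydra.secretname" . }}
+key: dsn
+{{- end }}
+{{- end }}
+{{- if $migrationExtraEnv }}
+{{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
+{{- end }}
+{{- if .Values.hydra.automigration.resources }}
+resources:
+{{- toYaml .Values.hydra.automigration.resources | nindent 12 }}
+{{- end }}
+{{- with .Values.deployment.initContainerSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+{{- with .Values.deployment.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.deployment.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.deployment.topologySpreadConstraints }}
+topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.deployment.podSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.deployment.dnsConfig }}
+dnsConfig:
+{{- toYaml . | nindent 8 }}
+{{- end }}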
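Review bot: `.Values.hydra.dev` appends `--dev` to the `serve all` arguments with no comment on what that switch does; Hydra's `--dev` flag disables its security-critical checks (HTTPS enforcement among them), so the toggle should say so where it is rendered. Add above `{{- if .Values.hydra.dev }}`: `{{/* --dev disables Hydra's security-critical checks (e.g. HTTPS enforcement); local development only */}}`. Separately, the default readinessProbe hits `/health/alive` while the startupProbe hits `/health/ready`; if that inversion is deliberate (presumably so a degraded backend does not drop the pod from the Service), a one-line comment would stop the next reader from "fixing" it. Note also that the main container's `securityContext` is rendered only when `.Values.deployment.securityContext` is non-empty, so whether Hydra runs with any hardening is decided by values defaults outside this file.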
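--- a/opencloud/charts/hydra/templates/hpa.yaml
+++ b/opencloud/charts/hydra/templates/hpa.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.deployment.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+name: {{ include "hydra.fullname" . }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+spec:
+{{- with .Values.deployment.autoscaling.behavior }}
+behavior: {{- toYaml . | nindent 4 }}
+{{- end }}
+scaleTargetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: {{ include "hydra.fullname" . }}
+minReplicas: {{ .Values.deployment.autoscaling.minReplicas }}
+maxReplicas: {{ .Values.deployment.autoscaling.maxReplicas }}
+metrics:
+{{- with .Values.deployment.autoscaling.targetMemory }}
+- type: Resource
+resource:
+name: memory
+target:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.deployment.autoscaling.targetCPU}}
+- type: Resource
+resource:
+name: cpu
+target:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- end }}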
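Review bot: When neither `targetMemory` nor `targetCPU` is set, `metrics:` is rendered with no entries, which the autoscaling/v2 API treats as unset and, as far as I recall, replaces with its default of 80% average CPU utilization — probably not what someone who cleared both values expects. Either guard the key with `{{- if or .Values.deployment.autoscaling.targetCPU .Values.deployment.autoscaling.targetMemory }}` or document the API default next to the values. Style: `{{- with .Values.deployment.autoscaling.targetCPU}}` lacks the space before `}}` that every other action in this file has.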
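--- a/opencloud/charts/hydra/templates/ingress-admin.yaml
+++ b/opencloud/charts/hydra/templates/ingress-admin.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.ingress.admin.enabled -}}
+{{- $fullName := include "hydra.fullname" . -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+name: {{ $fullName }}-admin
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.ingress.admin.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+ingressClassName: {{ .Values.ingress.admin.className }}
+{{- if .Values.ingress.admin.tls }}
+tls:
+{{- range .Values.ingress.admin.tls }}
+- hosts:
+{{- range .hosts }}
+- {{ . | quote }}
+{{- end }}
+secretName: {{ .secretName }}
+{{- end }}
+{{- end }}
+rules:
+{{- range .Values.ingress.admin.hosts }}
+- host: {{ .host | quote }}
+http:
+paths:
+{{- range .paths }}
+- path: {{ .path }}
+{{- if .pathType }}
+pathType: {{ .pathType }}
+{{- end }}
+backend:
+{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+service:
+name: {{ $fullName }}-admin
+port:
+name: {{ $.Values.service.admin.name }}
+{{- else }}
+serviceName: {{ $fullName }}-admin
+servicePort: {{ $.Values.service.admin.name }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}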
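Review bot: `pathType` is emitted only `{{- if .pathType }}`, but on the `networking.k8s.io/v1` branch (taken on any cluster ≥ 1.19) `pathType` is a required field, so a host entry that omits it renders an Ingress the API server rejects; default it instead, `pathType: {{ .pathType | default "ImplementationSpecific" }}`, and drop the `if`. The same pattern is in ingress-public.yaml. This template exposes Hydra's admin API, which manages OAuth2 clients, consent sessions and keys, yet it enforces neither TLS nor any authentication annotation — both are left to whatever the user puts in `ingress.admin.tls` and `ingress.admin.annotations`. Add a comment at the top, `{{/* Exposes the admin API; only enable behind TLS and an authenticating ingress or network policy */}}`, and consider failing the render when `admin.enabled` is set without `admin.tls`.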
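--- a/opencloud/charts/hydra/templates/ingress-public.yaml
+++ b/opencloud/charts/hydra/templates/ingress-public.yaml
@@ -0,0 +1,54 @@
+{{- if or .Values.ingress.public.enabled .Values.demo -}}
+{{- $fullName := include "hydra.fullname" . -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+name: {{ $fullName }}-public
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.ingress.public.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+ingressClassName: {{ .Values.ingress.public.className }}
+{{- if .Values.ingress.public.tls }}
+tls:
+{{- range .Values.ingress.public.tls }}
+- hosts:
+{{- range .hosts }}
+- {{ . | quote }}
+{{- end }}
+secretName: {{ .secretName }}
+{{- end }}
+{{- end }}
+rules:
+{{- range .Values.ingress.public.hosts }}
+- host: {{ .host | quote }}
+http:
+paths:
+{{- range .paths }}
+- path: {{ .path }}
+{{- if .pathType }}
+pathType: {{ .pathType }}
+{{- end }}
+backend:
+{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+service:
+name: {{ $fullName }}-public
+port:
+name: {{ $.Values.service.public.name }}
+{{- else }}
+serviceName: {{ $fullName }}-public
+servicePort: {{ $.Values.service.public.name }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}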
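--- a/opencloud/charts/hydra/templates/janitor-cron-job-rbac.yaml
+++ b/opencloud/charts/hydra/templates/janitor-cron-job-rbac.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.cronjob.janitor.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.cronjob.janitor.serviceAccount.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+automountServiceAccountToken: false
+{{- end -}}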
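--- a/opencloud/charts/hydra/templates/janitor-cron-job.yaml
+++ b/opencloud/charts/hydra/templates/janitor-cron-job.yaml
@@ -0,0 +1,137 @@
+{{- if .Values.janitor.enabled -}}
+{{- $janitorExtraEnv := ternary .Values.cronjob.janitor.extraEnv .Values.deployment.extraEnv (not (empty .Values.cronjob.janitor.extraEnv )) -}}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: {{ include "hydra.fullname" . }}-janitor
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.janitor.labels" . | nindent 4 }}
+{{- with .Values.cronjob.janitor.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+{{- with .Values.cronjob.janitor.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+concurrencyPolicy: Forbid
+schedule: {{ .Values.cronjob.janitor.schedule | quote }}
+jobTemplate:
+spec:
+template:
+metadata:
+labels:
+{{- include "hydra.janitor.labels" . | nindent 12 }}
+{{- with .Values.cronjob.janitor.labels }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.cronjob.janitor.podMetadata.labels }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+annotations:
+{{- include "hydra.annotations.checksum" . | nindent 12 -}}
+{{- with .Values.cronjob.janitor.annotations }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with $.Values.cronjob.janitor.podMetadata.annotations }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+spec:
+restartPolicy: OnFailure
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+serviceAccountName: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.cronjob.janitor.automountServiceAccountToken }}
+volumes:
+- name: {{ include "hydra.name" . }}-config-volume
+configMap:
+name: {{ include "hydra.fullname" . }}
+{{- if .Values.cronjob.janitor.extraVolumes }}
+{{- toYaml .Values.cronjob.janitor.extraVolumes | nindent 12 }}
+{{- end }}
+containers:
+- name: janitor
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- with .Values.cronjob.janitor.securityContext }}
+securityContext:
+{{- toYaml . | nindent 16 }}
+{{- end }}
+{{- if .Values.cronjob.janitor.customCommand }}
+command: {{- toYaml .Values.cronjob.janitor.customCommand | nindent 14 }}
+{{- else }}
+command: ["hydra"]
+{{- end }}
+{{- if .Values.cronjob.janitor.customArgs }}
+args: {{- toYaml .Values.cronjob.janitor.customArgs | nindent 14 }}
+{{- else }}
+args:
+- janitor
+{{- if .Values.janitor.cleanupGrants }}
+- --grants
+{{- end }}
+{{- if .Values.janitor.cleanupRequests }}
+- --requests
+{{- end }}
+{{- if .Values.janitor.cleanupTokens }}
+- --tokens
+{{- end }}
+- --batch-size
+- {{ .Values.janitor.batchSize | quote }}
+- --limit
+- {{ .Values.janitor.limit | quote }}
+- --config
+- /etc/config/hydra.yaml
+{{- end }}
+env:
+{{- if not (empty ( include "hydra.dsn" . )) }}
+{{- if not (include "ory.extraEnvContainsEnvName" (list $janitorExtraEnv "DSN")) }}
+- name: DSN
+valueFrom:
+secretKeyRef:
+name: {{ include "hydra.secretname" . }}
+key: dsn
+{{- end }}
+{{- end }}
+{{- with $janitorExtraEnv }}
+{{- toYaml . | nindent 16 }}
+{{- end }}
+resources:
+{{- toYaml .Values.cronjob.janitor.resources | nindent 16 }}
+volumeMounts:
+- name: {{ include "hydra.name" . }}-config-volume
+mountPath: /etc/config
+readOnly: true
+{{- if .Values.cronjob.janitor.extraVolumeMounts }}
+{{- toYaml .Values.cronjob.janitor.extraVolumeMounts | nindent 16 }}
+{{- end }}
+{{- if .Values.cronjob.janitor.extraContainers }}
+{{- tpl .Values.cronjob.janitor.extraContainers . | nindent 12 }}
+{{- end }}
+{{- if .Values.cronjob.janitor.extraInitContainers }}
+initContainers:
+{{- tpl .Values.cronjob.janitor.extraInitContainers . | nindent 10 }}
+{{- end }}
+{{- with .Values.cronjob.janitor.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.cronjob.janitor.podSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.cronjob.janitor.tolerations }}
+tolerations:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.cronjob.janitor.affinity }}
+affinity:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- end }}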
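Review bot: The janitor container receives a `securityContext` only when `cronjob.janitor.securityContext` is set (the `with` guard around the `securityContext:` stanza), so an unset value renders a container with no capability drop, no read-only root filesystem and no non-root enforcement, unlike the migration Job in this same commit, which falls back to `deployment.securityContext`. The cronjob values are not in this chunk, so the default may well be populated; if it is not, the same ternary pattern the file already uses for `$janitorExtraEnv` keeps the hardening consistent: `{{- $janitorSecurityContext := ternary .Values.cronjob.janitor.securityContext .Values.deployment.securityContext (not (empty .Values.cronjob.janitor.securityContext)) -}}` followed by `{{- with $janitorSecurityContext }}`. The pod-level `{{- with .Values.cronjob.janitor.podSecurityContext }}` near the end has the same gap and deserves the same fallback.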
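--- a/opencloud/charts/hydra/templates/job-migration.yaml
+++ b/opencloud/charts/hydra/templates/job-migration.yaml
@@ -0,0 +1,125 @@
+{{- include "hydra.automigration.typeVerification" . -}}
+{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
+{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
+{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
+{{- $resources := ternary .Values.job.resources .Values.hydra.automigration.resources (not (empty .Values.job.resources)) -}}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: {{ include "hydra.fullname" . }}-automigrate
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.job.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+{{- with .Values.job.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+template:
+metadata:
+annotations:
+{{- with .Values.job.annotations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.job.podMetadata.annotations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+labels:
+app.kubernetes.io/name: {{ include "hydra.fullname" . }}-automigrate
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- with .Values.job.labels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.job.podMetadata.labels }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+spec:
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+serviceAccountName: {{ include "hydra.job.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
+containers:
+- name: {{ .Chart.Name }}-automigrate
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- if .Values.hydra.automigration.customCommand }}
+command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 10 }}
+{{- else }}
+command: ["hydra"]
+{{- end }}
+{{- if .Values.hydra.automigration.customArgs }}
+args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 10 }}
+{{- else }}
+args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
+{{- end }}
+env:
+{{- if not (empty ( include "hydra.dsn" . )) }}
+{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
+- name: DSN
+valueFrom:
+secretKeyRef:
+name: {{ include "hydra.secretname" . }}
+key: dsn
+{{- end }}
+{{- end }}
+{{- with $migrationExtraEnv }}
+{{- toYaml . | nindent 10 }}
+{{- end }}
+lifecycle:
+{{- if .Values.job.lifecycle }}
+{{- tpl .Values.job.lifecycle . | nindent 10 }}
+{{- end }}
+{{- with .Values.deployment.securityContext }}
+securityContext:
+{{- toYaml . | nindent 10 }}
+{{- end }}
+{{- with $resources }}
+resources:
+{{- toYaml . | nindent 10 }}
+{{- end }}
+volumeMounts:
+- name: {{ include "hydra.name" . }}-config-volume
+mountPath: /etc/config
+readOnly: true
+{{- if .Values.deployment.extraVolumeMounts }}
+{{- toYaml .Values.deployment.extraVolumeMounts | nindent 10 }}
+{{- end }}
+{{- if .Values.job.extraContainers }}
+{{- tpl .Values.job.extraContainers . | nindent 6 }}
+{{- end }}
+{{- if .Values.job.extraInitContainers }}
+initContainers:
+{{- tpl .Values.job.extraInitContainers . | nindent 8 }}
+{{- end }}
+restartPolicy: Never
+{{- with .Values.deployment.podSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
+volumes:
+- name: {{ include "hydra.name" . }}-config-volume
+configMap:
+name: {{ include "hydra.fullname" . }}-migrate
+{{- if .Values.deployment.extraVolumes }}
+{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
+{{- end }}
+{{- with $nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.job.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+backoffLimit: {{ .Values.job.spec.backoffLimit }}
+{{- end }}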
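Review bot: `shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}` is rendered unconditionally, and when it is true every sidecar injected through `job.extraContainers` (rendered with `tpl` a few lines above) shares a PID namespace with the migrate container and, running as the same `runAsUser` from `deployment.podSecurityContext`, can typically read its environment, including the `DSN` pulled from the chart Secret, via `/proc/<pid>/environ`. The default for `job.shareProcessNamespace` is not in this chunk; whatever it is, a comment on that line should make the trade-off explicit: `# NOTE: with shareProcessNamespace enabled, job.extraContainers can read DSN from the migrate process environment`. Separately, `lifecycle:` is emitted even when `job.lifecycle` is empty, yielding a `lifecycle: null` field in the rendered spec; moving the key inside the existing `{{- if .Values.job.lifecycle }}` keeps the output clean.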
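--- a/opencloud/charts/hydra/templates/job-rbac.yaml
+++ b/opencloud/charts/hydra/templates/job-rbac.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.job.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "hydra.job.serviceAccountName" . }}
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.job.serviceAccount.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+automountServiceAccountToken: false
+{{- end -}}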
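--- a/opencloud/charts/hydra/templates/pdb.yaml
+++ b/opencloud/charts/hydra/templates/pdb.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.pdb.enabled -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+name: {{ include "hydra.fullname" . }}
+spec:
+selector:
+matchLabels:
+app.kubernetes.io/name: {{ include "hydra.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- with .Values.pdb.spec.maxUnavailable }}
+maxUnavailable: {{ . }}
+{{- end }}
+{{- with .Values.pdb.spec.minAvailable }}
+minAvailable: {{ . }}
+{{- end }}
+{{- end -}}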
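Review bot: Both `maxUnavailable` and `minAvailable` are rendered whenever their values are non-empty, and the API server rejects a PodDisruptionBudget that sets both, so a user who fills in one without clearing the other gets an opaque apply-time error instead of a chart-level message. A guard before the `spec:` block surfaces it clearly: `{{- if and .Values.pdb.spec.maxUnavailable .Values.pdb.spec.minAvailable }}{{- fail "pdb.spec: set only one of maxUnavailable or minAvailable" }}{{- end }}`. The PDB is also the only resource in this commit without a `namespace` stanza; adding the same `{{- if .Release.Namespace }}` block the other templates use keeps it consistent.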
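--- a/opencloud/charts/hydra/templates/rbac-watcher.yaml
+++ b/opencloud/charts/hydra/templates/rbac-watcher.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.watcher.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "hydra.serviceAccountName" . }}-watcher
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
+app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: {{ include "hydra.fullname" . }}-watcher
+namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: ["apps"]
+resources: ["deployments"]
+verbs:
+- list
+- watch
+- get
+- apiGroups: ["apps"]
+resources: ["deployments"]
+verbs:
+- get
+- list
+- patch
+- update
+- watch
+resourceNames:
+- {{ include "hydra.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ include "hydra.fullname" . }}-watcher
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: {{ include "hydra.fullname" . }}-watcher
+subjects:
+- kind: ServiceAccount
+name: {{ include "hydra.fullname" . }}-watcher
+namespace: {{ .Release.Namespace }}
+{{- end }}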
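Review bot: The ServiceAccount is created as `{{ include "hydra.serviceAccountName" . }}-watcher` but the RoleBinding subject names `{{ include "hydra.fullname" . }}-watcher`; whenever `serviceAccountName` is overridden to differ from `fullname`, the binding dangles, the watcher runs with no permissions, and the grant is left waiting for whatever account later takes that name. Use one helper on both sides, e.g. `name: {{ include "hydra.serviceAccountName" . }}-watcher` in `subjects`. The first rule also grants `get` on every deployment in the namespace although the second, `resourceNames`-scoped rule already grants `get` on the one deployment the watcher manages; `list` and `watch` cannot be narrowed by `resourceNames`, but `get` can, so drop `- get` from the first rule to keep the Role at least privilege.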
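--- a/opencloud/charts/hydra/templates/rbac.yaml
+++ b/opencloud/charts/hydra/templates/rbac.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.deployment.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "hydra.serviceAccountName" . }}
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.deployment.serviceAccount.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+automountServiceAccountToken: false
+{{- end }}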
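--- a/opencloud/charts/hydra/templates/secrets.yaml
+++ b/opencloud/charts/hydra/templates/secrets.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.secret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ include "hydra.secretname" . }}
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+annotations:
+{{- with .Values.secret.secretAnnotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+type: Opaque
+data:
+# Generate a random secret if the user doesn't give one. User given password has priority
+secretsSystem: {{ ( include "hydra.secrets.system" . | default ( randAlphaNum 32 )) | required "Value secrets.system can not be empty!" | b64enc | quote }}
+secretsCookie: {{ ( include "hydra.secrets.cookie" . | default ( randAlphaNum 32 )) | required "Value secrets.cookie can not be empty!" | b64enc | quote }}
+dsn: {{ include "hydra.dsn" . | b64enc | quote }}
+{{- end -}}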
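Review bot: `secretsSystem` and `secretsCookie` fall back to `randAlphaNum 32` whenever the `hydra.secrets.*` helpers render empty, and the values shipped in this commit annotate the Secret with `helm.sh/hook: pre-install, pre-upgrade` and `helm.sh/hook-delete-policy: before-hook-creation`, which deletes and recreates the hook resource on every upgrade. Unless the `hydra.secrets.system` helper (not in this chunk) reads the existing Secret back, each upgrade therefore rotates the system secret Hydra uses to encrypt sensitive stored data, and previously stored material can no longer be decrypted, with the cookie secret invalidating every live session the same way. A guarded `lookup` fallback ahead of the random one avoids that: `{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "hydra.secretname" .)) }}` and prefer `(index $existing.data "secretsSystem" | b64dec)` when `$existing.data` is present. The `required "Value secrets.system can not be empty!"` after `default` can never fire and is dead; either drop it or move it before the `default`.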
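--- a/opencloud/charts/hydra/templates/service-admin.yaml
+++ b/opencloud/charts/hydra/templates/service-admin.yaml
@@ -0,0 +1,71 @@
+{{- if .Values.service.admin.enabled -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "hydra.fullname" . }}-admin
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.service.admin.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+app.kubernetes.io/component: admin
+annotations:
+{{- with .Values.service.admin.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+type: {{ .Values.service.admin.type }}
+{{- if eq .Values.service.admin.type "LoadBalancer" }}
+{{- with .Values.service.admin.loadBalancerIP }}
+loadBalancerIP: {{ . }}
+{{- end }}
+{{- end }}
+ports:
+- port: {{ .Values.service.admin.port }}
+targetPort: http-admin
+protocol: TCP
+name: {{ .Values.service.admin.name }}
+selector:
+app.kubernetes.io/name: {{ include "hydra.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Values.serviceMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: {{ include "hydra.fullname" . }}-admin
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+app.kubernetes.io/component: admin
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.serviceMonitor.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.service.admin.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+endpoints:
+- path: {{ .Values.service.admin.metricsPath }}
+port: {{ .Values.service.admin.name }}
+scheme: {{ .Values.serviceMonitor.scheme }}
+interval: {{ .Values.serviceMonitor.scrapeInterval }}
+scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+{{- with .Values.serviceMonitor.tlsConfig }}
+tlsConfig:
+{{- toYaml . | nindent 6 }}
+{{- end }}
+selector:
+matchLabels:
+app.kubernetes.io/name: {{ include "hydra.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: admin
+{{- end -}}
+{{- end }}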
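Review bot: The admin Service accepts any `service.admin.type`, including `LoadBalancer`, and even renders `loadBalancerIP` for it, yet nothing in this chart adds authentication in front of the Hydra admin API, which manages OAuth2 clients, consent and JWKs; a stray `type: LoadBalancer` hands that API to whatever can reach the load balancer. The values default is `ClusterIP`, so a guard costs nothing for the intended deployment: `{{- if ne .Values.service.admin.type "ClusterIP" }}{{- fail "service.admin.type must remain ClusterIP; expose the admin API only through an authenticating proxy" }}{{- end }}`, or, if an internal load balancer is a supported topology, at least a comment above `type:` saying the admin port must never be reachable outside the trusted network. The ServiceMonitor also reuses `service.admin.annotations` for its own metadata, which copies Service-specific annotations onto a monitoring CRD; a dedicated `serviceMonitor.annotations` value would be cleaner.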
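--- a/opencloud/charts/hydra/templates/service-public.yaml
+++ b/opencloud/charts/hydra/templates/service-public.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.service.public.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "hydra.fullname" . }}-public
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels:
+{{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.service.public.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+{{- with .Values.service.public.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+type: {{ .Values.service.public.type }}
+{{- if eq .Values.service.public.type "LoadBalancer" }}
+{{- with .Values.service.public.loadBalancerIP }}
+loadBalancerIP: {{ . }}
+{{- end }}
+{{- end }}
+ports:
+- port: {{ .Values.service.public.port }}
+targetPort: http-public
+protocol: TCP
+name: {{ .Values.service.public.name }}
+selector:
+app.kubernetes.io/name: {{ include "hydra.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}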
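--- a/opencloud/charts/hydra/templates/tests/test-connection.yaml
+++ b/opencloud/charts/hydra/templates/tests/test-connection.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: "{{ include "hydra.fullname" . }}-test-connection"
+{{- if .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+labels: {{- include "hydra.labels" . | nindent 4 }}
+{{- with .Values.test.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+"helm.sh/hook": test-success
+spec:
+containers:
+- name: healthcheck-ready
+image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
+command: ['wget']
+args: ['{{ include "hydra.fullname" . }}-admin:{{ .Values.service.admin.port }}/health/ready']
+restartPolicy: Never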
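Review bot: The test pod carries no `securityContext` at pod or container level and no `resources`, so in a namespace enforcing the `restricted` Pod Security Standard `helm test` is rejected at admission even though the chart's own workloads are hardened through `deployment.securityContext` and `deployment.podSecurityContext`. Reusing those values keeps the test pod admissible and consistent: `securityContext: {{- toYaml .Values.deployment.podSecurityContext | nindent 4 }}` directly under `spec:`, and `securityContext: {{- toYaml .Values.deployment.securityContext | nindent 6 }}` on the `healthcheck-ready` container. The busybox image is referenced by mutable tag only and `imagePullPolicy` is left to the cluster default; if the `test.busybox` values (not in this chunk) allow it, a digest reference would pin what actually runs.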
670
opencloud/charts/hydra/values.yaml
Normal file
670
opencloud/charts/hydra/values.yaml
Normal file
@ -0,0 +1,670 @@
|
|||||||
|
# -- Number of ORY Hydra members
|
||||||
|
replicaCount: 1
|
||||||
|
|
||||||
|
image:
|
||||||
|
# -- ORY Hydra image
|
||||||
|
repository: oryd/hydra
|
||||||
|
# -- ORY Hydra version
|
||||||
|
tag: v2.2.0
|
||||||
|
# -- Image pull policy
|
||||||
|
pullPolicy: IfNotPresent
|
||||||
|
|
||||||
|
# -- Image pull secrets
|
||||||
|
imagePullSecrets: []
|
||||||
|
# Chart name override
|
||||||
|
nameOverride: ""
|
||||||
|
# -- Full chart name override
|
||||||
|
fullnameOverride: ""
|
||||||
|
|
||||||
|
# -- Pod priority
|
||||||
|
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
|
||||||
|
priorityClassName: ""
|
||||||
|
|
||||||
|
## -- Configures the Kubernetes service
|
||||||
|
service:
|
||||||
|
# -- Configures the Kubernetes service for the proxy port.
|
||||||
|
public:
|
||||||
|
# -- En-/disable the service
|
||||||
|
enabled: true
|
||||||
|
# -- The service type
|
||||||
|
type: ClusterIP
|
||||||
|
# -- The load balancer IP
|
||||||
|
loadBalancerIP: ""
|
||||||
|
# -- The service port
|
||||||
|
port: 4444
|
||||||
|
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
|
||||||
|
name: http
|
||||||
|
# -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
|
||||||
|
annotations: {}
|
||||||
|
# kubernetes.io/ingress.class: nginx
|
||||||
|
# kubernetes.io/tls-acme: "true"
|
||||||
|
labels: {}
|
||||||
|
# If you do want to specify additional labels, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
|
||||||
|
# e.g. app: hydra
|
||||||
|
# -- Configures the Kubernetes service for the api port.
|
||||||
|
admin:
|
||||||
|
# -- En-/disable the service
|
||||||
|
enabled: true
|
||||||
|
# -- The service type
|
||||||
|
type: ClusterIP
|
||||||
|
# -- The load balancer IP
|
||||||
|
loadBalancerIP: ""
|
||||||
|
# -- The service port
|
||||||
|
port: 4445
|
||||||
|
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
|
||||||
|
name: http
|
||||||
|
# -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
|
||||||
|
annotations: {}
|
||||||
|
# kubernetes.io/ingress.class: nginx
|
||||||
|
# kubernetes.io/tls-acme: "true"
|
||||||
|
labels: {}
|
||||||
|
# If you do want to specify additional labels, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
|
||||||
|
# e.g. app: hydra
|
||||||
|
# -- Path to the metrics endpoint
|
||||||
|
metricsPath: /admin/metrics/prometheus
|
||||||
|
|
||||||
|
## -- Secret management
|
||||||
|
secret:
|
||||||
|
# -- switch to false to prevent creating the secret
|
||||||
|
enabled: true
|
||||||
|
# -- Provide custom name of existing secret, or custom name of secret to be created
|
||||||
|
nameOverride: ""
|
||||||
|
# nameOverride: "myCustomSecret"
|
||||||
|
# -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
|
||||||
|
secretAnnotations:
|
||||||
|
# Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
|
||||||
|
# pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
|
||||||
|
helm.sh/hook-weight: "0"
|
||||||
|
helm.sh/hook: "pre-install, pre-upgrade"
|
||||||
|
helm.sh/hook-delete-policy: "before-hook-creation"
|
||||||
|
helm.sh/resource-policy: "keep"
|
||||||
|
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
|
||||||
|
hashSumEnabled: true
|
||||||
|
|
||||||
|
## -- Configure ingress
|
||||||
|
ingress:
|
||||||
|
# -- Configure ingress for the proxy port.
|
||||||
|
public:
|
||||||
|
# -- En-/Disable the proxy ingress.
|
||||||
|
enabled: false
|
||||||
|
className: ""
|
||||||
|
annotations: {}
|
||||||
|
# kubernetes.io/ingress.class: nginx
|
||||||
|
# kubernetes.io/tls-acme: "true"
|
||||||
|
hosts:
|
||||||
|
- host: public.hydra.localhost
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: ImplementationSpecific
|
||||||
|
# tls: []
|
||||||
|
# hosts:
|
||||||
|
# - proxy.hydra.local
|
||||||
|
# - secretName: hydra-proxy-example-tls
|
||||||
|
|
||||||
|
admin:
|
||||||
|
# -- En-/Disable the api ingress.
|
||||||
|
enabled: false
|
||||||
|
className: ""
|
||||||
|
annotations: {}
|
||||||
|
# If you do want to specify annotations, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
|
||||||
|
# kubernetes.io/ingress.class: nginx
|
||||||
|
# kubernetes.io/tls-acme: "true"
|
||||||
|
hosts:
|
||||||
|
- host: admin.hydra.localhost
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: ImplementationSpecific
|
||||||
|
# tls: []
|
||||||
|
# hosts:
|
||||||
|
# - api.hydra.local
|
||||||
|
# - secretName: hydra-api-example-tls
|
||||||
|
|
||||||
|
## -- Configure ORY Hydra itself
|
||||||
|
hydra:
|
||||||
|
# -- Ability to override the entrypoint of hydra container
|
||||||
|
# (e.g. to source dynamic secrets or export environment dynamic variables)
|
||||||
|
command: ["hydra"]
|
||||||
|
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
|
||||||
|
customArgs: []
|
||||||
|
# -- The ORY Hydra configuration. For a full list of available settings, check:
|
||||||
|
# https://www.ory.sh/docs/hydra/reference/configuration
|
||||||
|
config:
|
||||||
|
serve:
|
||||||
|
public:
|
||||||
|
port: 4444
|
||||||
|
admin:
|
||||||
|
port: 4445
|
||||||
|
tls:
|
||||||
|
allow_termination_from:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 192.168.0.0/16
|
||||||
|
# -- The secrets have to be provided as a string slice, example:
|
||||||
|
# system:
|
||||||
|
# - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
|
||||||
|
# - "foo bar 123 456 lorem"
|
||||||
|
# - "foo bar 123 456 lorem 1"
|
||||||
|
# - "foo bar 123 456 lorem 2"
|
||||||
|
# - "foo bar 123 456 lorem 3"
|
||||||
|
secrets: {}
|
||||||
|
|
||||||
|
# -- Configure the urls used by hydra itself, such as the issuer.
|
||||||
|
# Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart
|
||||||
|
# self:
|
||||||
|
# issuer: "https://public.hydra.localhost:4444/"
|
||||||
|
urls:
|
||||||
|
self: {}
|
||||||
|
|
||||||
|
# -- Enables database migration
|
||||||
|
automigration:
|
||||||
|
enabled: false
|
||||||
|
# -- Configure the way to execute database migration. Possible values: job, initContainer
|
||||||
|
# When set to job, the migration will be executed as a job on release or upgrade.
|
||||||
|
# When set to initContainer, the migration will be executed when kratos pod is created
|
||||||
|
# Defaults to job
|
||||||
|
type: job
|
||||||
|
# -- Ability to override the entrypoint of the automigration container
|
||||||
|
# (e.g. to source dynamic secrets or export environment dynamic variables)
|
||||||
|
customCommand: []
|
||||||
|
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
|
||||||
|
# eg:
|
||||||
|
# - sleep 5;
|
||||||
|
# - kratos
|
||||||
|
customArgs: []
|
||||||
|
# -- resource requests and limits for the automigration initcontainer
|
||||||
|
resources: {}
|
||||||
|
|
||||||
|
# -- Enable dev mode, not secure in production environments
|
||||||
|
dev: false
|
||||||
|
|
||||||
|
## -- Deployment specific config
|
||||||
|
deployment:
|
||||||
|
strategy:
|
||||||
|
type: RollingUpdate
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: "25%"
|
||||||
|
maxUnavailable: "25%"
|
||||||
|
|
||||||
|
# -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
|
||||||
|
# This also increases chances charts run on environments with little
|
||||||
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||||
|
# limits:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
# requests:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
resources: {}
|
||||||
|
|
||||||
|
## -- initContainer securityContext for hydra & migration init
|
||||||
|
initContainerSecurityContext: {}
|
||||||
|
|
||||||
|
## -- pod securityContext for hydra & migration init
|
||||||
|
podSecurityContext:
|
||||||
|
fsGroupChangePolicy: "OnRootMismatch"
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
|
fsGroup: 65534
|
||||||
|
runAsGroup: 65534
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
|
||||||
|
## -- container securityContext for hydra & migration init
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
|
runAsGroup: 65534
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
privileged: false
|
||||||
|
seLinuxOptions:
|
||||||
|
level: "s0:c123,c456"
|
||||||
|
|
||||||
|
lifecycle: {}
|
||||||
|
|
||||||
|
# -- Set custom deployment level labels
|
||||||
|
labels: {}
|
||||||
|
|
||||||
|
# -- Set custom deployment level annotations
|
||||||
|
annotations: {}
|
||||||
|
|
||||||
|
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
|
||||||
|
podMetadata:
|
||||||
|
# -- Extra pod level labels
|
||||||
|
labels: {}
|
||||||
|
# -- Extra pod level annotations
|
||||||
|
annotations: {}
|
||||||
|
|
||||||
|
# -- Node labels for pod assignment.
|
||||||
|
nodeSelector: {}
|
||||||
|
# If you do want to specify node labels, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
|
||||||
|
# foo: bar
|
||||||
|
|
||||||
|
# -- Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm
|
||||||
|
# `tpl`
|
||||||
|
# - name: FOO
|
||||||
|
# value: BAR
|
||||||
|
extraEnv: []
|
||||||
|
|
||||||
|
# -- Parameters for the automigration initContainer
|
||||||
|
automigration:
|
||||||
|
# -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
|
||||||
|
# Helm `tpl`
|
||||||
|
# - name: FOO
|
||||||
|
# value: BAR
|
||||||
|
extraEnv: []
|
||||||
|
|
||||||
|
# -- Configure node tolerations.
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
# -- Configure pod topologySpreadConstraints.
|
||||||
|
topologySpreadConstraints: []
|
||||||
|
# - maxSkew: 1
|
||||||
|
# topologyKey: topology.kubernetes.io/zone
|
||||||
|
# whenUnsatisfiable: DoNotSchedule
|
||||||
|
# labelSelector:
|
||||||
|
# matchLabels:
|
||||||
|
# app.kubernetes.io/name: hydra
|
||||||
|
# app.kubernetes.io/instance: hydra
|
||||||
|
|
||||||
|
# -- Configure pod dnsConfig.
|
||||||
|
dnsConfig: {}
|
||||||
|
# options:
|
||||||
|
# - name: "ndots"
|
||||||
|
# value: "1"
|
||||||
|
|
||||||
|
# -- Specify the serviceAccountName value.
|
||||||
|
# In some situations it is needed to provides specific permissions to Hydra deployments
|
||||||
|
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
|
||||||
|
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
|
||||||
|
# -- Specify the serviceAccountName value.
|
||||||
|
# In some situations it is needed to provides specific permissions to Hydra deployments
|
||||||
|
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
|
||||||
|
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
|
||||||
|
serviceAccount:
|
||||||
|
# -- Specifies whether a service account should be created
|
||||||
|
create: true
|
||||||
|
# -- Annotations to add to the service account
|
||||||
|
annotations: {}
|
||||||
|
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
|
||||||
|
name: ""
|
||||||
|
|
||||||
|
# -- If you want to mount external volume
|
||||||
|
extraVolumes: []
|
||||||
|
# - name: my-volume
|
||||||
|
# secret:
|
||||||
|
# secretName: my-secret
|
||||||
|
extraVolumeMounts: []
|
||||||
|
# - name: my-volume
|
||||||
|
# mountPath: /etc/secrets/my-secret
|
||||||
|
# readOnly: true
|
||||||
|
|
||||||
|
# For example, mount a secret containing Certificate root CA to verify database
|
||||||
|
# TLS connection.
|
||||||
|
# extraVolumes:
|
||||||
|
# - name: postgresql-tls
|
||||||
|
# secret:
|
||||||
|
# secretName: postgresql-root-ca
|
||||||
|
# extraVolumeMounts:
|
||||||
|
# - name: postgresql-tls
|
||||||
|
# mountPath: "/etc/postgresql-tls"
|
||||||
|
# readOnly: true
|
||||||
|
|
||||||
|
# -- Configure HPA
|
||||||
|
autoscaling:
|
||||||
|
enabled: false
|
||||||
|
minReplicas: 1
|
||||||
|
maxReplicas: 3
|
||||||
|
targetCPU: {}
|
||||||
|
# type: Utilization
|
||||||
|
# averageUtilization: 80
|
||||||
|
targetMemory: {}
|
||||||
|
# type: Utilization
|
||||||
|
# averageUtilization: 80
|
||||||
|
# -- Set custom behavior
|
||||||
|
# https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
|
||||||
|
behavior: {}
|
||||||
|
|
||||||
|
# -- Default probe timers
|
||||||
|
readinessProbe:
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
failureThreshold: 5
|
||||||
|
# -- Default probe timers
|
||||||
|
startupProbe:
|
||||||
|
failureThreshold: 5
|
||||||
|
successThreshold: 1
|
||||||
|
periodSeconds: 1
|
||||||
|
timeoutSeconds: 1
|
||||||
|
initialDelaySeconds: 0
|
||||||
|
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
|
||||||
|
terminationGracePeriodSeconds: 60
|
||||||
|
|
||||||
|
# -- If you want to add extra init containers. These are processed before the migration init container.
|
||||||
|
extraInitContainers: ""
|
||||||
|
# extraInitContainers: |
|
||||||
|
# - name: ...
|
||||||
|
# image: ...
|
||||||
|
|
||||||
|
# -- If you want to add extra sidecar containers.
|
||||||
|
extraContainers: ""
|
||||||
|
# extraContainers: |
|
||||||
|
# - name: ...
|
||||||
|
# image: ...
|
||||||
|
|
||||||
|
# -- Configure a custom livenessProbe. This overwrites the default object
|
||||||
|
customLivenessProbe: {}
|
||||||
|
# -- Configure a custom readinessProbe. This overwrites the default object
|
||||||
|
customReadinessProbe: {}
|
||||||
|
# -- Configure a custom startupProbe. This overwrites the default object
|
||||||
|
customStartupProbe: {}
|
||||||
|
# -- Number of revisions kept in history
|
||||||
|
revisionHistoryLimit: 5
|
||||||
|
|
||||||
|
## -- Values for initialization job
|
||||||
|
job:
|
||||||
|
# -- If you do want to specify annotations, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
|
||||||
|
annotations:
|
||||||
|
helm.sh/hook-weight: "1"
|
||||||
|
helm.sh/hook: "pre-install, pre-upgrade"
|
||||||
|
helm.sh/hook-delete-policy: "before-hook-creation"
|
||||||
|
# kubernetes.io/ingress.class: nginx
|
||||||
|
# kubernetes.io/tls-acme: "true"
|
||||||
|
|
||||||
|
# -- Set custom deployment level labels
|
||||||
|
labels: {}
|
||||||
|
|
||||||
|
# -- If you want to add extra sidecar containers.
|
||||||
|
extraContainers: ""
|
||||||
|
# extraContainers: |
|
||||||
|
# - name: ...
|
||||||
|
# image: ...
|
||||||
|
|
||||||
|
# -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
|
||||||
|
# is expected. Value is processed with Helm `tpl`
|
||||||
|
# - name: FOO
|
||||||
|
# value: BAR
|
||||||
|
extraEnv: []
|
||||||
|
|
||||||
|
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
|
||||||
|
podMetadata:
|
||||||
|
# -- Extra pod level labels
|
||||||
|
labels: {}
|
||||||
|
# -- Extra pod level annotations
|
||||||
|
annotations: {}
|
||||||
|
|
||||||
|
# -- If you want to add extra init containers.
|
||||||
|
# extraInitContainers: |
|
||||||
|
# - name: ...
|
||||||
|
# image: ...
|
||||||
|
extraInitContainers: ""
|
||||||
|
|
||||||
|
# -- Node labels for pod assignment.
|
||||||
|
nodeSelector: {}
|
||||||
|
# If you do want to specify node labels, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
|
||||||
|
# foo: bar
|
||||||
|
|
||||||
|
# -- resource requests and limits for the automigration job
|
||||||
|
resources: {}
|
||||||
|
|
||||||
|
# -- Configure node tolerations.
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
# -- If you want to add lifecycle hooks.
|
||||||
|
lifecycle: ""
|
||||||
|
# lifecycle: |
|
||||||
|
# preStop:
|
||||||
|
# exec:
|
||||||
|
# command: [...]
|
||||||
|
|
||||||
|
# -- Set automounting of the SA token
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
|
||||||
|
# -- Set sharing process namespace
|
||||||
|
shareProcessNamespace: false
|
||||||
|
|
||||||
|
# -- Specify the serviceAccountName value.
|
||||||
|
# In some situations it is needed to provides specific permissions to Hydra deployments
|
||||||
|
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
|
||||||
|
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
|
||||||
|
serviceAccount:
|
||||||
|
# -- Specifies whether a service account should be created
|
||||||
|
create: true
|
||||||
|
# -- Annotations to add to the service account
|
||||||
|
annotations:
|
||||||
|
helm.sh/hook-weight: "0"
|
||||||
|
helm.sh/hook: "pre-install, pre-upgrade"
|
||||||
|
helm.sh/hook-delete-policy: "before-hook-creation"
|
||||||
|
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
|
||||||
|
name: ""
|
||||||
|
|
||||||
|
spec:
|
||||||
|
# -- Set job back off limit
|
||||||
|
backoffLimit: 10
|
||||||
|
|
||||||
|
## -- Configure node affinity
|
||||||
|
affinity: {}
|
||||||
|
|
||||||
|
## -- Configures controller setup
|
||||||
|
maester:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
## -- Values for the hydra admin service arguments to hydra-maester
|
||||||
|
hydra-maester:
|
||||||
|
adminService:
|
||||||
|
# -- The service name value may need to be set if you use `fullnameOverride` for the parent chart
|
||||||
|
name: ""
|
||||||
|
# -- You only need to set this port if you change the value for `service.admin.port` in the parent chart
|
||||||
|
# port:
|
||||||
|
|
||||||
|
## -- Sidecar watcher configuration
|
||||||
|
watcher:
|
||||||
|
enabled: false
|
||||||
|
image: oryd/k8s-toolbox:v0.0.7
|
||||||
|
# -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo
|
||||||
|
mountFile: ""
|
||||||
|
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
|
||||||
|
podMetadata:
|
||||||
|
# -- Extra pod level labels
|
||||||
|
labels: {}
|
||||||
|
# -- Extra pod level annotations
|
||||||
|
annotations: {}
|
||||||
|
# -- Label key used for managing applications
|
||||||
|
watchLabelKey: "ory.sh/watcher"
|
||||||
|
# -- Number of revisions kept in history
|
||||||
|
revisionHistoryLimit: 5
|
||||||
|
|
||||||
|
# -- pod securityContext for watcher deployment
|
||||||
|
podSecurityContext: {}
|
||||||
|
resources: {}
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
|
||||||
|
# -- container securityContext for watcher deployment
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 100
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
privileged: false
|
||||||
|
|
||||||
|
## -- Janitor cron job configuration
|
||||||
|
janitor:
|
||||||
|
# -- Enable cleanup of stale database rows by periodically running the janitor command
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# -- Configure if the trust relationships must be cleaned up
|
||||||
|
cleanupGrants: false
|
||||||
|
|
||||||
|
# -- Configure if the consent and authentication requests must be cleaned up
|
||||||
|
cleanupRequests: false
|
||||||
|
|
||||||
|
# -- Configure if the access and refresh tokens must be cleaned up
|
||||||
|
cleanupTokens: false
|
||||||
|
|
||||||
|
# -- Configure how many records are deleted with each iteration
|
||||||
|
batchSize: 100
|
||||||
|
|
||||||
|
# -- Configure how many records are retrieved from database for deletion
|
||||||
|
limit: 10000
|
||||||
|
|
||||||
|
## -- CronJob configuration
|
||||||
|
cronjob:
|
||||||
|
janitor:
|
||||||
|
# -- Configure how often the cron job is ran
|
||||||
|
schedule: "0 */1 * * *"
|
||||||
|
# -- Configure a custom entrypoint, overriding the default value
|
||||||
|
customCommand: []
|
||||||
|
|
||||||
|
# -- Configure the arguments of the entrypoint, overriding the default value
|
||||||
|
customArgs: []
|
||||||
|
|
||||||
|
# -- Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes
|
||||||
|
# format is expected. Value is processed with Helm `tpl`
|
||||||
|
# - name: FOO
|
||||||
|
# value: BAR
|
||||||
|
extraEnv: []
|
||||||
|
|
||||||
|
# -- If you want to add extra init containers. These are processed before the migration init container.
|
||||||
|
extraInitContainers: ""
|
||||||
|
# extraInitContainers: |
|
||||||
|
# - name: ...
|
||||||
|
# image: ...
|
||||||
|
|
||||||
|
# -- If you want to add extra sidecar containers.
|
||||||
|
extraContainers: ""
|
||||||
|
# extraContainers: |
|
||||||
|
# - name: ...
|
||||||
|
# image: ...
|
||||||
|
|
||||||
|
# -- If you want to mount external volume
|
||||||
|
extraVolumes: []
|
||||||
|
# - name: my-volume
|
||||||
|
# secret:
|
||||||
|
# secretName: my-secret
|
||||||
|
extraVolumeMounts: []
|
||||||
|
# - name: my-volume
|
||||||
|
# mountPath: /etc/secrets/my-secret
|
||||||
|
# readOnly: true
|
||||||
|
|
||||||
|
# -- Set custom cron job level labels
|
||||||
|
labels: {}
|
||||||
|
|
||||||
|
# -- Set custom cron job level annotations
|
||||||
|
annotations: {}
|
||||||
|
|
||||||
|
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
|
||||||
|
podMetadata:
|
||||||
|
# -- Extra pod level labels
|
||||||
|
labels: {}
|
||||||
|
|
||||||
|
# -- Extra pod level annotations
|
||||||
|
annotations: {}
|
||||||
|
|
||||||
|
# -- Configure node labels for pod assignment
|
||||||
|
nodeSelector: {}
|
||||||
|
|
||||||
|
# -- Configure node tolerations
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
# -- Configure node affinity
|
||||||
|
affinity: {}
|
||||||
|
|
||||||
|
# -- Set automounting of the SA token
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
|
||||||
|
# -- Specify the serviceAccountName value.
|
||||||
|
# In some situations it is needed to provides specific permissions to Hydra deployments
|
||||||
|
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
|
||||||
|
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
|
||||||
|
serviceAccount:
|
||||||
|
# -- Specifies whether a service account should be created
|
||||||
|
create: true
|
||||||
|
# -- Annotations to add to the service account
|
||||||
|
annotations:
|
||||||
|
helm.sh/hook-weight: "0"
|
||||||
|
helm.sh/hook: "pre-install, pre-upgrade"
|
||||||
|
helm.sh/hook-delete-policy: "before-hook-creation"
|
||||||
|
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
|
||||||
|
name: ""
|
||||||
|
|
||||||
|
# -- Configure the containers' SecurityContext for the janitor cronjob
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 100
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
privileged: false
|
||||||
|
|
||||||
|
## -- pod securityContext for the janitor cronjob
|
||||||
|
podSecurityContext: {}
|
||||||
|
|
||||||
|
# -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
|
||||||
|
# This also increases chances charts run on environments with little
|
||||||
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||||
|
# limits:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
# requests:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
resources:
|
||||||
|
limits: {}
|
||||||
|
requests: {}
|
||||||
|
|
||||||
|
## -- PodDistributionBudget configuration
|
||||||
|
pdb:
|
||||||
|
enabled: false
|
||||||
|
spec:
|
||||||
|
minAvailable: ""
|
||||||
|
maxUnavailable: ""
|
||||||
|
|
||||||
|
## -- Parameters for the Prometheus ServiceMonitor objects.
|
||||||
|
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
|
||||||
|
serviceMonitor:
|
||||||
|
# -- switch to true to enable creating the ServiceMonitor
|
||||||
|
enabled: false
|
||||||
|
# -- HTTP scheme to use for scraping.
|
||||||
|
scheme: http
|
||||||
|
# -- Interval at which metrics should be scraped
|
||||||
|
scrapeInterval: 60s
|
||||||
|
# -- Timeout after which the scrape is ended
|
||||||
|
scrapeTimeout: 30s
|
||||||
|
# -- Provide additionnal labels to the ServiceMonitor ressource metadata
|
||||||
|
labels: {}
|
||||||
|
# -- TLS configuration to use when scraping the endpoint
|
||||||
|
tlsConfig: {}
|
||||||
|
|
||||||
|
configmap:
|
||||||
|
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
|
||||||
|
hashSumEnabled: true
|
||||||
|
|
||||||
|
test:
|
||||||
|
# -- Provide additional labels to the test pod
|
||||||
|
labels: {}
|
||||||
|
# -- use a busybox image from another repository
|
||||||
|
busybox:
|
||||||
|
repository: busybox
|
||||||
|
tag: 1
|
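--- /dev/null
+++ b/opencloud/charts/keto/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/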
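--- /dev/null
+++ b/opencloud/charts/keto/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: ory-commons
+  repository: file://../ory-commons
+  version: 0.1.0
+digest: sha256:eec8978215334aad38275f0171681f1200220dccef4762ddeb197679fd287abb
+generated: "2024-06-11T14:47:42.552973+02:00"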
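--- /dev/null
+++ b/opencloud/charts/keto/Chart.yaml
@@ -0,0 +1,27 @@
+apiVersion: v2
+appVersion: v0.12.0
+dependencies:
+- alias: ory
+  name: ory-commons
+  repository: file://../ory-commons
+  version: 0.1.0
+description: Access Control Policies as a Server
+home: https://www.ory.sh/keto/
+icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-keto.svg
+keywords:
+- rbac
+- hrbac
+- acl
+- iam
+- api-security
+- security
+maintainers:
+- email: hi@ory.sh
+  name: ORY Team
+  url: https://www.ory.sh/
+name: keto
+sources:
+- https://github.com/ory/keto
+- https://github.com/ory/k8s
+type: application
+version: 0.50.2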
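Review bot: The `version: 0.50.2` line disagrees with the README added in the same commit, whose badge still reads `Version: 0.50.1`, so the chart's own documentation is one release behind its manifest. The README footer states it was produced by helm-docs, so regenerating it from this Chart.yaml (rather than hand-editing the badge) would bring the two back in sync and keep the values table honest for the next upgrade. It would also help to record which upstream release these files were copied from, e.g. a leading comment `# vendored from the ory/k8s keto chart, version 0.50.2 (see sources below)`, so that future bumps can be diffed against upstream instead of reviewed blind.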
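--- /dev/null
+++ b/opencloud/charts/keto/README.md
@@ -0,0 +1,187 @@
+# keto
+
+![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
+
+Access Control Policies as a Server
+
+**Homepage:** <https://www.ory.sh/keto/>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| ORY Team | <hi@ory.sh> | <https://www.ory.sh/> |
+
+## Source Code
+
+* <https://github.com/ory/keto>
+* <https://github.com/ory/k8s>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../ory-commons | ory(ory-commons) | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
+| deployment.affinity | object | `{}` | |
+| deployment.annotations | object | `{}` | |
+| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
+| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
+| deployment.automountServiceAccountToken | bool | `true` | |
+| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Autoscaling for keto deployment |
+| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
+| deployment.customLivenessProbe | object | `{}` | |
+| deployment.customReadinessProbe | object | `{}` | |
+| deployment.customStartupProbe | object | `{}` | |
+| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
+| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. |
+| deployment.extraEnv | list | `[]` | Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
+| deployment.extraInitContainers | object | `{}` | If you want to add extra init containers. These are processed before the migration init container. |
+| deployment.extraLabels | object | `{}` | Extra labels to be added to the deployment, and pods. K8s object format expected foo: bar my.special.label/type: value |
+| deployment.extraPorts | list | `[]` | Extra ports to be exposed by the main deployment |
+| deployment.extraVolumeMounts | list | `[]` | Array of extra VolumeMounts to be added to the deployment. K8s format expected - name: my-volume mountPath: /etc/secrets/my-secret readOnly: true |
+| deployment.extraVolumes | list | `[]` | Array of extra Volumes to be added to the deployment. K8s format expected - name: my-volume secret: secretName: my-secret |
+| deployment.lifecycle | object | `{}` | |
+| deployment.minReadySeconds | int | `0` | |
+| deployment.nodeSelector | object | `{}` | |
+| deployment.podAnnotations | object | `{}` | |
+| deployment.podMetadata.annotations | object | `{}` | |
+| deployment.podMetadata.labels | object | `{}` | |
+| deployment.podSecurityContext | object | `{}` | |
+| deployment.readinessProbe.failureThreshold | int | `5` | |
+| deployment.readinessProbe.initialDelaySeconds | int | `5` | |
+| deployment.readinessProbe.periodSeconds | int | `10` | |
+| deployment.resources | object | `{}` | |
+| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
+| deployment.startupProbe.failureThreshold | int | `5` | |
+| deployment.startupProbe.initialDelaySeconds | int | `0` | |
+| deployment.startupProbe.periodSeconds | int | `1` | |
+| deployment.startupProbe.successThreshold | int | `1` | |
+| deployment.startupProbe.timeoutSeconds | int | `1` | |
+| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | |
+| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
+| deployment.strategy.type | string | `"RollingUpdate"` | |
+| deployment.terminationGracePeriodSeconds | int | `60` | |
+| deployment.tolerations | list | `[]` | |
+| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
+| extraServices | object | `{}` | |
+| fullnameOverride | string | `""` | |
+| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy |
+| image.repository | string | `"oryd/keto"` | Ory KETO image |
+| image.tag | string | `"v0.12.0"` | Ory KETO version |
+| imagePullSecrets | list | `[]` | |
+| ingress.read.annotations | object | `{}` | |
+| ingress.read.className | string | `""` | |
+| ingress.read.enabled | bool | `false` | |
+| ingress.read.hosts[0].host | string | `"chart-example.local"` | |
+| ingress.read.hosts[0].paths[0].path | string | `"/read"` | |
+| ingress.read.hosts[0].paths[0].pathType | string | `"Prefix"` | |
+| ingress.read.tls | list | `[]` | |
+| ingress.write.annotations | object | `{}` | |
+| ingress.write.className | string | `""` | |
+| ingress.write.enabled | bool | `false` | |
+| ingress.write.hosts[0].host | string | `"chart-example.local"` | |
+| ingress.write.hosts[0].paths[0].path | string | `"/write"` | |
+| ingress.write.hosts[0].paths[0].pathType | string | `"Prefix"` | |
+| ingress.write.tls | list | `[]` | |
+| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
+| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
+| job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
+| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
+| job.extraInitContainers | string | `""` | If you want to add extra init containers. |
+| job.lifecycle | string | `""` | If you want to add lifecycle hooks. |
+| job.nodeSelector | object | `{}` | Node labels for pod assignment. |
+| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| job.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| job.podMetadata.labels | object | `{}` | Extra pod level labels |
+| job.resources | object | `{}` | Job resources |
+| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
+| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
+| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
+| job.spec.backoffLimit | int | `10` | Set job back off limit |
+| job.tolerations | list | `[]` | Configure node tolerations. |
+| keto.automigration | object | `{"customArgs":[],"customCommand":[],"enabled":false,"resources":{},"type":"job"}` | Enables database migration |
+| keto.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - keto |
+| keto.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) |
+| keto.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer |
+| keto.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job |
+| keto.command | list | `["keto"]` | Ability to override the entrypoint of keto container (e.g. to source dynamic secrets or export environment dynamic variables) |
+| keto.config | object | `{"dsn":"memory","namespaces":[{"id":0,"name":"sample"}],"serve":{"metrics":{"port":4468},"read":{"port":4466},"write":{"port":4467}}}` | Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration |
+| keto.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
+| nameOverride | string | `""` | |
+| pdb.enabled | bool | `false` | |
+| pdb.spec.maxUnavailable | string | `""` | |
+| pdb.spec.minAvailable | string | `""` | |
+| podSecurityContext.fsGroup | int | `65534` | |
+| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
+| podSecurityContext.runAsGroup | int | `65534` | |
+| podSecurityContext.runAsNonRoot | bool | `true` | |
+| podSecurityContext.runAsUser | int | `65534` | |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
+| replicaCount | int | `1` | Number of replicas in deployment |
+| secret.enabled | bool | `true` | Switch to false to prevent creating the secret |
+| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
+| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
+| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
+| securityContext.allowPrivilegeEscalation | bool | `false` | |
+| securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| securityContext.privileged | bool | `false` | |
+| securityContext.readOnlyRootFilesystem | bool | `true` | |
+| securityContext.runAsGroup | int | `65534` | |
+| securityContext.runAsNonRoot | bool | `true` | |
+| securityContext.runAsUser | int | `65534` | |
+| securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| service.metrics.annotations | object | `{}` | |
+| service.metrics.enabled | bool | `false` | |
+| service.metrics.loadBalancerIP | string | `""` | |
+| service.metrics.name | string | `"http-metrics"` | |
+| service.metrics.port | int | `80` | |
+| service.metrics.type | string | `"ClusterIP"` | |
+| service.read.appProtocol | string | `"grpc"` | |
+| service.read.clusterIP | string | `""` | |
+| service.read.enabled | bool | `true` | |
+| service.read.headless.enabled | bool | `true` | |
+| service.read.loadBalancerIP | string | `""` | |
+| service.read.name | string | `"grpc-read"` | |
+| service.read.port | int | `80` | |
+| service.read.type | string | `"ClusterIP"` | |
+| service.write.appProtocol | string | `"grpc"` | |
+| service.write.clusterIP | string | `""` | |
+| service.write.enabled | bool | `true` | |
+| service.write.headless.enabled | bool | `true` | |
+| service.write.loadBalancerIP | string | `""` | |
+| service.write.name | string | `"grpc-write"` | |
+| service.write.port | int | `80` | |
+| service.write.type | string | `"ClusterIP"` | |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
+| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
+| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
+| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended |
+| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
+| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
+| test.labels | object | `{}` | Provide additional labels to the test pod |
+| watcher.automountServiceAccountToken | bool | `true` | |
+| watcher.enabled | bool | `false` | |
+| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` | |
+| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
+| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
+| watcher.resources | object | `{}` | |
+| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
+| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)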
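--- /dev/null
+++ b/opencloud/charts/keto/charts/ory-commons/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/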
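--- /dev/null
+++ b/opencloud/charts/keto/charts/ory-commons/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 0.0.0
+description: 'Collection of helper function for the Ory Helm environment '
+name: ory-commons
+type: library
+version: 0.1.0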