progress
ci / build (push) Failing after 7m5s
Details
ci / build (push) Failing after 7m5s
Details
This commit is contained in:
parent
287321bb1e
commit
ebe65e067d
|
@ -13,6 +13,15 @@ jobs:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
name: Check out code
|
name: Check out code
|
||||||
|
|
||||||
|
- uses: mr-smithers-excellent/docker-build-push@v6
|
||||||
|
name: Build futureporn/migrations
|
||||||
|
with:
|
||||||
|
image: futureporn/migrations
|
||||||
|
tags: latest
|
||||||
|
registry: gitea.futureporn.net
|
||||||
|
dockerfile: d.migrations.dockerfile
|
||||||
|
username: ${{ secrets.DOCKER_USERNAME }}
|
||||||
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||||
|
|
||||||
- uses: mr-smithers-excellent/docker-build-push@v6
|
- uses: mr-smithers-excellent/docker-build-push@v6
|
||||||
name: Build futureporn/worker
|
name: Build futureporn/worker
|
||||||
|
@ -24,17 +33,6 @@ jobs:
|
||||||
username: ${{ secrets.DOCKER_USERNAME }}
|
username: ${{ secrets.DOCKER_USERNAME }}
|
||||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||||
|
|
||||||
- uses: mr-smithers-excellent/docker-build-push@v6
|
|
||||||
name: Build futureporn/scout
|
|
||||||
with:
|
|
||||||
image: futureporn/scout
|
|
||||||
tags: latest
|
|
||||||
target: scout
|
|
||||||
registry: gitea.futureporn.net
|
|
||||||
dockerfile: d.scout.dockerfile
|
|
||||||
username: ${{ secrets.DOCKER_USERNAME }}
|
|
||||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
||||||
|
|
||||||
- uses: mr-smithers-excellent/docker-build-push@v6
|
- uses: mr-smithers-excellent/docker-build-push@v6
|
||||||
name: Build futureporn/next
|
name: Build futureporn/next
|
||||||
with:
|
with:
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
git monorepo.
|
git monorepo.
|
||||||
|
|
||||||
|
TypeScript
|
||||||
|
|
||||||
pnpm for workspaces.
|
pnpm for workspaces.
|
||||||
|
|
||||||
Kubernetes for Development using Tiltfile
|
Kubernetes for Development using Tiltfile
|
||||||
|
@ -10,7 +12,7 @@ Tested on VKE v1.30.0+1 (PVCs on other versions may not be fulfilled)
|
||||||
|
|
||||||
direnv for loading .envrc
|
direnv for loading .envrc
|
||||||
|
|
||||||
Temporal for work queue, cron
|
pg-boss for work queue, cron
|
||||||
|
|
||||||
Postgres for data storage
|
Postgres for data storage
|
||||||
|
|
||||||
|
|
10
Makefile
10
Makefile
|
@ -13,7 +13,7 @@ secrets:
|
||||||
flux:
|
flux:
|
||||||
./scripts/flux-bootstrap.sh
|
./scripts/flux-bootstrap.sh
|
||||||
|
|
||||||
cluster: echoenv kind namespaces secrets velero chisel flux metrics
|
cluster: echoenv kind namespaces secrets velero flux metrics
|
||||||
|
|
||||||
metrics:
|
metrics:
|
||||||
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
||||||
|
@ -21,7 +21,7 @@ metrics:
|
||||||
echoenv:
|
echoenv:
|
||||||
echo "[echoenv] Using ${ENV} environment. If this is not what you want, export ENV=development|staging|production"
|
echo "[echoenv] Using ${ENV} environment. If this is not what you want, export ENV=development|staging|production"
|
||||||
|
|
||||||
scrap: namespaces secrets velero chisel flux
|
scrap: namespaces secrets velero flux
|
||||||
|
|
||||||
velero:
|
velero:
|
||||||
./scripts/velero-create.sh
|
./scripts/velero-create.sh
|
||||||
|
@ -30,6 +30,9 @@ tilt:
|
||||||
kind get kubeconfig > ~/.kube/futureporn.yaml
|
kind get kubeconfig > ~/.kube/futureporn.yaml
|
||||||
KUBECONFIG=~/.kube/futureporn.yaml tilt up -f ./Tiltfile
|
KUBECONFIG=~/.kube/futureporn.yaml tilt up -f ./Tiltfile
|
||||||
|
|
||||||
|
cert-manager:
|
||||||
|
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
|
||||||
|
|
||||||
exoscale:
|
exoscale:
|
||||||
kubectl apply -f https://raw.githubusercontent.com/exoscale/cert-manager-webhook-exoscale/master/deploy/exoscale-webhook-kustomize/deploy.yaml
|
kubectl apply -f https://raw.githubusercontent.com/exoscale/cert-manager-webhook-exoscale/master/deploy/exoscale-webhook-kustomize/deploy.yaml
|
||||||
|
|
||||||
|
@ -39,9 +42,6 @@ kind:
|
||||||
kindload:
|
kindload:
|
||||||
./scripts/kind-load.sh
|
./scripts/kind-load.sh
|
||||||
|
|
||||||
chisel:
|
|
||||||
./scripts/k8s-chisel-operator.sh
|
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
kind delete cluster
|
kind delete cluster
|
||||||
dotenvx run -f .env.${ENV} -- node ./packages/infra/vultr-delete-orphaned-resources.js
|
dotenvx run -f .env.${ENV} -- node ./packages/infra/vultr-delete-orphaned-resources.js
|
||||||
|
|
223
Tiltfile
223
Tiltfile
|
@ -9,6 +9,8 @@ secret_settings(
|
||||||
disable_scrub=True
|
disable_scrub=True
|
||||||
)
|
)
|
||||||
|
|
||||||
|
## helm_remote and deploy_cert_manager are BANNED because they use too much bandwidth and crash my computer
|
||||||
|
##
|
||||||
## cert-manager slows down Tilt updates so I prefer to keep it commented unless I specifically need to test certs
|
## cert-manager slows down Tilt updates so I prefer to keep it commented unless I specifically need to test certs
|
||||||
## cert-manager loaded using this extension is PAINFULLY SLOW, and it must re-install and re-test every time the Tiltfile changes.
|
## cert-manager loaded using this extension is PAINFULLY SLOW, and it must re-install and re-test every time the Tiltfile changes.
|
||||||
## additionally, it is SYNCRHONOUS, which means nothing else can update until cert-manager is updated. @see https://github.com/tilt-dev/tilt-extensions/pull/90#issuecomment-704381205
|
## additionally, it is SYNCRHONOUS, which means nothing else can update until cert-manager is updated. @see https://github.com/tilt-dev/tilt-extensions/pull/90#issuecomment-704381205
|
||||||
|
@ -18,8 +20,7 @@ secret_settings(
|
||||||
# load_to_kind=True,
|
# load_to_kind=True,
|
||||||
# version='v1.15.1',
|
# version='v1.15.1',
|
||||||
# )
|
# )
|
||||||
|
# load('ext://helm_remote', 'helm_remote')
|
||||||
load('ext://helm_remote', 'helm_remote')
|
|
||||||
|
|
||||||
load('ext://dotenv', 'dotenv')
|
load('ext://dotenv', 'dotenv')
|
||||||
dotenv(fn='.env.development')
|
dotenv(fn='.env.development')
|
||||||
|
@ -56,24 +57,6 @@ dotenv(fn='.env.development')
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
helm_remote(
|
|
||||||
'traefik',
|
|
||||||
repo_name='traefik',
|
|
||||||
repo_url='https://traefik.github.io/charts',
|
|
||||||
namespace='futureporn',
|
|
||||||
version='28.3.0',
|
|
||||||
set=[
|
|
||||||
'globalArguments[0]=--global.sendanonymoususage=false',
|
|
||||||
'service.enabled=true',
|
|
||||||
'logs.access.enabled=true',
|
|
||||||
'logs.access.format=json',
|
|
||||||
'logs.general.level=DEBUG',
|
|
||||||
'logs.general.format=json',
|
|
||||||
'providers.kubernetesIngress.publishedService.enabled=true',
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
# helm_remote(
|
# helm_remote(
|
||||||
# 'nitter',
|
# 'nitter',
|
||||||
# repo_name='truecharts',
|
# repo_name='truecharts',
|
||||||
|
@ -111,8 +94,25 @@ k8s_yaml(helm(
|
||||||
'./charts/fp',
|
'./charts/fp',
|
||||||
values=['./charts/fp/values.yaml'],
|
values=['./charts/fp/values.yaml'],
|
||||||
))
|
))
|
||||||
|
## we are using a local helm chart instead of using helm_remote because that command makes the tilt builds Hella slow.
|
||||||
|
## to download this chart, we used the following commands.
|
||||||
|
## future re-pulling is needed to keep things up-to-date.
|
||||||
|
##
|
||||||
|
## helm repo add bitnami https://charts.bitnami.com/bitnami
|
||||||
|
## helm pull bitnami/postgresql --untar --destination ./charts/postgresql
|
||||||
|
k8s_yaml(helm(
|
||||||
|
'./charts/postgresql/postgresql',
|
||||||
|
namespace='futureporn',
|
||||||
|
values=[
|
||||||
|
'./charts/postgresql/values-overrides.yaml'
|
||||||
|
]
|
||||||
|
))
|
||||||
|
|
||||||
|
k8s_yaml(helm(
|
||||||
|
'./charts/cert-manager/cert-manager',
|
||||||
|
namespace='cert-manager',
|
||||||
|
values=['./charts/cert-manager/values-overrides.yaml']
|
||||||
|
))
|
||||||
|
|
||||||
|
|
||||||
# docker_build('fp/link2cid', './packages/link2cid')
|
# docker_build('fp/link2cid', './packages/link2cid')
|
||||||
|
@ -126,13 +126,14 @@ docker_build(
|
||||||
'./package.json',
|
'./package.json',
|
||||||
'./pnpm-lock.yaml',
|
'./pnpm-lock.yaml',
|
||||||
'./pnpm-workspace.yaml',
|
'./pnpm-workspace.yaml',
|
||||||
'./packages/strapi',
|
'./services/strapi',
|
||||||
'./packages/types',
|
'./packages/types',
|
||||||
],
|
],
|
||||||
live_update=[
|
live_update=[
|
||||||
sync('./packages/strapi', '/app'),
|
sync('./services/strapi', '/app'),
|
||||||
run('cd /app && pnpm i', trigger=['./packages/strapi/package.json', './packages/strapi/pnpm-lock.yaml'])
|
run('cd /app && pnpm i', trigger=['./services/strapi/package.json', './services/strapi/pnpm-lock.yaml'])
|
||||||
]
|
],
|
||||||
|
pull=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
# docker_build(
|
# docker_build(
|
||||||
|
@ -172,7 +173,7 @@ cmd_button('postgres:create',
|
||||||
text='create (empty) databases',
|
text='create (empty) databases',
|
||||||
)
|
)
|
||||||
cmd_button('postgres:restore',
|
cmd_button('postgres:restore',
|
||||||
argv=['dotenvx', 'run', '-f', '.env.development', '--', './scripts/postgres-restore.sh'],
|
argv=['./scripts/postgres-restore.sh'],
|
||||||
resource='postgresql-primary',
|
resource='postgresql-primary',
|
||||||
icon_name='upload',
|
icon_name='upload',
|
||||||
text='restore db from backup',
|
text='restore db from backup',
|
||||||
|
@ -191,13 +192,26 @@ cmd_button('capture-api:create',
|
||||||
text='Start Recording'
|
text='Start Recording'
|
||||||
)
|
)
|
||||||
|
|
||||||
cmd_button('postgres:graphile',
|
cmd_button('postgrest:restore',
|
||||||
argv=['sh', './scripts/postgres-test-graphile.sh'],
|
argv=['./scripts/postgrest.sh'],
|
||||||
resource='postgresql-primary',
|
resource='postgrest',
|
||||||
icon_name='graph',
|
icon_name='start',
|
||||||
text='create graphile test job',
|
text='initialize',
|
||||||
)
|
)
|
||||||
|
|
||||||
|
cmd_button('postgrest:migrate',
|
||||||
|
argv=[''],
|
||||||
|
resource='postgrest',
|
||||||
|
icon_name='directions_run',
|
||||||
|
text='Run migrations',
|
||||||
|
)
|
||||||
|
|
||||||
|
cmd_button('pgadmin4:restore',
|
||||||
|
argv=['./scripts/pgadmin-import-connection.sh'],
|
||||||
|
resource='pgadmin4',
|
||||||
|
icon_name='hub',
|
||||||
|
text='import connection',
|
||||||
|
)
|
||||||
|
|
||||||
## Uncomment the following for fp/next in dev mode
|
## Uncomment the following for fp/next in dev mode
|
||||||
## this is useful for changing the UI and seeing results
|
## this is useful for changing the UI and seeing results
|
||||||
|
@ -210,8 +224,9 @@ docker_build(
|
||||||
'NEXT_PUBLIC_STRAPI_URL': 'https://strapi.fp.sbtp.xyz'
|
'NEXT_PUBLIC_STRAPI_URL': 'https://strapi.fp.sbtp.xyz'
|
||||||
},
|
},
|
||||||
live_update=[
|
live_update=[
|
||||||
sync('./packages/next', '/app')
|
sync('./services/next', '/app')
|
||||||
]
|
],
|
||||||
|
pull=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@ -240,16 +255,17 @@ docker_build(
|
||||||
'./pnpm-workspace.yaml',
|
'./pnpm-workspace.yaml',
|
||||||
'./packages/image',
|
'./packages/image',
|
||||||
'./packages/scout',
|
'./packages/scout',
|
||||||
'./packages/mailbox',
|
'./services/mailbox',
|
||||||
'./packages/types',
|
'./packages/types',
|
||||||
'./packages/utils',
|
'./packages/utils',
|
||||||
'./packages/video',
|
'./packages/video',
|
||||||
'./packages/storage',
|
'./packages/storage',
|
||||||
],
|
],
|
||||||
live_update=[
|
live_update=[
|
||||||
sync('./packages/mailbox', '/app'),
|
sync('./services/mailbox', '/app'),
|
||||||
run('cd /app && pnpm i', trigger=['./packages/mailbox/package.json', './packages/mailbox/pnpm-lock.yaml']),
|
run('cd /app && pnpm i', trigger=['./services/mailbox/package.json', './services/mailbox/pnpm-lock.yaml']),
|
||||||
],
|
],
|
||||||
|
pull=False,
|
||||||
# entrypoint='pnpm nodemon --ext js,ts,json,yaml --exec node --no-warnings=ExperimentalWarning --loader ts-node/esm ./src/index.ts'
|
# entrypoint='pnpm nodemon --ext js,ts,json,yaml --exec node --no-warnings=ExperimentalWarning --loader ts-node/esm ./src/index.ts'
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -293,7 +309,8 @@ docker_build(
|
||||||
],
|
],
|
||||||
live_update=[
|
live_update=[
|
||||||
sync('./packages/capture/dist', '/app/dist'),
|
sync('./packages/capture/dist', '/app/dist'),
|
||||||
]
|
],
|
||||||
|
pull=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@ -321,14 +338,14 @@ docker_build(
|
||||||
# )
|
# )
|
||||||
|
|
||||||
|
|
||||||
k8s_resource(
|
# k8s_resource(
|
||||||
workload='uppy',
|
# workload='uppy',
|
||||||
links=[
|
# links=[
|
||||||
link('https://uppy.fp.sbtp.xyz'),
|
# link('https://uppy.fp.sbtp.xyz'),
|
||||||
],
|
# ],
|
||||||
resource_deps=['redis-master'],
|
# resource_deps=['redis-master'],
|
||||||
labels=['backend'],
|
# labels=['backend'],
|
||||||
)
|
# )
|
||||||
k8s_resource(
|
k8s_resource(
|
||||||
workload='next',
|
workload='next',
|
||||||
port_forwards=['3000'],
|
port_forwards=['3000'],
|
||||||
|
@ -352,36 +369,19 @@ k8s_resource(
|
||||||
k8s_resource(
|
k8s_resource(
|
||||||
workload='postgresql-primary',
|
workload='postgresql-primary',
|
||||||
port_forwards=['5432'],
|
port_forwards=['5432'],
|
||||||
labels=['backend'],
|
labels=['database'],
|
||||||
)
|
)
|
||||||
|
|
||||||
k8s_resource(
|
k8s_resource(
|
||||||
workload='traefik',
|
workload='postgresql-read',
|
||||||
port_forwards=['9000:9000'],
|
labels=['database']
|
||||||
links=[
|
|
||||||
link('http://localhost:9000/dashboard')
|
|
||||||
],
|
|
||||||
labels=['networking'],
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
k8s_resource(
|
k8s_resource(
|
||||||
workload='mailbox',
|
workload='mailbox',
|
||||||
resource_deps=['postgresql-primary', 'strapi'],
|
resource_deps=['postgresql-primary', 'strapi'],
|
||||||
labels=['backend'],
|
labels=['backend'],
|
||||||
)
|
)
|
||||||
|
|
||||||
# k8s_resource(
|
|
||||||
# workload='',
|
|
||||||
|
|
||||||
# )
|
|
||||||
|
|
||||||
# k8s_resource(
|
|
||||||
# workload='pgadmin',
|
|
||||||
# port_forwards=['5050'],
|
|
||||||
# resource_deps=['postgresql-primary']
|
|
||||||
# )
|
|
||||||
|
|
||||||
# k8s_resource(
|
# k8s_resource(
|
||||||
# workload='nitter',
|
# workload='nitter',
|
||||||
|
@ -406,41 +406,23 @@ k8s_resource(
|
||||||
# 'grafana.sidecar.dashboards.provider.foldersFromFileStructure=true'
|
# 'grafana.sidecar.dashboards.provider.foldersFromFileStructure=true'
|
||||||
# ]
|
# ]
|
||||||
# )
|
# )
|
||||||
helm_remote(
|
|
||||||
'postgresql',
|
|
||||||
repo_name='postgresql',
|
|
||||||
repo_url='https://charts.bitnami.com/bitnami',
|
|
||||||
namespace='futureporn',
|
|
||||||
version='15.5.17',
|
|
||||||
set=[
|
|
||||||
'auth.enablePostgresUser=true',
|
|
||||||
'auth.existingSecret=postgresql',
|
|
||||||
# 'architecture=standalone',
|
|
||||||
'architecture=replication',
|
|
||||||
'readReplicas.replicaCount=3',
|
|
||||||
'replication.syncronousCommit=on',
|
|
||||||
'replication.numSyncronousReplicas=1',
|
|
||||||
'replication.applicationName=futureporn',
|
|
||||||
'image.debug=true',
|
|
||||||
'auth.usePasswordFiles=true',
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
## redis is only here for uppy's usage.
|
## redis is only here for uppy's usage.
|
||||||
## If we can engineer a way to delete redis, let's do it
|
## If we can engineer a way to delete redis, let's do it
|
||||||
helm_remote(
|
# helm_remote(
|
||||||
'redis',
|
# 'redis',
|
||||||
repo_name='redis',
|
# repo_name='redis',
|
||||||
repo_url='https://charts.bitnami.com/bitnami',
|
# repo_url='https://charts.bitnami.com/bitnami',
|
||||||
namespace='futureporn',
|
# namespace='futureporn',
|
||||||
version='19.6.1',
|
# version='19.6.1',
|
||||||
set=[
|
# set=[
|
||||||
'auth.existingSecret=redis',
|
# 'auth.existingSecret=redis',
|
||||||
'auth.existingSecretPasswordKey=password',
|
# 'auth.existingSecretPasswordKey=password',
|
||||||
'replica.persistence.enabled=false',
|
# 'replica.persistence.enabled=false',
|
||||||
'architecture=standalone'
|
# 'architecture=standalone'
|
||||||
]
|
# ]
|
||||||
)
|
# )
|
||||||
|
|
||||||
k8s_resource(
|
k8s_resource(
|
||||||
workload='external-dns',
|
workload='external-dns',
|
||||||
|
@ -453,15 +435,12 @@ k8s_resource(
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
k8s_resource(
|
# k8s_resource(
|
||||||
workload='redis-master',
|
# workload='redis-master',
|
||||||
labels=['backend']
|
# labels=['backend']
|
||||||
)
|
# )
|
||||||
|
|
||||||
|
|
||||||
k8s_resource(
|
|
||||||
workload='postgresql-read',
|
|
||||||
labels=['backend']
|
|
||||||
)
|
|
||||||
# k8s_resource(
|
# k8s_resource(
|
||||||
# workload='bot',
|
# workload='bot',
|
||||||
# labels=['backend'],
|
# labels=['backend'],
|
||||||
|
@ -471,9 +450,41 @@ k8s_resource(
|
||||||
workload='capture-api',
|
workload='capture-api',
|
||||||
port_forwards=['5003'],
|
port_forwards=['5003'],
|
||||||
labels=['backend'],
|
labels=['backend'],
|
||||||
|
resource_deps=['postgrest', 'postgresql-primary'],
|
||||||
)
|
)
|
||||||
|
|
||||||
k8s_resource(
|
k8s_resource(
|
||||||
workload='capture-worker',
|
workload='capture-worker',
|
||||||
labels=['backend'],
|
labels=['backend'],
|
||||||
|
resource_deps=['postgrest', 'postgresql-primary'],
|
||||||
)
|
)
|
||||||
|
k8s_resource(
|
||||||
|
workload='postgrest',
|
||||||
|
port_forwards=['9000'],
|
||||||
|
labels=['database'],
|
||||||
|
resource_deps=['postgresql-primary'],
|
||||||
|
)
|
||||||
|
|
||||||
|
k8s_resource(
|
||||||
|
workload='pgadmin4',
|
||||||
|
port_forwards=['5050:80'],
|
||||||
|
labels=['database'],
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
k8s_resource(
|
||||||
|
workload='cert-manager',
|
||||||
|
labels=['certificates'],
|
||||||
|
)
|
||||||
|
k8s_resource(
|
||||||
|
workload='cert-manager-cainjector',
|
||||||
|
labels=['certificates'],
|
||||||
|
)
|
||||||
|
k8s_resource(
|
||||||
|
workload='cert-manager-webhook',
|
||||||
|
labels=['certificates'],
|
||||||
|
)
|
||||||
|
k8s_resource(
|
||||||
|
workload='cert-manager-startupapicheck',
|
||||||
|
labels=['certificates'],
|
||||||
|
)
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Futureporn Helm charts
|
||||||
|
|
||||||
|
These charts define the bulk of Futureporn's Kubernetes (k8s) payload. (Some of the infrastrucutre-specific payload is at `<PROJECT_ROOT>/flux/`)
|
||||||
|
In production, Flux CD deploys these charts into the k8s cluster.
|
||||||
|
|
||||||
|
|
||||||
|
## development
|
||||||
|
|
||||||
|
We are using a local Helm charts instead of using Tilt's `helm_remote` because that command makes the Tilt builds Hella slow.
|
||||||
|
|
||||||
|
We override default values in the parent folder.
|
||||||
|
|
||||||
|
/charts/postgresql/postgresql/values.yaml
|
||||||
|
/charts/postgresql/values-overrides.yaml
|
||||||
|
|
||||||
|
### postgresql
|
||||||
|
|
||||||
|
helm repo add bitnami https://charts.bitnami.com/bitnami --force-update
|
||||||
|
helm pull bitnami/postgresql --untar --destination ./charts/postgresql
|
||||||
|
|
||||||
|
### cert-manager
|
||||||
|
|
||||||
|
helm repo add jetstack https://charts.jetstack.io --force-update
|
||||||
|
helm pull jetstack/cert-manager --untar --destination ./charts/cert-manager
|
|
@ -0,0 +1,26 @@
|
||||||
|
annotations:
|
||||||
|
artifacthub.io/category: security
|
||||||
|
artifacthub.io/license: Apache-2.0
|
||||||
|
artifacthub.io/prerelease: "false"
|
||||||
|
artifacthub.io/signKey: |
|
||||||
|
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
|
||||||
|
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
|
||||||
|
apiVersion: v2
|
||||||
|
appVersion: v1.15.1
|
||||||
|
description: A Helm chart for cert-manager
|
||||||
|
home: https://cert-manager.io
|
||||||
|
icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
|
||||||
|
keywords:
|
||||||
|
- cert-manager
|
||||||
|
- kube-lego
|
||||||
|
- letsencrypt
|
||||||
|
- tls
|
||||||
|
kubeVersion: '>= 1.22.0-0'
|
||||||
|
maintainers:
|
||||||
|
- email: cert-manager-maintainers@googlegroups.com
|
||||||
|
name: cert-manager-maintainers
|
||||||
|
url: https://cert-manager.io
|
||||||
|
name: cert-manager
|
||||||
|
sources:
|
||||||
|
- https://github.com/cert-manager/cert-manager
|
||||||
|
version: v1.15.1
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.installCRDs }}
|
||||||
|
⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
|
||||||
|
{{- end }}
|
||||||
|
cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
|
||||||
|
|
||||||
|
In order to begin issuing certificates, you will need to set up a ClusterIssuer
|
||||||
|
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
|
||||||
|
|
||||||
|
More information on the different types of issuers and how to configure them
|
||||||
|
can be found in our documentation:
|
||||||
|
|
||||||
|
https://cert-manager.io/docs/configuration/
|
||||||
|
|
||||||
|
For information on how to configure cert-manager to automatically provision
|
||||||
|
Certificates for Ingress resources, take a look at the `ingress-shim`
|
||||||
|
documentation:
|
||||||
|
|
||||||
|
https://cert-manager.io/docs/usage/ingress/
|
|
@ -0,0 +1,202 @@
|
||||||
|
{{/* vim: set filetype=mustache: */}}
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
*/}}
|
||||||
|
{{- define "cert-manager.name" -}}
|
||||||
|
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
*/}}
|
||||||
|
{{- define "cert-manager.fullname" -}}
|
||||||
|
{{- if .Values.fullnameOverride -}}
|
||||||
|
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||||
|
{{- if contains $name .Release.Name -}}
|
||||||
|
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the name of the service account to use
|
||||||
|
*/}}
|
||||||
|
{{- define "cert-manager.serviceAccountName" -}}
|
||||||
|
{{- if .Values.serviceAccount.create -}}
|
||||||
|
{{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
|
||||||
|
{{- else -}}
|
||||||
|
{{ default "default" .Values.serviceAccount.name }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Webhook templates
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
Manually fix the 'app' and 'name' labels to 'webhook' to maintain
|
||||||
|
compatibility with the v0.9 deployment selector.
|
||||||
|
*/}}
|
||||||
|
{{- define "webhook.name" -}}
|
||||||
|
{{- printf "webhook" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "webhook.fullname" -}}
|
||||||
|
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
|
||||||
|
{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "webhook.caRef" -}}
|
||||||
|
{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the name of the service account to use
|
||||||
|
*/}}
|
||||||
|
{{- define "webhook.serviceAccountName" -}}
|
||||||
|
{{- if .Values.webhook.serviceAccount.create -}}
|
||||||
|
{{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
|
||||||
|
{{- else -}}
|
||||||
|
{{ default "default" .Values.webhook.serviceAccount.name }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
cainjector templates
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
|
||||||
|
compatibility with the v0.9 deployment selector.
|
||||||
|
*/}}
|
||||||
|
{{- define "cainjector.name" -}}
|
||||||
|
{{- printf "cainjector" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "cainjector.fullname" -}}
|
||||||
|
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||||
|
{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the name of the service account to use
|
||||||
|
*/}}
|
||||||
|
{{- define "cainjector.serviceAccountName" -}}
|
||||||
|
{{- if .Values.cainjector.serviceAccount.create -}}
|
||||||
|
{{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
|
||||||
|
{{- else -}}
|
||||||
|
{{ default "default" .Values.cainjector.serviceAccount.name }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
startupapicheck templates
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
|
||||||
|
compatibility with the v0.9 deployment selector.
|
||||||
|
*/}}
|
||||||
|
{{- define "startupapicheck.name" -}}
|
||||||
|
{{- printf "startupapicheck" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "startupapicheck.fullname" -}}
|
||||||
|
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||||
|
{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the name of the service account to use
|
||||||
|
*/}}
|
||||||
|
{{- define "startupapicheck.serviceAccountName" -}}
|
||||||
|
{{- if .Values.startupapicheck.serviceAccount.create -}}
|
||||||
|
{{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
|
||||||
|
{{- else -}}
|
||||||
|
{{ default "default" .Values.startupapicheck.serviceAccount.name }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create chart name and version as used by the chart label.
|
||||||
|
*/}}
|
||||||
|
{{- define "chartName" -}}
|
||||||
|
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Labels that should be added on each resource
|
||||||
|
*/}}
|
||||||
|
{{- define "labels" -}}
|
||||||
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||||
|
{{- if eq (default "helm" .Values.creator) "helm" }}
|
||||||
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
helm.sh/chart: {{ include "chartName" . }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- if .Values.global.commonLabels}}
|
||||||
|
{{ toYaml .Values.global.commonLabels }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Namespace for all resources to be installed into
|
||||||
|
If not defined in values file then the helm release namespace is used
|
||||||
|
By default this is not set so the helm release namespace will be used
|
||||||
|
|
||||||
|
This gets around an problem within helm discussed here
|
||||||
|
https://github.com/helm/helm/issues/5358
|
||||||
|
*/}}
|
||||||
|
{{- define "cert-manager.namespace" -}}
|
||||||
|
{{ .Values.namespace | default .Release.Namespace }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Util function for generating the image URL based on the provided options.
|
||||||
|
IMPORTANT: This function is standarized across all charts in the cert-manager GH organization.
|
||||||
|
Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
|
||||||
|
See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
|
||||||
|
*/}}
|
||||||
|
{{- define "image" -}}
|
||||||
|
{{- $defaultTag := index . 1 -}}
|
||||||
|
{{- with index . 0 -}}
|
||||||
|
{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
|
||||||
|
{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Check that the user has not set both .installCRDs and .crds.enabled or
|
||||||
|
set .installCRDs and disabled .crds.keep.
|
||||||
|
.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
|
||||||
|
*/}}
|
||||||
|
{{- define "cert-manager.crd-check" -}}
|
||||||
|
{{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
|
||||||
|
{{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
|
||||||
|
{{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end -}}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.cainjector.config -}}
|
||||||
|
{{- $_ := .Values.cainjector.config.apiVersion | required ".Values.cainjector.config.apiVersion must be set !" -}}
|
||||||
|
{{- $_ := .Values.cainjector.config.kind | required ".Values.cainjector.config.kind must be set !" -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ include "cainjector.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
data:
|
||||||
|
config.yaml: |
|
||||||
|
{{- .Values.cainjector.config | toYaml | nindent 4 }}
|
||||||
|
{{- end -}}
|
|
@ -0,0 +1,140 @@
|
||||||
|
{{- if .Values.cainjector.enabled }}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ include "cainjector.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.cainjector.deploymentAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.cainjector.replicaCount }}
|
||||||
|
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||||
|
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||||
|
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- with .Values.cainjector.strategy }}
|
||||||
|
strategy:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 8 }}
|
||||||
|
{{- with .Values.cainjector.podLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.podAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
|
||||||
|
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
|
||||||
|
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
|
||||||
|
{{- end }}
|
||||||
|
enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
|
||||||
|
{{- with .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.securityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: {{ .Chart.Name }}-cainjector
|
||||||
|
image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
|
||||||
|
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
|
||||||
|
args:
|
||||||
|
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||||
|
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||||
|
- --v={{ .Values.global.logLevel }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.cainjector.config }}
|
||||||
|
- --config=/var/cert-manager/config/config.yaml
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.global.leaderElection }}
|
||||||
|
- --leader-election-namespace={{ .namespace }}
|
||||||
|
{{- if .leaseDuration }}
|
||||||
|
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .renewDeadline }}
|
||||||
|
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .retryPeriod }}
|
||||||
|
- --leader-election-retry-period={{ .retryPeriod }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.featureGates}}
|
||||||
|
- --feature-gates={{ . }}
|
||||||
|
{{- end}}
|
||||||
|
{{- with .Values.cainjector.extraArgs }}
|
||||||
|
{{- toYaml . | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
{{- with .Values.cainjector.containerSecurityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.resources }}
|
||||||
|
resources:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if .Values.cainjector.config }}
|
||||||
|
- name: config
|
||||||
|
mountPath: /var/cert-manager/config
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.volumeMounts }}
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.cainjector.topologySpreadConstraints }}
|
||||||
|
topologySpreadConstraints:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.cainjector.volumes .Values.cainjector.config }}
|
||||||
|
volumes:
|
||||||
|
{{- if .Values.cainjector.config }}
|
||||||
|
- name: config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "cainjector.fullname" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{ with .Values.cainjector.volumes }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,29 @@
|
||||||
|
{{- if .Values.cainjector.podDisruptionBudget.enabled }}
|
||||||
|
apiVersion: policy/v1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "cainjector.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
|
||||||
|
{{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
|
||||||
|
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
|
||||||
|
minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
|
||||||
|
maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,20 @@
|
||||||
|
{{- if .Values.cainjector.enabled }}
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cainjector.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames:
|
||||||
|
- {{ template "cainjector.fullname" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,22 @@
|
||||||
|
{{- if .Values.cainjector.enabled }}
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cainjector.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cainjector.fullname" . }}-psp
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ template "cainjector.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,51 @@
|
||||||
|
{{- if .Values.cainjector.enabled }}
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cainjector.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||||
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||||
|
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||||
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
privileged: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
hostNetwork: false
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
runAsUser:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
fsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,103 @@
|
||||||
|
{{- if .Values.cainjector.enabled }}
|
||||||
|
{{- if .Values.global.rbac.create }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cainjector.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["get", "create", "update", "patch"]
|
||||||
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
|
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||||
|
verbs: ["get", "list", "watch", "update", "patch"]
|
||||||
|
- apiGroups: ["apiregistration.k8s.io"]
|
||||||
|
resources: ["apiservices"]
|
||||||
|
verbs: ["get", "list", "watch", "update", "patch"]
|
||||||
|
- apiGroups: ["apiextensions.k8s.io"]
|
||||||
|
resources: ["customresourcedefinitions"]
|
||||||
|
verbs: ["get", "list", "watch", "update", "patch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cainjector.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cainjector.fullname" . }}
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cainjector.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
---
|
||||||
|
# leader election rules
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||||
|
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
# Used for leader election by the controller
|
||||||
|
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||||
|
# see cmd/cainjector/start.go#L113
|
||||||
|
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||||
|
# see cmd/cainjector/start.go#L137
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||||
|
verbs: ["get", "update", "patch"]
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
verbs: ["create"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||||
|
# leader election namespace
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "cainjector.fullname" . }}:leaderelection
|
||||||
|
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ template "cainjector.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,27 @@
|
||||||
|
{{- if .Values.cainjector.enabled }}
|
||||||
|
{{- if .Values.cainjector.serviceAccount.create }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cainjector.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- with .Values.cainjector.serviceAccount.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cainjector"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.cainjector.serviceAccount.labels }}
|
||||||
|
{{ toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.config -}}
|
||||||
|
{{- $_ := .Values.config.apiVersion | required ".Values.config.apiVersion must be set !" -}}
|
||||||
|
{{- $_ := .Values.config.kind | required ".Values.config.kind must be set !" -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ include "cert-manager.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
data:
|
||||||
|
config.yaml: |
|
||||||
|
{{- .Values.config | toYaml | nindent 4 }}
|
||||||
|
{{- end -}}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,231 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ template "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.deploymentAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.replicaCount }}
|
||||||
|
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||||
|
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||||
|
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- with .Values.strategy }}
|
||||||
|
strategy:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: {{ template "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 8 }}
|
||||||
|
{{- with .Values.podLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.podAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||||
|
{{- if not .Values.podAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- end }}
|
||||||
|
prometheus.io/path: "/metrics"
|
||||||
|
prometheus.io/scrape: 'true'
|
||||||
|
prometheus.io/port: '9402'
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
{{- if hasKey .Values "automountServiceAccountToken" }}
|
||||||
|
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
|
||||||
|
{{- end }}
|
||||||
|
enableServiceLinks: {{ .Values.enableServiceLinks }}
|
||||||
|
{{- with .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.securityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.volumes .Values.config}}
|
||||||
|
volumes:
|
||||||
|
{{- if .Values.config }}
|
||||||
|
- name: config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "cert-manager.fullname" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{ with .Values.volumes }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: {{ .Chart.Name }}-controller
|
||||||
|
image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
|
args:
|
||||||
|
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||||
|
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||||
|
- --v={{ .Values.global.logLevel }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.config }}
|
||||||
|
- --config=/var/cert-manager/config/config.yaml
|
||||||
|
{{- end }}
|
||||||
|
{{- $config := default .Values.config "" }}
|
||||||
|
{{- if .Values.clusterResourceNamespace }}
|
||||||
|
- --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.global.leaderElection }}
|
||||||
|
- --leader-election-namespace={{ .namespace }}
|
||||||
|
{{- if .leaseDuration }}
|
||||||
|
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .renewDeadline }}
|
||||||
|
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .retryPeriod }}
|
||||||
|
- --leader-election-retry-period={{ .retryPeriod }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.acmesolver.image }}
|
||||||
|
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.extraArgs }}
|
||||||
|
{{- toYaml . | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.ingressShim }}
|
||||||
|
{{- if .defaultIssuerName }}
|
||||||
|
- --default-issuer-name={{ .defaultIssuerName }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .defaultIssuerKind }}
|
||||||
|
- --default-issuer-kind={{ .defaultIssuerKind }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .defaultIssuerGroup }}
|
||||||
|
- --default-issuer-group={{ .defaultIssuerGroup }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.featureGates }}
|
||||||
|
- --feature-gates={{ .Values.featureGates }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.maxConcurrentChallenges }}
|
||||||
|
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.enableCertificateOwnerRef }}
|
||||||
|
- --enable-certificate-owner-ref=true
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.dns01RecursiveNameserversOnly }}
|
||||||
|
- --dns01-recursive-nameservers-only=true
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.dns01RecursiveNameservers }}
|
||||||
|
- --dns01-recursive-nameservers={{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.disableAutoApproval }}
|
||||||
|
- --controllers=-certificaterequests-approver
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 9402
|
||||||
|
name: http-metrics
|
||||||
|
protocol: TCP
|
||||||
|
- containerPort: 9403
|
||||||
|
name: http-healthz
|
||||||
|
protocol: TCP
|
||||||
|
{{- with .Values.containerSecurityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.config .Values.volumeMounts }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if .Values.config }}
|
||||||
|
- name: config
|
||||||
|
mountPath: /var/cert-manager/config
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.volumeMounts }}
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
{{- with .Values.extraEnv }}
|
||||||
|
{{- toYaml . | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.http_proxy }}
|
||||||
|
- name: HTTP_PROXY
|
||||||
|
value: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.https_proxy }}
|
||||||
|
- name: HTTPS_PROXY
|
||||||
|
value: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.no_proxy }}
|
||||||
|
- name: NO_PROXY
|
||||||
|
value: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.resources }}
|
||||||
|
resources:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with .Values.livenessProbe }}
|
||||||
|
{{- if .enabled }}
|
||||||
|
# LivenessProbe settings are based on those used for the Kubernetes
|
||||||
|
# controller-manager. See:
|
||||||
|
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
port: http-healthz
|
||||||
|
path: /livez
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: {{ .initialDelaySeconds }}
|
||||||
|
periodSeconds: {{ .periodSeconds }}
|
||||||
|
timeoutSeconds: {{ .timeoutSeconds }}
|
||||||
|
successThreshold: {{ .successThreshold }}
|
||||||
|
failureThreshold: {{ .failureThreshold }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.topologySpreadConstraints }}
|
||||||
|
topologySpreadConstraints:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.podDnsPolicy }}
|
||||||
|
dnsPolicy: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.podDnsConfig }}
|
||||||
|
dnsConfig:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.hostAliases }}
|
||||||
|
hostAliases: {{ toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,4 @@
|
||||||
|
{{ range .Values.extraObjects }}
|
||||||
|
---
|
||||||
|
{{ tpl . $ }}
|
||||||
|
{{ end }}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}-allow-egress
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
spec:
|
||||||
|
egress:
|
||||||
|
{{- with .Values.webhook.networkPolicy.egress }}
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
policyTypes:
|
||||||
|
- Egress
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,21 @@
|
||||||
|
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||||
|
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}-allow-ingress
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
spec:
|
||||||
|
ingress:
|
||||||
|
{{- with .Values.webhook.networkPolicy.ingress }}
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,29 @@
|
||||||
|
{{- if .Values.podDisruptionBudget.enabled }}
|
||||||
|
apiVersion: policy/v1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "cert-manager.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
|
||||||
|
{{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
|
||||||
|
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
|
||||||
|
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
|
||||||
|
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,50 @@
|
||||||
|
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||||
|
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||||
|
{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PodMonitor
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}
|
||||||
|
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||||
|
namespace: {{ .Values.prometheus.podmonitor.namespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
|
||||||
|
{{- with .Values.prometheus.podmonitor.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.prometheus.podmonitor.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- with .Values.prometheus.podmonitor.annotations }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchNames:
|
||||||
|
- {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
podMetricsEndpoints:
|
||||||
|
- port: http-metrics
|
||||||
|
path: {{ .Values.prometheus.podmonitor.path }}
|
||||||
|
interval: {{ .Values.prometheus.podmonitor.interval }}
|
||||||
|
scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
|
||||||
|
honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
|
||||||
|
{{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames:
|
||||||
|
- {{ template "cert-manager.fullname" . }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,20 @@
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-psp
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,49 @@
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||||
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||||
|
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||||
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
privileged: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
hostNetwork: false
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
runAsUser:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
fsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,574 @@
|
||||||
|
{{- if .Values.global.rbac.create }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||||
|
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
resourceNames: ["cert-manager-controller"]
|
||||||
|
verbs: ["get", "update", "patch"]
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
verbs: ["create"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||||
|
# leader election namespace
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "cert-manager.fullname" . }}:leaderelection
|
||||||
|
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Issuer controller role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["issuers", "issuers/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["issuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
---
|
||||||
|
|
||||||
|
# ClusterIssuer controller role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["clusterissuers", "clusterissuers/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["clusterissuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Certificates controller role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders"]
|
||||||
|
verbs: ["create", "delete", "get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Orders controller role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders", "orders/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders", "challenges"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["clusterissuers", "issuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges"]
|
||||||
|
verbs: ["create", "delete"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Challenges controller role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
# Use to update challenge resource status
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges", "challenges/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
|
# Used to watch challenge resources
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# Used to watch challenges, issuer and clusterissuer resources
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["issuers", "clusterissuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# Need to be able to retrieve ACME account private key to complete challenges
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# Used to create events
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
# HTTP01 rules
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods", "services"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "delete"]
|
||||||
|
- apiGroups: ["networking.k8s.io"]
|
||||||
|
resources: ["ingresses"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||||
|
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||||
|
resources: [ "httproutes" ]
|
||||||
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||||
|
# We require the ability to specify a custom hostname when we are creating
|
||||||
|
# new ingress resources.
|
||||||
|
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||||
|
- apiGroups: ["route.openshift.io"]
|
||||||
|
resources: ["routes/custom-host"]
|
||||||
|
verbs: ["create"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
# DNS01 rules (duplicated above)
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# ingress-shim controller role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests"]
|
||||||
|
verbs: ["create", "update", "delete"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["networking.k8s.io"]
|
||||||
|
resources: ["ingresses"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["networking.k8s.io"]
|
||||||
|
resources: ["ingresses/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["gateway.networking.k8s.io"]
|
||||||
|
resources: ["gateways", "httproutes"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["gateway.networking.k8s.io"]
|
||||||
|
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-cluster-view
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["clusterissuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-view
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests", "issuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges", "orders"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-edit
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests", "issuers"]
|
||||||
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges", "orders"]
|
||||||
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
{{- if not .Values.disableAutoApproval -}}
|
||||||
|
|
||||||
|
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cert-manager"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["signers"]
|
||||||
|
verbs: ["approve"]
|
||||||
|
{{- with .Values.approveSignerNames }}
|
||||||
|
resourceNames:
|
||||||
|
{{- range . }}
|
||||||
|
- {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cert-manager"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
# Permission to:
|
||||||
|
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||||
|
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cert-manager"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["certificates.k8s.io"]
|
||||||
|
resources: ["certificatesigningrequests"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: ["certificates.k8s.io"]
|
||||||
|
resources: ["certificatesigningrequests/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
|
- apiGroups: ["certificates.k8s.io"]
|
||||||
|
resources: ["signers"]
|
||||||
|
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||||
|
verbs: ["sign"]
|
||||||
|
- apiGroups: ["authorization.k8s.io"]
|
||||||
|
resources: ["subjectaccessreviews"]
|
||||||
|
verbs: ["create"]
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "cert-manager"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||||
|
subjects:
|
||||||
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,37 @@
|
||||||
|
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- with .Values.serviceAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{ toYaml . | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.serviceLabels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
{{- if .Values.serviceIPFamilyPolicy }}
|
||||||
|
ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.serviceIPFamilies }}
|
||||||
|
ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 9402
|
||||||
|
name: tcp-prometheus-servicemonitor
|
||||||
|
targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,25 @@
|
||||||
|
{{- if .Values.serviceAccount.create }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
{{- with .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- with .Values.serviceAccount.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.serviceAccount.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,50 @@
|
||||||
|
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||||
|
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||||
|
{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: ServiceMonitor
|
||||||
|
metadata:
|
||||||
|
name: {{ template "cert-manager.fullname" . }}
|
||||||
|
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||||
|
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
|
||||||
|
{{- with .Values.prometheus.servicemonitor.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.prometheus.servicemonitor.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- with .Values.prometheus.servicemonitor.annotations }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "controller"
|
||||||
|
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchNames:
|
||||||
|
- {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
endpoints:
|
||||||
|
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||||
|
path: {{ .Values.prometheus.servicemonitor.path }}
|
||||||
|
interval: {{ .Values.prometheus.servicemonitor.interval }}
|
||||||
|
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
|
||||||
|
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
|
||||||
|
{{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,87 @@
|
||||||
|
{{- if .Values.startupapicheck.enabled }}
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: {{ include "startupapicheck.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.startupapicheck.jobAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 8 }}
|
||||||
|
{{- with .Values.startupapicheck.podLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.podAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
restartPolicy: OnFailure
|
||||||
|
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
|
||||||
|
{{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
|
||||||
|
automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
|
||||||
|
{{- end }}
|
||||||
|
enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
|
||||||
|
{{- with .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.securityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: {{ .Chart.Name }}-startupapicheck
|
||||||
|
image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
|
||||||
|
imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
|
||||||
|
args:
|
||||||
|
- check
|
||||||
|
- api
|
||||||
|
- --wait={{ .Values.startupapicheck.timeout }}
|
||||||
|
{{- with .Values.startupapicheck.extraArgs }}
|
||||||
|
{{- toYaml . | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.containerSecurityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.resources }}
|
||||||
|
resources:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.volumeMounts }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.volumes }}
|
||||||
|
volumes:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,24 @@
|
||||||
|
{{- if .Values.startupapicheck.enabled }}
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames:
|
||||||
|
- {{ template "startupapicheck.fullname" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,26 @@
|
||||||
|
{{- if .Values.startupapicheck.enabled }}
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,51 @@
|
||||||
|
{{- if .Values.startupapicheck.enabled }}
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ template "startupapicheck.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||||
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||||
|
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||||
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
privileged: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||||
|
volumes:
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
hostNetwork: false
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
runAsUser:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
fsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,48 @@
|
||||||
|
{{- if .Values.startupapicheck.enabled }}
|
||||||
|
{{- if .Values.global.rbac.create }}
|
||||||
|
# create certificate role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates"]
|
||||||
|
verbs: ["create"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "startupapicheck.fullname" . }}:create-cert
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,27 @@
|
||||||
|
{{- if .Values.startupapicheck.enabled }}
|
||||||
|
{{- if .Values.startupapicheck.serviceAccount.create }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
|
||||||
|
metadata:
|
||||||
|
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- with .Values.startupapicheck.serviceAccount.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "startupapicheck"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.startupapicheck.serviceAccount.labels }}
|
||||||
|
{{ toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.webhook.config -}}
|
||||||
|
{{- $_ := .Values.webhook.config.apiVersion | required ".Values.webhook.config.apiVersion must be set !" -}}
|
||||||
|
{{- $_ := .Values.webhook.config.kind | required ".Values.webhook.config.kind must be set !" -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ include "webhook.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
data:
|
||||||
|
config.yaml: |
|
||||||
|
{{- .Values.webhook.config | toYaml | nindent 4 }}
|
||||||
|
{{- end -}}
|
|
@ -0,0 +1,192 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ include "webhook.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.webhook.deploymentAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.webhook.replicaCount }}
|
||||||
|
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||||
|
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||||
|
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- with .Values.webhook.strategy }}
|
||||||
|
strategy:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 8 }}
|
||||||
|
{{- with .Values.webhook.podLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.podAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
|
||||||
|
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
|
||||||
|
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
|
||||||
|
{{- end }}
|
||||||
|
enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
|
||||||
|
{{- with .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.securityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.webhook.hostNetwork }}
|
||||||
|
hostNetwork: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.webhook.hostNetwork }}
|
||||||
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: {{ .Chart.Name }}-webhook
|
||||||
|
image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
|
||||||
|
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
|
||||||
|
args:
|
||||||
|
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||||
|
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||||
|
- --v={{ .Values.global.logLevel }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.webhook.config }}
|
||||||
|
- --config=/var/cert-manager/config/config.yaml
|
||||||
|
{{- end }}
|
||||||
|
{{- $config := default .Values.webhook.config "" }}
|
||||||
|
{{ if not $config.securePort -}}
|
||||||
|
- --secure-port={{ .Values.webhook.securePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.webhook.featureGates }}
|
||||||
|
- --feature-gates={{ .Values.webhook.featureGates }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $tlsConfig := default $config.tlsConfig "" }}
|
||||||
|
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
||||||
|
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||||
|
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
|
||||||
|
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
|
||||||
|
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
|
||||||
|
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
|
||||||
|
{{ if .Values.webhook.url.host }}
|
||||||
|
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.extraArgs }}
|
||||||
|
{{- toYaml . | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: https
|
||||||
|
protocol: TCP
|
||||||
|
{{- if $config.securePort }}
|
||||||
|
containerPort: {{ $config.securePort }}
|
||||||
|
{{- else if .Values.webhook.securePort }}
|
||||||
|
containerPort: {{ .Values.webhook.securePort }}
|
||||||
|
{{- else }}
|
||||||
|
containerPort: 6443
|
||||||
|
{{- end }}
|
||||||
|
- name: healthcheck
|
||||||
|
protocol: TCP
|
||||||
|
{{- if $config.healthzPort }}
|
||||||
|
containerPort: {{ $config.healthzPort }}
|
||||||
|
{{- else }}
|
||||||
|
containerPort: 6080
|
||||||
|
{{- end }}
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /livez
|
||||||
|
{{- if $config.healthzPort }}
|
||||||
|
port: {{ $config.healthzPort }}
|
||||||
|
{{- else }}
|
||||||
|
port: 6080
|
||||||
|
{{- end }}
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
|
||||||
|
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
|
||||||
|
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
|
||||||
|
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
|
||||||
|
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
{{- if $config.healthzPort }}
|
||||||
|
port: {{ $config.healthzPort }}
|
||||||
|
{{- else }}
|
||||||
|
port: 6080
|
||||||
|
{{- end }}
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
|
||||||
|
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
|
||||||
|
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
|
||||||
|
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
|
||||||
|
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
|
||||||
|
{{- with .Values.webhook.containerSecurityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
{{- with .Values.webhook.resources }}
|
||||||
|
resources:
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if .Values.webhook.config }}
|
||||||
|
- name: config
|
||||||
|
mountPath: /var/cert-manager/config
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.volumeMounts }}
|
||||||
|
{{- toYaml . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.topologySpreadConstraints }}
|
||||||
|
topologySpreadConstraints:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.webhook.config .Values.webhook.volumes }}
|
||||||
|
volumes:
|
||||||
|
{{- if .Values.webhook.config }}
|
||||||
|
- name: config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "webhook.fullname" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.volumes }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,48 @@
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: {{ include "webhook.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
|
||||||
|
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
webhooks:
|
||||||
|
- name: webhook.cert-manager.io
|
||||||
|
{{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
|
||||||
|
namespaceSelector:
|
||||||
|
{{- toYaml . | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- "cert-manager.io"
|
||||||
|
apiVersions:
|
||||||
|
- "v1"
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
resources:
|
||||||
|
- "certificaterequests"
|
||||||
|
admissionReviewVersions: ["v1"]
|
||||||
|
# This webhook only accepts v1 cert-manager resources.
|
||||||
|
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||||
|
# this webhook (after the resources have been converted to v1).
|
||||||
|
matchPolicy: Equivalent
|
||||||
|
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||||
|
failurePolicy: Fail
|
||||||
|
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||||
|
sideEffects: None
|
||||||
|
clientConfig:
|
||||||
|
{{- if .Values.webhook.url.host }}
|
||||||
|
url: https://{{ .Values.webhook.url.host }}/mutate
|
||||||
|
{{- else }}
|
||||||
|
service:
|
||||||
|
name: {{ template "webhook.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
path: /mutate
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,29 @@
|
||||||
|
{{- if .Values.webhook.podDisruptionBudget.enabled }}
|
||||||
|
apiVersion: policy/v1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "webhook.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
|
||||||
|
{{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
|
||||||
|
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
|
||||||
|
minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
|
||||||
|
maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames:
|
||||||
|
- {{ template "webhook.fullname" . }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,20 @@
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}-psp
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "webhook.fullname" . }}-psp
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ template "webhook.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,54 @@
|
||||||
|
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||||
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||||
|
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||||
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
privileged: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
hostNetwork: {{ .Values.webhook.hostNetwork }}
|
||||||
|
{{- if .Values.webhook.hostNetwork }}
|
||||||
|
hostPorts:
|
||||||
|
- max: {{ .Values.webhook.securePort }}
|
||||||
|
min: {{ .Values.webhook.securePort }}
|
||||||
|
{{- end }}
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
runAsUser:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
fsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 1000
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,83 @@
|
||||||
|
{{- if .Values.global.rbac.create }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
resourceNames:
|
||||||
|
- '{{ template "webhook.fullname" . }}-ca'
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
# It's not possible to grant CREATE permission on a single resourceName.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["create"]
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: {{ template "webhook.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["authorization.k8s.io"]
|
||||||
|
resources: ["subjectaccessreviews"]
|
||||||
|
verbs: ["create"]
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: {{ template "webhook.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,38 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- with .Values.webhook.serviceAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{ toYaml . | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.webhook.serviceLabels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: {{ .Values.webhook.serviceType }}
|
||||||
|
{{- if .Values.webhook.serviceIPFamilyPolicy }}
|
||||||
|
ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.webhook.serviceIPFamilies }}
|
||||||
|
ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.webhook.loadBalancerIP }}
|
||||||
|
loadBalancerIP: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: "https"
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
|
@ -0,0 +1,25 @@
|
||||||
|
{{- if .Values.webhook.serviceAccount.create }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
|
||||||
|
metadata:
|
||||||
|
name: {{ template "webhook.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
{{- with .Values.webhook.serviceAccount.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.webhook.serviceAccount.labels }}
|
||||||
|
{{ toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,49 @@
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: ValidatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: {{ include "webhook.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: "webhook"
|
||||||
|
{{- include "labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
|
||||||
|
{{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
webhooks:
|
||||||
|
- name: webhook.cert-manager.io
|
||||||
|
{{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
|
||||||
|
namespaceSelector:
|
||||||
|
{{- toYaml . | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- "cert-manager.io"
|
||||||
|
- "acme.cert-manager.io"
|
||||||
|
apiVersions:
|
||||||
|
- "v1"
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
resources:
|
||||||
|
- "*/*"
|
||||||
|
admissionReviewVersions: ["v1"]
|
||||||
|
# This webhook only accepts v1 cert-manager resources.
|
||||||
|
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||||
|
# this webhook (after the resources have been converted to v1).
|
||||||
|
matchPolicy: Equivalent
|
||||||
|
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||||
|
failurePolicy: Fail
|
||||||
|
sideEffects: None
|
||||||
|
clientConfig:
|
||||||
|
{{- if .Values.webhook.url.host }}
|
||||||
|
url: https://{{ .Values.webhook.url.host }}/validate
|
||||||
|
{{- else }}
|
||||||
|
service:
|
||||||
|
name: {{ template "webhook.fullname" . }}
|
||||||
|
namespace: {{ include "cert-manager.namespace" . }}
|
||||||
|
path: /validate
|
||||||
|
{{- end }}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,2 @@
|
||||||
|
fullnameOverride: cert-manager
|
||||||
|
installCRDs: true
|
|
@ -0,0 +1,3 @@
|
||||||
|
templates that I may or may not use soon.
|
||||||
|
|
||||||
|
(@todo probably delete this entire dir)
|
|
@ -0,0 +1,53 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: postgresql
|
||||||
|
namespace: futureporn
|
||||||
|
labels:
|
||||||
|
app: postgresql
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.postgresql.replicas }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: postgresql
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: postgresql
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: postgresql
|
||||||
|
image: "{{ .Values.postgresql.image }}"
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: {{ .Values.postgresql.port }}
|
||||||
|
env:
|
||||||
|
- name: POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: postgresql
|
||||||
|
key: password
|
||||||
|
- name: POSTGRES_USER
|
||||||
|
value: futureporn
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: postgresql
|
||||||
|
namespace: futureporn
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.postgresql.hostname }}"
|
||||||
|
spec:
|
||||||
|
type: LoadBalancer
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: postgresql
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: {{ .Values.postgresql.port }}
|
||||||
|
targetPort: http
|
||||||
|
protocol: TCP
|
|
@ -99,7 +99,6 @@ metadata:
|
||||||
namespace: futureporn
|
namespace: futureporn
|
||||||
annotations:
|
annotations:
|
||||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.trigger.hostname }}"
|
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.trigger.hostname }}"
|
||||||
chisel-operator.io/exit-node-name: "trigger-exit-node"
|
|
||||||
spec:
|
spec:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
ports:
|
ports:
|
||||||
|
@ -109,59 +108,3 @@ spec:
|
||||||
selector:
|
selector:
|
||||||
app: trigger
|
app: trigger
|
||||||
|
|
||||||
|
|
||||||
{{ if eq .Values.environment "development" }}
|
|
||||||
---
|
|
||||||
apiVersion: chisel-operator.io/v2
|
|
||||||
kind: ExitNode
|
|
||||||
metadata:
|
|
||||||
name: trigger-exit-node
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
|
||||||
port: 9090
|
|
||||||
auth: chisel
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: trigger-http
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- web
|
|
||||||
routes:
|
|
||||||
- match: Host(`trigger.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
middlewares:
|
|
||||||
- name: redirect
|
|
||||||
namespace: futureporn
|
|
||||||
services:
|
|
||||||
- name: trigger
|
|
||||||
namespace: futureporn
|
|
||||||
port: 3030
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: trigger-https
|
|
||||||
namespace: futureporn
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- websecure
|
|
||||||
routes:
|
|
||||||
- match: Host(`trigger.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
services:
|
|
||||||
- name: trigger
|
|
||||||
namespace: futureporn
|
|
||||||
port: 3030
|
|
||||||
tls:
|
|
||||||
secretName: trigger-tls
|
|
||||||
|
|
|
@ -38,11 +38,11 @@ spec:
|
||||||
env:
|
env:
|
||||||
- name: FUNCTION
|
- name: FUNCTION
|
||||||
value: worker
|
value: worker
|
||||||
- name: DATABASE_URL
|
- name: PGBOSS_URL
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: capture
|
name: capture
|
||||||
key: databaseUrl
|
key: pgbossUrl
|
||||||
- name: PORT
|
- name: PORT
|
||||||
value: "{{ .Values.capture.api.port }}"
|
value: "{{ .Values.capture.api.port }}"
|
||||||
- name: S3_ENDPOINT
|
- name: S3_ENDPOINT
|
||||||
|
@ -63,8 +63,8 @@ spec:
|
||||||
key: s3SecretAccessKey
|
key: s3SecretAccessKey
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 1000m
|
cpu: 250m
|
||||||
memory: 2Gi
|
memory: 512Mi
|
||||||
restartPolicy: Always
|
restartPolicy: Always
|
||||||
|
|
||||||
|
|
||||||
|
@ -95,15 +95,15 @@ spec:
|
||||||
env:
|
env:
|
||||||
- name: FUNCTION
|
- name: FUNCTION
|
||||||
value: api
|
value: api
|
||||||
- name: DATABASE_URL
|
- name: PGBOSS_URL
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: capture
|
name: capture
|
||||||
key: databaseUrl
|
key: pgbossUrl
|
||||||
- name: PORT
|
- name: PORT
|
||||||
value: "{{ .Values.capture.api.port }}"
|
value: "{{ .Values.capture.api.port }}"
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 100m
|
cpu: 100m
|
||||||
memory: 256Mi
|
memory: 128Mi
|
||||||
restartPolicy: Always
|
restartPolicy: Always
|
|
@ -32,7 +32,6 @@ metadata:
|
||||||
namespace: futureporn
|
namespace: futureporn
|
||||||
annotations:
|
annotations:
|
||||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.next.hostname }}"
|
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.next.hostname }}"
|
||||||
chisel-operator.io/exit-node-name: "next-exit-node"
|
|
||||||
spec:
|
spec:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
selector:
|
selector:
|
||||||
|
@ -53,13 +52,11 @@ spec:
|
||||||
# name: next
|
# name: next
|
||||||
# namespace: futureporn
|
# namespace: futureporn
|
||||||
# annotations:
|
# annotations:
|
||||||
# traefik.ingress.kubernetes.io/router.entrypoints: http
|
|
||||||
# traefik.ingress.kubernetes.io/router.tls: "true"
|
|
||||||
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||||
# kubernetes.io/ingress.class: traefik
|
# kubernetes.io/ingress.class: nginx
|
||||||
# external-dns.alpha.kubernetes.io/hostname: "{{ .Values.next.hostname }}"
|
# external-dns.alpha.kubernetes.io/hostname: "{{ .Values.next.hostname }}"
|
||||||
# spec:
|
# spec:
|
||||||
# ingressClassName: traefik
|
# ingressClassName: nginx
|
||||||
# backend:
|
# backend:
|
||||||
# serviceName: next
|
# serviceName: next
|
||||||
# servicePort: 3000
|
# servicePort: 3000
|
||||||
|
@ -80,19 +77,6 @@ spec:
|
||||||
# number: 3000
|
# number: 3000
|
||||||
# {{ end }}
|
# {{ end }}
|
||||||
|
|
||||||
{{ if eq .Values.environment "development" }}
|
|
||||||
---
|
|
||||||
apiVersion: chisel-operator.io/v2
|
|
||||||
kind: ExitNode
|
|
||||||
metadata:
|
|
||||||
name: next-exit-node
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
|
||||||
port: 9090
|
|
||||||
auth: chisel
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# apiVersion: networking.k8s.io/v1
|
# apiVersion: networking.k8s.io/v1
|
||||||
|
@ -101,9 +85,7 @@ spec:
|
||||||
# name: next
|
# name: next
|
||||||
# namespace: futureporn
|
# namespace: futureporn
|
||||||
# annotations:
|
# annotations:
|
||||||
# traefik.ingress.kubernetes.io/router.entrypoints: web
|
|
||||||
# traefik.ingress.kubernetes.io/router.tls: "true"
|
|
||||||
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
|
||||||
# spec:
|
# spec:
|
||||||
# rules:
|
# rules:
|
||||||
# - host: next.fp.sbtp.xyz
|
# - host: next.fp.sbtp.xyz
|
||||||
|
@ -134,44 +116,3 @@ spec:
|
||||||
dnsNames:
|
dnsNames:
|
||||||
- "{{ .Values.next.hostname }}"
|
- "{{ .Values.next.hostname }}"
|
||||||
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: next-http
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- web
|
|
||||||
routes:
|
|
||||||
- match: Host(`next.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
middlewares:
|
|
||||||
- name: redirect
|
|
||||||
namespace: futureporn
|
|
||||||
services:
|
|
||||||
- name: next
|
|
||||||
port: 3000
|
|
||||||
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: next-https
|
|
||||||
namespace: futureporn
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- websecure
|
|
||||||
routes:
|
|
||||||
- match: Host(`next.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
services:
|
|
||||||
- name: next
|
|
||||||
namespace: futureporn
|
|
||||||
port: 3000
|
|
||||||
tls:
|
|
||||||
secretName: next-tls
|
|
|
@ -0,0 +1,55 @@
|
||||||
|
## Resist the urge to delete this container! We use it again and again!
|
||||||
|
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: pgadmin4
|
||||||
|
namespace: futureporn
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: pgadmin4
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: pgadmin4
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: pgadmin4
|
||||||
|
image: docker.io/dpage/pgadmin4:latest
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
memory: 256Mi
|
||||||
|
requests:
|
||||||
|
memory: 100Mi
|
||||||
|
env:
|
||||||
|
- name: PGADMIN_DEFAULT_EMAIL
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: pgadmin4
|
||||||
|
key: email
|
||||||
|
- name: PGADMIN_DEFAULT_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: pgadmin4
|
||||||
|
key: password
|
||||||
|
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: pgadmin4
|
||||||
|
namespace: futureporn
|
||||||
|
spec:
|
||||||
|
type: NodePort
|
||||||
|
ports:
|
||||||
|
- port: 5050
|
||||||
|
targetPort: 80
|
||||||
|
protocol: TCP
|
||||||
|
selector:
|
||||||
|
app: pgadmin4
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: postgrest
|
||||||
|
namespace: futureporn
|
||||||
|
labels:
|
||||||
|
app: postgrest
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.postgrest.replicas }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: postgrest
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: postgrest
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: postgrest
|
||||||
|
image: "{{ .Values.postgrest.image }}"
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: {{ .Values.postgrest.port }}
|
||||||
|
env:
|
||||||
|
- name: PGRST_DB_ANON_ROLE
|
||||||
|
value: anonymous
|
||||||
|
- name: PGRST_SERVER_PORT
|
||||||
|
value: "{{ .Values.postgrest.port }}"
|
||||||
|
- name: PGRST_DB_SCHEMAS
|
||||||
|
value: "{{ .Values.postgrest.schemas }}"
|
||||||
|
- name: PGRST_DB_URI
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: postgrest
|
||||||
|
key: dbUri
|
||||||
|
- name: PGRST_JWT_SECRET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: postgrest
|
||||||
|
key: jwtSecret
|
|
@ -1,123 +0,0 @@
|
||||||
# apiVersion: apps/v1
|
|
||||||
# kind: ReplicaSet
|
|
||||||
# metadata:
|
|
||||||
# name: scout-worker
|
|
||||||
# namespace: futureporn
|
|
||||||
# labels:
|
|
||||||
# app: scout-worker
|
|
||||||
# spec:
|
|
||||||
# replicas: {{ .Values.scout.replicas }}
|
|
||||||
# selector:
|
|
||||||
# matchLabels:
|
|
||||||
# app: scout-worker
|
|
||||||
# template:
|
|
||||||
# metadata:
|
|
||||||
# labels:
|
|
||||||
# app: scout-worker
|
|
||||||
# spec:
|
|
||||||
# containers:
|
|
||||||
# - name: scout-worker
|
|
||||||
# image: "{{ .Values.scout.imageName }}"
|
|
||||||
# imagePullPolicy: Always
|
|
||||||
# ports:
|
|
||||||
# - containerPort: 8080
|
|
||||||
# env:
|
|
||||||
# - name: TEMPORAL_SERVICE_ADDRESS
|
|
||||||
# value: "temporal-frontend.futureporn.svc.cluster.local:7233"
|
|
||||||
# - name: TEMPORAL_NAMESPACE
|
|
||||||
# value: "futureporn"
|
|
||||||
# - name: TEMPORAL_TASK_QUEUE
|
|
||||||
# value: "scout"
|
|
||||||
# - name: S3_BUCKET_NAME
|
|
||||||
# value: "{{ .Values.scout.s3BucketName }}"
|
|
||||||
# - name: CDN_BUCKET_URL
|
|
||||||
# value: "{{ .Values.scout.cdnBucketUrl }}"
|
|
||||||
# - name: STRAPI_URL
|
|
||||||
# value: https://strapi.fp.sbtp.xyz
|
|
||||||
# - name: S3_BUCKET_APPLICATION_KEY
|
|
||||||
# valueFrom:
|
|
||||||
# secretKeyRef:
|
|
||||||
# name: scout
|
|
||||||
# key: s3BucketApplicationKey
|
|
||||||
# - name: S3_BUCKET_KEY_ID
|
|
||||||
# valueFrom:
|
|
||||||
# secretKeyRef:
|
|
||||||
# name: scout
|
|
||||||
# key: s3BucketKeyId
|
|
||||||
# - name: SCOUT_NITTER_ACCESS_KEY
|
|
||||||
# valueFrom:
|
|
||||||
# secretKeyRef:
|
|
||||||
# name: scout
|
|
||||||
# key: nitterAccessKey
|
|
||||||
# - name: SCOUT_NITTER_URL
|
|
||||||
# value: https://nitter.sbtp.xyz
|
|
||||||
# - name: SCOUT_RECENTS_TOKEN
|
|
||||||
# valueFrom:
|
|
||||||
# secretKeyRef:
|
|
||||||
# name: scout
|
|
||||||
# key: recentsToken
|
|
||||||
# - name: SCOUT_STRAPI_API_KEY
|
|
||||||
# valueFrom:
|
|
||||||
# secretKeyRef:
|
|
||||||
# name: scout
|
|
||||||
# key: strapiApiKey
|
|
||||||
# resources:
|
|
||||||
# limits:
|
|
||||||
# cpu: "500m"
|
|
||||||
# memory: "512Mi"
|
|
||||||
# requests:
|
|
||||||
# cpu: "250m"
|
|
||||||
# memory: "256Mi"
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: scout
|
|
||||||
namespace: futureporn
|
|
||||||
labels:
|
|
||||||
app: scout
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.scout.replicas }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: scout
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: scout
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: scout
|
|
||||||
image: "{{ .Values.scout.imageName }}"
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
containerPort: 3000
|
|
||||||
env:
|
|
||||||
- name: SCOUT_IMAP_SERVER
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: scout
|
|
||||||
key: imapServer
|
|
||||||
- name: SCOUT_IMAP_PORT
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: scout
|
|
||||||
key: imapPort
|
|
||||||
- name: SCOUT_IMAP_USERNAME
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: scout
|
|
||||||
key: imapUsername
|
|
||||||
- name: SCOUT_IMAP_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: scout
|
|
||||||
key: imapPassword
|
|
||||||
- name: SCOUT_IMAP_ACCESS_TOKEN
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: scout
|
|
||||||
key: imapAccessToken
|
|
|
@ -6,7 +6,6 @@ metadata:
|
||||||
namespace: futureporn
|
namespace: futureporn
|
||||||
annotations:
|
annotations:
|
||||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.strapi.hostname }}"
|
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.strapi.hostname }}"
|
||||||
chisel-operator.io/exit-node-name: "strapi-exit-node"
|
|
||||||
spec:
|
spec:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
selector:
|
selector:
|
||||||
|
@ -26,7 +25,7 @@ metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: strapi
|
app.kubernetes.io/name: strapi
|
||||||
spec:
|
spec:
|
||||||
replicas: 2
|
replicas: {{ .Values.strapi.replicas }}
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: strapi
|
app: strapi
|
||||||
|
@ -70,7 +69,7 @@ spec:
|
||||||
- name: DATABASE_CLIENT
|
- name: DATABASE_CLIENT
|
||||||
value: postgres
|
value: postgres
|
||||||
- name: DATABASE_HOST
|
- name: DATABASE_HOST
|
||||||
value: postgresql-primary.futureporn.svc.cluster.local
|
value: postgresql.futureporn.svc.cluster.local
|
||||||
- name: DATABASE_NAME
|
- name: DATABASE_NAME
|
||||||
value: futureporn-strapi
|
value: futureporn-strapi
|
||||||
- name: JWT_SECRET
|
- name: JWT_SECRET
|
||||||
|
@ -164,19 +163,6 @@ spec:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
{{ if eq .Values.environment "development" }}
|
|
||||||
---
|
|
||||||
apiVersion: chisel-operator.io/v2
|
|
||||||
kind: ExitNode
|
|
||||||
metadata:
|
|
||||||
name: strapi-exit-node
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
|
||||||
port: 9090
|
|
||||||
auth: chisel
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
|
@ -191,44 +177,3 @@ spec:
|
||||||
dnsNames:
|
dnsNames:
|
||||||
- "{{ .Values.strapi.hostname }}"
|
- "{{ .Values.strapi.hostname }}"
|
||||||
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: strapi-http
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- web
|
|
||||||
routes:
|
|
||||||
- match: Host(`strapi.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
middlewares:
|
|
||||||
- name: redirect
|
|
||||||
namespace: futureporn
|
|
||||||
services:
|
|
||||||
- name: strapi
|
|
||||||
namespace: futureporn
|
|
||||||
port: 1339
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: strapi-https
|
|
||||||
namespace: futureporn
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- websecure
|
|
||||||
routes:
|
|
||||||
- match: Host(`strapi.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
services:
|
|
||||||
- name: strapi
|
|
||||||
namespace: futureporn
|
|
||||||
port: 1339
|
|
||||||
tls:
|
|
||||||
secretName: strapi-tls
|
|
|
@ -1,77 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: Middleware
|
|
||||||
metadata:
|
|
||||||
name: redirect
|
|
||||||
namespace: futureporn
|
|
||||||
|
|
||||||
spec:
|
|
||||||
redirectScheme:
|
|
||||||
scheme: https
|
|
||||||
permanent: true
|
|
||||||
|
|
||||||
|
|
||||||
{{ if eq .Values.environment "development" }}
|
|
||||||
---
|
|
||||||
apiVersion: chisel-operator.io/v2
|
|
||||||
kind: ExitNode
|
|
||||||
metadata:
|
|
||||||
name: traefik-exit-node
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
|
||||||
port: 9090
|
|
||||||
auth: chisel
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
|
|
||||||
# ---
|
|
||||||
# apiVersion: v1
|
|
||||||
# kind: Service
|
|
||||||
# metadata:
|
|
||||||
# name: traefik
|
|
||||||
# namespace: futureporn
|
|
||||||
# annotations:
|
|
||||||
|
|
||||||
# meta.helm.sh/release-name: fp
|
|
||||||
# spec:
|
|
||||||
# type: LoadBalancer
|
|
||||||
# selector:
|
|
||||||
# app: traefik
|
|
||||||
# ports:
|
|
||||||
# - protocol: TCP
|
|
||||||
# port: 443
|
|
||||||
# targetPort: 8443
|
|
||||||
|
|
||||||
# ---
|
|
||||||
# apiVersion: networking.k8s.io/v1
|
|
||||||
# kind: Ingress
|
|
||||||
# metadata:
|
|
||||||
# name: traefik
|
|
||||||
# namespace: futureporn
|
|
||||||
# annotations:
|
|
||||||
# kubernetes.io/ingress.class: traefik
|
|
||||||
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
||||||
# traefik.ingress.kubernetes.io/router.tls: "true"
|
|
||||||
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
|
||||||
# traefik.ingress.kubernetes.io/router.middlewares: futureporn-redirect@kubernetescrd
|
|
||||||
# spec:
|
|
||||||
# ingressClassName: traefik
|
|
||||||
# rules:
|
|
||||||
# - http:
|
|
||||||
# paths:
|
|
||||||
# - path: /
|
|
||||||
# pathType: Prefix
|
|
||||||
# backend:
|
|
||||||
# service:
|
|
||||||
# name: traefik
|
|
||||||
# port:
|
|
||||||
# number: 443
|
|
||||||
# tls:
|
|
||||||
# - hosts:
|
|
||||||
# - "{{ .Values.echo.hostname }}"
|
|
||||||
# secretName: echo-cert
|
|
||||||
# - "{{ .Values.next.hostname }}"
|
|
||||||
# secretName: next-cert
|
|
||||||
# - "{{ .Values.strapi.hostname }}"
|
|
||||||
# secretName: strapi-cert
|
|
|
@ -135,7 +135,6 @@ metadata:
|
||||||
namespace: futureporn
|
namespace: futureporn
|
||||||
annotations:
|
annotations:
|
||||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.uppy.hostname }}"
|
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.uppy.hostname }}"
|
||||||
chisel-operator.io/exit-node-name: "uppy-exit-node"
|
|
||||||
spec:
|
spec:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
ports:
|
ports:
|
||||||
|
@ -146,63 +145,9 @@ spec:
|
||||||
app: uppy
|
app: uppy
|
||||||
|
|
||||||
|
|
||||||
{{ if eq .Values.environment "development" }}
|
|
||||||
---
|
|
||||||
apiVersion: chisel-operator.io/v2
|
|
||||||
kind: ExitNode
|
|
||||||
metadata:
|
|
||||||
name: uppy-exit-node
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
|
||||||
port: 9090
|
|
||||||
auth: chisel
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: uppy-http
|
|
||||||
namespace: futureporn
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- web
|
|
||||||
routes:
|
|
||||||
- match: Host(`uppy.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
middlewares:
|
|
||||||
- name: redirect
|
|
||||||
namespace: futureporn
|
|
||||||
services:
|
|
||||||
- name: uppy
|
|
||||||
namespace: futureporn
|
|
||||||
port: 3020
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
|
||||||
metadata:
|
|
||||||
name: uppy-https
|
|
||||||
namespace: futureporn
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
|
||||||
spec:
|
|
||||||
entryPoints:
|
|
||||||
- websecure
|
|
||||||
routes:
|
|
||||||
- match: Host(`uppy.fp.sbtp.xyz`)
|
|
||||||
kind: Rule
|
|
||||||
services:
|
|
||||||
- name: uppy
|
|
||||||
namespace: futureporn
|
|
||||||
port: 3020
|
|
||||||
tls:
|
|
||||||
secretName: uppy-tls
|
|
||||||
|
|
||||||
|
|
||||||
# Welcome to Companion v4.15.1
|
# Welcome to Companion v4.15.1
|
||||||
# ===================================
|
# ===================================
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,8 @@
|
||||||
|
## values.yaml
|
||||||
|
## this file is for development values only.
|
||||||
|
## these values are loaded by Tilt.
|
||||||
|
## For production values, see <PROJECT_ROOT>/flux/clusters/production
|
||||||
|
|
||||||
environment: development
|
environment: development
|
||||||
# storageClassName: csi-hostpath-sc # used by minikube
|
# storageClassName: csi-hostpath-sc # used by minikube
|
||||||
storageClassName: standard # used by Kind
|
storageClassName: standard # used by Kind
|
||||||
|
@ -12,12 +17,12 @@ link2cid:
|
||||||
next:
|
next:
|
||||||
imageName: fp/next
|
imageName: fp/next
|
||||||
hostname: next.fp.sbtp.xyz
|
hostname: next.fp.sbtp.xyz
|
||||||
ingressClassName: traefik
|
ingressClassName: nginx
|
||||||
nodeExtraCaCerts: /app/letsencrypt-stg-root-x1.pem
|
nodeExtraCaCerts: /app/letsencrypt-stg-root-x1.pem
|
||||||
capture:
|
capture:
|
||||||
imageName: fp/capture
|
imageName: fp/capture
|
||||||
worker:
|
worker:
|
||||||
replicas: 2
|
replicas: 1
|
||||||
api:
|
api:
|
||||||
port: 5003
|
port: 5003
|
||||||
replicas: 1
|
replicas: 1
|
||||||
|
@ -27,30 +32,19 @@ mailbox:
|
||||||
cdnBucketUrl: https://fp-dev.b-cdn.net
|
cdnBucketUrl: https://fp-dev.b-cdn.net
|
||||||
s3BucketName: fp-dev
|
s3BucketName: fp-dev
|
||||||
port: 5000
|
port: 5000
|
||||||
scout:
|
|
||||||
replicas: 1
|
|
||||||
imageName: fp/scout
|
|
||||||
# worker:
|
|
||||||
# imageName: fp/scout-
|
|
||||||
# replicas: 1
|
|
||||||
pubsubServerUrl: https://realtime.futureporn.svc.cluster.local/faye
|
|
||||||
hostname: next.futureporn.svc.cluster.local
|
|
||||||
cdnBucketUrl: https://fp-dev.b-cdn.net
|
|
||||||
s3BucketName: fp-dev
|
|
||||||
strapi:
|
strapi:
|
||||||
|
replicas: 1
|
||||||
imageName: fp/strapi
|
imageName: fp/strapi
|
||||||
port: 1339
|
port: 1339
|
||||||
url: https://strapi.fp.sbtp.xyz
|
url: https://strapi.fp.sbtp.xyz
|
||||||
hostname: strapi.fp.sbtp.xyz
|
hostname: strapi.fp.sbtp.xyz
|
||||||
# hostname: strapi.futureporn.svc.cluster.local ## https://gitea.futureporn.net/futureporn/pm/issues/126
|
# hostname: strapi.futureporn.svc.cluster.local ## https://gitea.futureporn.net/futureporn/pm/issues/126
|
||||||
ingressClassName: traefik
|
ingressClassName: nginx
|
||||||
ngrok:
|
ngrok:
|
||||||
hostname: grateful-engaging-cicada.ngrok-free.app
|
hostname: grateful-engaging-cicada.ngrok-free.app
|
||||||
realtime:
|
realtime:
|
||||||
imageName: fp/realtime
|
imageName: fp/realtime
|
||||||
adminEmail: cj@futureporn.net
|
adminEmail: cj@futureporn.net
|
||||||
chisel:
|
|
||||||
exitNodeIp: "155.138.254.201"
|
|
||||||
echo:
|
echo:
|
||||||
hostname: echo.fp.sbtp.xyz
|
hostname: echo.fp.sbtp.xyz
|
||||||
uppy:
|
uppy:
|
||||||
|
@ -72,10 +66,13 @@ bot:
|
||||||
discordGuildId: "1084674137391374338"
|
discordGuildId: "1084674137391374338"
|
||||||
imageName: fp/bot
|
imageName: fp/bot
|
||||||
replicas: 1
|
replicas: 1
|
||||||
# trigger:
|
postgrest:
|
||||||
# imageName: ghcr.io/triggerdotdev/trigger.dev:self-host-rc.3
|
image: postgrest/postgrest
|
||||||
# worker:
|
replicas: 1
|
||||||
|
port: 9000
|
||||||
|
schemas: api
|
||||||
|
# postgresql:
|
||||||
|
# image: postgres:16
|
||||||
# replicas: 1
|
# replicas: 1
|
||||||
# webapp:
|
# user: futureporn
|
||||||
# replicas: 1
|
# port: 5432
|
||||||
# hostname: trigger.fp.sbtp.xyz
|
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
# Patterns to ignore when building packages.
|
||||||
|
# This supports shell glob matching, relative path matching, and
|
||||||
|
# negation (prefixed with !). Only one pattern per line.
|
||||||
|
.DS_Store
|
||||||
|
# Common VCS dirs
|
||||||
|
.git/
|
||||||
|
.gitignore
|
||||||
|
.bzr/
|
||||||
|
.bzrignore
|
||||||
|
.hg/
|
||||||
|
.hgignore
|
||||||
|
.svn/
|
||||||
|
# Common backup files
|
||||||
|
*.swp
|
||||||
|
*.bak
|
||||||
|
*.tmp
|
||||||
|
*~
|
||||||
|
# Various IDEs
|
||||||
|
.project
|
||||||
|
.idea/
|
||||||
|
*.tmproj
|
||||||
|
# img folder
|
||||||
|
img/
|
||||||
|
# Changelog
|
||||||
|
CHANGELOG.md
|
|
@ -0,0 +1,6 @@
|
||||||
|
dependencies:
|
||||||
|
- name: common
|
||||||
|
repository: oci://registry-1.docker.io/bitnamicharts
|
||||||
|
version: 2.20.5
|
||||||
|
digest: sha256:5b98791747a148b9d4956b81bb8635f49a0ae831869d700d52e514b8fd1a2445
|
||||||
|
generated: "2024-07-16T12:16:35.737563+02:00"
|
|
@ -0,0 +1,37 @@
|
||||||
|
annotations:
|
||||||
|
category: Database
|
||||||
|
images: |
|
||||||
|
- name: os-shell
|
||||||
|
image: docker.io/bitnami/os-shell:12-debian-12-r24
|
||||||
|
- name: postgres-exporter
|
||||||
|
image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r36
|
||||||
|
- name: postgresql
|
||||||
|
image: docker.io/bitnami/postgresql:16.3.0-debian-12-r19
|
||||||
|
licenses: Apache-2.0
|
||||||
|
apiVersion: v2
|
||||||
|
appVersion: 16.3.0
|
||||||
|
dependencies:
|
||||||
|
- name: common
|
||||||
|
repository: oci://registry-1.docker.io/bitnamicharts
|
||||||
|
tags:
|
||||||
|
- bitnami-common
|
||||||
|
version: 2.x.x
|
||||||
|
description: PostgreSQL (Postgres) is an open source object-relational database known
|
||||||
|
for reliability and data integrity. ACID-compliant, it supports foreign keys, joins,
|
||||||
|
views, triggers and stored procedures.
|
||||||
|
home: https://bitnami.com
|
||||||
|
icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
|
||||||
|
keywords:
|
||||||
|
- postgresql
|
||||||
|
- postgres
|
||||||
|
- database
|
||||||
|
- sql
|
||||||
|
- replication
|
||||||
|
- cluster
|
||||||
|
maintainers:
|
||||||
|
- name: Broadcom, Inc. All Rights Reserved.
|
||||||
|
url: https://github.com/bitnami/charts
|
||||||
|
name: postgresql
|
||||||
|
sources:
|
||||||
|
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
|
||||||
|
version: 15.5.17
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,117 @@
|
||||||
|
CHART NAME: {{ .Chart.Name }}
|
||||||
|
CHART VERSION: {{ .Chart.Version }}
|
||||||
|
APP VERSION: {{ .Chart.AppVersion }}
|
||||||
|
|
||||||
|
** Please be patient while the chart is being deployed **
|
||||||
|
|
||||||
|
{{- if .Values.diagnosticMode.enabled }}
|
||||||
|
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
|
||||||
|
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
|
||||||
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
|
||||||
|
|
||||||
|
Get the list of pods by executing:
|
||||||
|
|
||||||
|
kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
|
||||||
|
|
||||||
|
Access the pod you want to debug by executing
|
||||||
|
|
||||||
|
kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash
|
||||||
|
|
||||||
|
In order to replicate the container startup scripts execute this command:
|
||||||
|
|
||||||
|
/opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh
|
||||||
|
|
||||||
|
{{- else }}
|
||||||
|
|
||||||
|
{{- $customUser := include "postgresql.v1.username" . }}
|
||||||
|
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}}
|
||||||
|
{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||||
|
{{- if not $authEnabled }}
|
||||||
|
|
||||||
|
WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments.
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
PostgreSQL can be accessed via port {{ include "postgresql.v1.service.port" . }} on the following DNS names from within your cluster:
|
||||||
|
|
||||||
|
{{ include "postgresql.v1.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
|
||||||
|
|
||||||
|
{{- if eq .Values.architecture "replication" }}
|
||||||
|
|
||||||
|
{{ include "postgresql.v1.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
|
||||||
|
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||||
|
{{- if .Values.auth.enablePostgresUser }}
|
||||||
|
|
||||||
|
To get the password for "postgres" run:
|
||||||
|
|
||||||
|
export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.adminPasswordKey" .}}}" | base64 -d)
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
To get the password for "{{ $customUser }}" run:
|
||||||
|
|
||||||
|
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.userPasswordKey" .}}}" | base64 -d)
|
||||||
|
{{- else }}
|
||||||
|
{{- if .Values.auth.enablePostgresUser }}
|
||||||
|
|
||||||
|
To get the password for "{{ default "postgres" $customUser }}" run:
|
||||||
|
|
||||||
|
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.v1.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d)
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
To connect to your database run the following command:
|
||||||
|
{{- if $authEnabled }}
|
||||||
|
|
||||||
|
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \
|
||||||
|
--command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||||
|
{{- else }}
|
||||||
|
|
||||||
|
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} \
|
||||||
|
--command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
> NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist"
|
||||||
|
|
||||||
|
To connect to your database from outside the cluster execute the following commands:
|
||||||
|
|
||||||
|
{{- if contains "NodePort" .Values.primary.service.type }}
|
||||||
|
|
||||||
|
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||||
|
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.v1.primary.fullname" . }})
|
||||||
|
{{- if $authEnabled }}
|
||||||
|
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else if contains "LoadBalancer" .Values.primary.service.type }}
|
||||||
|
|
||||||
|
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||||
|
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.v1.primary.fullname" . }}'
|
||||||
|
|
||||||
|
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
|
||||||
|
{{- if $authEnabled }}
|
||||||
|
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else if contains "ClusterIP" .Values.primary.service.type }}
|
||||||
|
|
||||||
|
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.v1.primary.fullname" . }} {{ include "postgresql.v1.service.port" . }}:{{ include "postgresql.v1.service.port" . }} &
|
||||||
|
{{- if $authEnabled }}
|
||||||
|
PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||||
|
{{- else }}
|
||||||
|
psql --host 127.0.0.1 -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue.
|
||||||
|
|
||||||
|
{{- include "postgresql.v1.validateValues" . -}}
|
||||||
|
{{- include "common.warnings.rollingTag" .Values.image -}}
|
||||||
|
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
|
||||||
|
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }}
|
||||||
|
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
|
|
@ -0,0 +1,417 @@
|
||||||
|
{{/*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{/* vim: set filetype=mustache: */}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name for PostgreSQL Primary objects
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.primary.fullname" -}}
|
||||||
|
{{- if eq .Values.architecture "replication" -}}
|
||||||
|
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- include "common.names.fullname" . -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name for PostgreSQL read-only replicas objects
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.readReplica.fullname" -}}
|
||||||
|
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the default FQDN for PostgreSQL primary headless service
|
||||||
|
We truncate at 63 chars because of the DNS naming spec.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.primary.svc.headless" -}}
|
||||||
|
{{- printf "%s-hl" (include "postgresql.v1.primary.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the default FQDN for PostgreSQL read-only replicas headless service
|
||||||
|
We truncate at 63 chars because of the DNS naming spec.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.readReplica.svc.headless" -}}
|
||||||
|
{{- printf "%s-hl" (include "postgresql.v1.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the proper PostgreSQL image name
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.image" -}}
|
||||||
|
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the proper PostgreSQL metrics image name
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.metrics.image" -}}
|
||||||
|
{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the proper image name (for the init container volume-permissions image)
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.volumePermissions.image" -}}
|
||||||
|
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the proper Docker Image Registry Secret Names
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.imagePullSecrets" -}}
|
||||||
|
{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "context" $) }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the name for a custom user to create
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.username" -}}
|
||||||
|
{{- if .Values.global.postgresql.auth.username -}}
|
||||||
|
{{- .Values.global.postgresql.auth.username -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- .Values.auth.username -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the name for a custom database to create
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.database" -}}
|
||||||
|
{{- if .Values.global.postgresql.auth.database -}}
|
||||||
|
{{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}}
|
||||||
|
{{- else if .Values.auth.database -}}
|
||||||
|
{{- printf "%s" (tpl .Values.auth.database $) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the password secret.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.secretName" -}}
|
||||||
|
{{- if .Values.global.postgresql.auth.existingSecret -}}
|
||||||
|
{{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
|
||||||
|
{{- else if .Values.auth.existingSecret -}}
|
||||||
|
{{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s" (include "common.names.fullname" .) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the replication-password key.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.replicationPasswordKey" -}}
|
||||||
|
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||||
|
{{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}}
|
||||||
|
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
|
||||||
|
{{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
|
||||||
|
{{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- "replication-password" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- "replication-password" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the admin-password key.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.adminPasswordKey" -}}
|
||||||
|
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||||
|
{{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}}
|
||||||
|
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
|
||||||
|
{{- else if .Values.auth.secretKeys.adminPasswordKey -}}
|
||||||
|
{{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- "postgres-password" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the user-password key.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.userPasswordKey" -}}
|
||||||
|
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||||
|
{{- if or (empty (include "postgresql.v1.username" .)) (eq (include "postgresql.v1.username" .) "postgres") -}}
|
||||||
|
{{- printf "%s" (include "postgresql.v1.adminPasswordKey" .) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}}
|
||||||
|
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
|
||||||
|
{{- else if .Values.auth.secretKeys.userPasswordKey -}}
|
||||||
|
{{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- "password" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return true if a secret object should be created
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.createSecret" -}}
|
||||||
|
{{- $customUser := include "postgresql.v1.username" . -}}
|
||||||
|
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}}
|
||||||
|
{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return PostgreSQL service port
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.service.port" -}}
|
||||||
|
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||||
|
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- .Values.primary.service.ports.postgresql -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return PostgreSQL service port
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.readReplica.service.port" -}}
|
||||||
|
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||||
|
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- .Values.readReplicas.service.ports.postgresql -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the PostgreSQL primary configuration ConfigMap name.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.primary.configmapName" -}}
|
||||||
|
{{- if .Values.primary.existingConfigmap -}}
|
||||||
|
{{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return true if a configmap object should be created for PostgreSQL primary with the configuration
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.primary.createConfigmap" -}}
|
||||||
|
{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the PostgreSQL primary extended configuration ConfigMap name.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.primary.extendedConfigmapName" -}}
|
||||||
|
{{- if .Values.primary.existingExtendedConfigmap -}}
|
||||||
|
{{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the PostgreSQL read replica extended configuration ConfigMap name.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.readReplicas.extendedConfigmapName" -}}
|
||||||
|
{{- printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.primary.createExtendedConfigmap" -}}
|
||||||
|
{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.readReplicas.createExtendedConfigmap" -}}
|
||||||
|
{{- if .Values.readReplicas.extendedConfiguration -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the name of the service account to use
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.serviceAccountName" -}}
|
||||||
|
{{- if .Values.serviceAccount.create -}}
|
||||||
|
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
|
||||||
|
{{- else -}}
|
||||||
|
{{ default "default" .Values.serviceAccount.name }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return true if a configmap should be mounted with PostgreSQL configuration
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.mountConfigurationCM" -}}
|
||||||
|
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the pre-initialization scripts ConfigMap name.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.preInitDb.scriptsCM" -}}
|
||||||
|
{{- if .Values.primary.preInitDb.scriptsConfigMap -}}
|
||||||
|
{{- printf "%s" (tpl .Values.primary.preInitDb.scriptsConfigMap $) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the initialization scripts ConfigMap name.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.initdb.scriptsCM" -}}
|
||||||
|
{{- if .Values.primary.initdb.scriptsConfigMap -}}
|
||||||
|
{{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return true if TLS is enabled for LDAP connection
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.ldap.tls.enabled" -}}
|
||||||
|
{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Get the readiness probe command
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.readinessProbeCommand" -}}
|
||||||
|
{{- $customUser := include "postgresql.v1.username" . -}}
|
||||||
|
- |
|
||||||
|
{{- if (include "postgresql.v1.database" .) }}
|
||||||
|
exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- else }}
|
||||||
|
exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if contains "bitnami/" .Values.image.repository }}
|
||||||
|
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
|
||||||
|
{{- end }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Compile all warnings into a single message, and call fail.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.validateValues" -}}
|
||||||
|
{{- $messages := list -}}
|
||||||
|
{{- $messages := append $messages (include "postgresql.v1.validateValues.ldapConfigurationMethod" .) -}}
|
||||||
|
{{- $messages := append $messages (include "postgresql.v1.validateValues.psp" .) -}}
|
||||||
|
{{- $messages := without $messages "" -}}
|
||||||
|
{{- $message := join "\n" $messages -}}
|
||||||
|
|
||||||
|
{{- if $message -}}
|
||||||
|
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.validateValues.ldapConfigurationMethod" -}}
|
||||||
|
{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}}
|
||||||
|
postgresql: ldap.url, ldap.server
|
||||||
|
You cannot set both `ldap.url` and `ldap.server` at the same time.
|
||||||
|
Please provide a unique way to configure LDAP.
|
||||||
|
More info at https://www.postgresql.org/docs/current/auth-ldap.html
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.validateValues.psp" -}}
|
||||||
|
{{- if and .Values.psp.create (not .Values.rbac.create) -}}
|
||||||
|
postgresql: psp.create, rbac.create
|
||||||
|
RBAC should be enabled if PSP is enabled in order for PSP to work.
|
||||||
|
More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the path to the cert file.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.tlsCert" -}}
|
||||||
|
{{- if .Values.tls.autoGenerated -}}
|
||||||
|
{{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the path to the cert key file.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.tlsCertKey" -}}
|
||||||
|
{{- if .Values.tls.autoGenerated -}}
|
||||||
|
{{- printf "/opt/bitnami/postgresql/certs/tls.key" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the path to the CA cert file.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.tlsCACert" -}}
|
||||||
|
{{- if .Values.tls.autoGenerated -}}
|
||||||
|
{{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the path to the CRL file.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.tlsCRL" -}}
|
||||||
|
{{- if .Values.tls.crlFilename -}}
|
||||||
|
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return true if a TLS credentials secret object should be created
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.createTlsSecret" -}}
|
||||||
|
{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}}
|
||||||
|
{{- true -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Return the path to the CA cert file.
|
||||||
|
*/}}
|
||||||
|
{{- define "postgresql.v1.tlsSecretName" -}}
|
||||||
|
{{- if .Values.tls.autoGenerated -}}
|
||||||
|
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
|
@ -0,0 +1,138 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.backup.enabled }}
|
||||||
|
{{- $customUser := include "postgresql.v1.username" . }}
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: CronJob
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: pg_dumpall
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
{{- if $annotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
schedule: {{ quote .Values.backup.cronjob.schedule }}
|
||||||
|
{{- if .Values.backup.cronjob.timezone }}
|
||||||
|
timeZone: {{ .Values.backup.cronjob.timezone | quote }}
|
||||||
|
{{- end }}
|
||||||
|
concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
|
||||||
|
failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
|
||||||
|
successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }}
|
||||||
|
{{- if .Values.backup.cronjob.startingDeadlineSeconds }}
|
||||||
|
startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }}
|
||||||
|
{{- end }}
|
||||||
|
jobTemplate:
|
||||||
|
spec:
|
||||||
|
{{- if .Values.backup.cronjob.ttlSecondsAfterFinished }}
|
||||||
|
ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }}
|
||||||
|
{{- end }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 12 }}
|
||||||
|
app.kubernetes.io/component: pg_dumpall
|
||||||
|
{{- if $annotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- include "postgresql.v1.imagePullSecrets" . | nindent 10 }}
|
||||||
|
{{- if .Values.backup.cronjob.nodeSelector }}
|
||||||
|
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.nodeSelector "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.backup.cronjob.tolerations }}
|
||||||
|
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.tolerations "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||||
|
image: {{ include "postgresql.v1.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||||
|
env:
|
||||||
|
- name: PGUSER
|
||||||
|
{{- if .Values.auth.enablePostgresUser }}
|
||||||
|
value: postgres
|
||||||
|
{{- else }}
|
||||||
|
value: {{ $customUser | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: PGPASSFILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: PGPASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
- name: PGHOST
|
||||||
|
value: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
- name: PGPORT
|
||||||
|
value: {{ include "postgresql.v1.service.port" . | quote }}
|
||||||
|
- name: PGDUMP_DIR
|
||||||
|
value: {{ .Values.backup.cronjob.storage.mountPath }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: PGSSLROOTCERT
|
||||||
|
{{- if .Values.tls.autoGenerated }}
|
||||||
|
value: /tmp/certs/ca.crt
|
||||||
|
{{- else }}
|
||||||
|
value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: raw-certificates
|
||||||
|
mountPath: /tmp/certs
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.backup.cronjob.storage.enabled }}
|
||||||
|
- name: datadir
|
||||||
|
mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
|
||||||
|
subPath: {{ .Values.backup.cronjob.storage.subPath }}
|
||||||
|
{{- end }}
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
{{- if .Values.backup.cronjob.extraVolumeMounts }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.extraVolumeMounts "context" $) | nindent 14 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.backup.cronjob.resources }}
|
||||||
|
resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }}
|
||||||
|
{{- else if ne .Values.backup.cronjob.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }}
|
||||||
|
{{- end }}
|
||||||
|
restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
|
||||||
|
{{- if .Values.backup.cronjob.podSecurityContext.enabled }}
|
||||||
|
securityContext:
|
||||||
|
fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: raw-certificates
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.backup.cronjob.storage.enabled }}
|
||||||
|
{{- if .Values.backup.cronjob.storage.existingClaim }}
|
||||||
|
- name: datadir
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: datadir
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
- name: empty-dir
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if .Values.backup.cronjob.extraVolumes }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.extraVolumes "context" $ ) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,32 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.backup.enabled .Values.backup.cronjob.networkPolicy.enabled }}
|
||||||
|
kind: NetworkPolicy
|
||||||
|
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||||
|
namespace: {{ include "common.names.namespace" . | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: pg_dumpall
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
podSelector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: pg_dumpall
|
||||||
|
policyTypes:
|
||||||
|
- Egress
|
||||||
|
egress:
|
||||||
|
- ports:
|
||||||
|
- port: 5432
|
||||||
|
protocol: TCP
|
||||||
|
- port: 53
|
||||||
|
protocol: TCP
|
||||||
|
- port: 53
|
||||||
|
protocol: UDP
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,34 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.backup.enabled .Values.backup.cronjob.storage.enabled (not .Values.backup.cronjob.storage.existingClaim) -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: pg_dumpall
|
||||||
|
{{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy }}
|
||||||
|
annotations:
|
||||||
|
{{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.backup.cronjob.storage.resourcePolicy }}
|
||||||
|
helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
{{- range .Values.backup.cronjob.storage.accessModes }}
|
||||||
|
- {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: {{ .Values.backup.cronjob.storage.size | quote }}
|
||||||
|
{{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,9 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- range .Values.extraDeploy }}
|
||||||
|
---
|
||||||
|
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,26 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
data:
|
||||||
|
{{- if .Values.primary.configuration }}
|
||||||
|
postgresql.conf: |
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.pgHbaConfiguration }}
|
||||||
|
pg_hba.conf: |
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,20 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
data:
|
||||||
|
override.conf: |-
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,17 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
data:
|
||||||
|
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,31 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.metrics.enabled }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: metrics
|
||||||
|
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
|
||||||
|
{{- if .Values.metrics.service.clusterIP }}
|
||||||
|
clusterIP: {{ .Values.metrics.service.clusterIP }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: http-metrics
|
||||||
|
port: {{ .Values.metrics.service.ports.metrics }}
|
||||||
|
targetPort: http-metrics
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,78 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.primary.networkPolicy.enabled }}
|
||||||
|
kind: NetworkPolicy
|
||||||
|
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
namespace: {{ include "common.names.namespace" . | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
podSelector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
{{- if .Values.primary.networkPolicy.allowExternalEgress }}
|
||||||
|
egress:
|
||||||
|
- {}
|
||||||
|
{{- else }}
|
||||||
|
egress:
|
||||||
|
# Allow dns resolution
|
||||||
|
- ports:
|
||||||
|
- port: 53
|
||||||
|
protocol: UDP
|
||||||
|
- port: 53
|
||||||
|
protocol: TCP
|
||||||
|
# Allow outbound connections to read-replicas
|
||||||
|
- ports:
|
||||||
|
- port: {{ .Values.containerPorts.postgresql }}
|
||||||
|
to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- if .Values.primary.networkPolicy.extraEgress }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
ingress:
|
||||||
|
- ports:
|
||||||
|
- port: {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- if .Values.metrics.enabled }}
|
||||||
|
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not .Values.primary.networkPolicy.allowExternal }}
|
||||||
|
from:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{ template "postgresql.v1.primary.fullname" . }}-client: "true"
|
||||||
|
{{- if .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||||
|
{{ $key | quote }}: {{ $value | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||||
|
{{ $key | quote }}: {{ $value | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.networkPolicy.extraIngress }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,29 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.primary.pdb.create }}
|
||||||
|
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if .Values.primary.pdb.minAvailable }}
|
||||||
|
minAvailable: {{ .Values.primary.pdb.minAvailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.pdb.maxUnavailable ( not .Values.primary.pdb.minAvailable ) }}
|
||||||
|
maxUnavailable: {{ .Values.primary.pdb.maxUnavailable | default 1 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,17 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.primary.preInitDb.scripts (not .Values.primary.preInitDb.scriptsConfigMap) }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.preInitDb.scripts "context" .) | nindent 2 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,46 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: ServiceMonitor
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: metrics
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if .Values.metrics.serviceMonitor.jobLabel }}
|
||||||
|
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
{{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: metrics
|
||||||
|
endpoints:
|
||||||
|
- port: http-metrics
|
||||||
|
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||||
|
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||||
|
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||||
|
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||||
|
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.honorLabels }}
|
||||||
|
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
|
||||||
|
{{- end }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchNames:
|
||||||
|
- {{ .Release.Namespace | quote }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,703 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- $customUser := include "postgresql.v1.username" . }}
|
||||||
|
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||||
|
kind: StatefulSet
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if or .Values.commonAnnotations .Values.primary.annotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
serviceName: {{ include "postgresql.v1.primary.svc.headless" . }}
|
||||||
|
{{- if .Values.primary.updateStrategy }}
|
||||||
|
updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if or (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
|
||||||
|
checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
|
||||||
|
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.podAnnotations }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if .Values.primary.extraPodSpec }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||||
|
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
|
||||||
|
automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
|
||||||
|
{{- if .Values.primary.hostAliases }}
|
||||||
|
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.affinity }}
|
||||||
|
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
|
||||||
|
{{- else }}
|
||||||
|
affinity:
|
||||||
|
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||||
|
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||||
|
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.nodeSelector }}
|
||||||
|
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.tolerations }}
|
||||||
|
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.topologySpreadConstraints }}
|
||||||
|
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.priorityClassName }}
|
||||||
|
priorityClassName: {{ .Values.primary.priorityClassName }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.schedulerName }}
|
||||||
|
schedulerName: {{ .Values.primary.schedulerName | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.terminationGracePeriodSeconds }}
|
||||||
|
terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.podSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
hostNetwork: {{ .Values.primary.hostNetwork }}
|
||||||
|
hostIPC: {{ .Values.primary.hostIPC }}
|
||||||
|
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }}
|
||||||
|
initContainers:
|
||||||
|
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
|
||||||
|
- name: copy-certs
|
||||||
|
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.primary.resources }}
|
||||||
|
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
# We don't require a privileged container in this case
|
||||||
|
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -ec
|
||||||
|
- |
|
||||||
|
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||||
|
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
- name: raw-certificates
|
||||||
|
mountPath: /tmp/certs
|
||||||
|
- name: postgresql-certificates
|
||||||
|
mountPath: /opt/bitnami/postgresql/certs
|
||||||
|
{{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }}
|
||||||
|
- name: init-chmod-data
|
||||||
|
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.volumePermissions.resources }}
|
||||||
|
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -ec
|
||||||
|
- |
|
||||||
|
{{- if .Values.primary.persistence.enabled }}
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }}
|
||||||
|
{{- else }}
|
||||||
|
chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }}
|
||||||
|
{{- end }}
|
||||||
|
mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
|
||||||
|
chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
|
||||||
|
find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
|
||||||
|
{{- else }}
|
||||||
|
xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
chmod -R 777 /dev/shm
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
|
||||||
|
{{- else }}
|
||||||
|
chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
|
||||||
|
{{- end }}
|
||||||
|
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
- name: {{ .Values.primary.persistence.volumeName }}
|
||||||
|
mountPath: {{ .Values.primary.persistence.mountPath }}
|
||||||
|
{{- if .Values.primary.persistence.subPath }}
|
||||||
|
subPath: {{ .Values.primary.persistence.subPath }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
- name: dshm
|
||||||
|
mountPath: /dev/shm
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: raw-certificates
|
||||||
|
mountPath: /tmp/certs
|
||||||
|
- name: postgresql-certificates
|
||||||
|
mountPath: /opt/bitnami/postgresql/certs
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.initContainers }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: postgresql
|
||||||
|
image: {{ include "postgresql.v1.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.diagnosticMode.enabled }}
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.primary.command }}
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.diagnosticMode.enabled }}
|
||||||
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.primary.args }}
|
||||||
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: BITNAMI_DEBUG
|
||||||
|
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||||
|
- name: POSTGRESQL_PORT_NUMBER
|
||||||
|
value: {{ .Values.containerPorts.postgresql | quote }}
|
||||||
|
- name: POSTGRESQL_VOLUME_DIR
|
||||||
|
value: {{ .Values.primary.persistence.mountPath | quote }}
|
||||||
|
{{- if .Values.primary.persistence.mountPath }}
|
||||||
|
- name: PGDATA
|
||||||
|
value: {{ .Values.postgresqlDataDir | quote }}
|
||||||
|
{{- end }}
|
||||||
|
# Authentication
|
||||||
|
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||||
|
{{- if .Values.auth.enablePostgresUser }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
- name: ALLOW_EMPTY_PASSWORD
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_USER
|
||||||
|
value: {{ $customUser | quote }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.auth.enablePostgresUser }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if (include "postgresql.v1.database" .) }}
|
||||||
|
- name: POSTGRES_DATABASE
|
||||||
|
value: {{ (include "postgresql.v1.database" .) | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
|
||||||
|
# Replication
|
||||||
|
- name: POSTGRES_REPLICATION_MODE
|
||||||
|
value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }}
|
||||||
|
- name: POSTGRES_REPLICATION_USER
|
||||||
|
value: {{ .Values.auth.replicationUsername | quote }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_REPLICATION_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if ne .Values.replication.synchronousCommit "off" }}
|
||||||
|
- name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
|
||||||
|
value: {{ .Values.replication.synchronousCommit | quote }}
|
||||||
|
- name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
|
||||||
|
value: {{ .Values.replication.numSynchronousReplicas | quote }}
|
||||||
|
{{- end }}
|
||||||
|
- name: POSTGRES_CLUSTER_APP_NAME
|
||||||
|
value: {{ .Values.replication.applicationName }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.initdb.args }}
|
||||||
|
# Initdb
|
||||||
|
- name: POSTGRES_INITDB_ARGS
|
||||||
|
value: {{ .Values.primary.initdb.args | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.initdb.postgresqlWalDir }}
|
||||||
|
- name: POSTGRES_INITDB_WALDIR
|
||||||
|
value: {{ .Values.primary.initdb.postgresqlWalDir | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.initdb.user }}
|
||||||
|
- name: POSTGRES_INITSCRIPTS_USERNAME
|
||||||
|
value: {{ .Values.primary.initdb.user }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.initdb.password }}
|
||||||
|
- name: POSTGRES_INITSCRIPTS_PASSWORD
|
||||||
|
value: {{ .Values.primary.initdb.password | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.standby.enabled }}
|
||||||
|
# Standby
|
||||||
|
- name: POSTGRES_MASTER_HOST
|
||||||
|
value: {{ .Values.primary.standby.primaryHost }}
|
||||||
|
- name: POSTGRES_MASTER_PORT_NUMBER
|
||||||
|
value: {{ .Values.primary.standby.primaryPort | quote }}
|
||||||
|
{{- end }}
|
||||||
|
# LDAP
|
||||||
|
- name: POSTGRESQL_ENABLE_LDAP
|
||||||
|
value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
|
||||||
|
{{- if .Values.ldap.enabled }}
|
||||||
|
{{- if or .Values.ldap.url .Values.ldap.uri }}
|
||||||
|
- name: POSTGRESQL_LDAP_URL
|
||||||
|
value: {{ coalesce .Values.ldap.url .Values.ldap.uri }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRESQL_LDAP_SERVER
|
||||||
|
value: {{ .Values.ldap.server }}
|
||||||
|
- name: POSTGRESQL_LDAP_PORT
|
||||||
|
value: {{ .Values.ldap.port | quote }}
|
||||||
|
- name: POSTGRESQL_LDAP_SCHEME
|
||||||
|
value: {{ .Values.ldap.scheme }}
|
||||||
|
{{- if (include "postgresql.v1.ldap.tls.enabled" .) }}
|
||||||
|
- name: POSTGRESQL_LDAP_TLS
|
||||||
|
value: "1"
|
||||||
|
{{- end }}
|
||||||
|
- name: POSTGRESQL_LDAP_PREFIX
|
||||||
|
value: {{ .Values.ldap.prefix | quote }}
|
||||||
|
- name: POSTGRESQL_LDAP_SUFFIX
|
||||||
|
value: {{ .Values.ldap.suffix | quote }}
|
||||||
|
- name: POSTGRESQL_LDAP_BASE_DN
|
||||||
|
value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }}
|
||||||
|
- name: POSTGRESQL_LDAP_BIND_DN
|
||||||
|
value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}}
|
||||||
|
{{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }}
|
||||||
|
- name: POSTGRESQL_LDAP_BIND_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: ldap-password
|
||||||
|
{{- end }}
|
||||||
|
- name: POSTGRESQL_LDAP_SEARCH_ATTR
|
||||||
|
value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }}
|
||||||
|
- name: POSTGRESQL_LDAP_SEARCH_FILTER
|
||||||
|
value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
# TLS
|
||||||
|
- name: POSTGRESQL_ENABLE_TLS
|
||||||
|
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
|
||||||
|
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
|
||||||
|
- name: POSTGRESQL_TLS_CERT_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCert" . }}
|
||||||
|
- name: POSTGRESQL_TLS_KEY_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCertKey" . }}
|
||||||
|
{{- if .Values.tls.certCAFilename }}
|
||||||
|
- name: POSTGRESQL_TLS_CA_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCACert" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.crlFilename }}
|
||||||
|
- name: POSTGRESQL_TLS_CRL_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCRL" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
# Audit
|
||||||
|
- name: POSTGRESQL_LOG_HOSTNAME
|
||||||
|
value: {{ .Values.audit.logHostname | quote }}
|
||||||
|
- name: POSTGRESQL_LOG_CONNECTIONS
|
||||||
|
value: {{ .Values.audit.logConnections | quote }}
|
||||||
|
- name: POSTGRESQL_LOG_DISCONNECTIONS
|
||||||
|
value: {{ .Values.audit.logDisconnections | quote }}
|
||||||
|
{{- if .Values.audit.logLinePrefix }}
|
||||||
|
- name: POSTGRESQL_LOG_LINE_PREFIX
|
||||||
|
value: {{ .Values.audit.logLinePrefix | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.audit.logTimezone }}
|
||||||
|
- name: POSTGRESQL_LOG_TIMEZONE
|
||||||
|
value: {{ .Values.audit.logTimezone | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.audit.pgAuditLog }}
|
||||||
|
- name: POSTGRESQL_PGAUDIT_LOG
|
||||||
|
value: {{ .Values.audit.pgAuditLog | quote }}
|
||||||
|
{{- end }}
|
||||||
|
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
|
||||||
|
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
|
||||||
|
# Others
|
||||||
|
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
|
||||||
|
value: {{ .Values.audit.clientMinMessages | quote }}
|
||||||
|
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
|
||||||
|
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
|
||||||
|
{{- if .Values.primary.extraEnvVars }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
|
||||||
|
envFrom:
|
||||||
|
{{- if .Values.primary.extraEnvVarsCM }}
|
||||||
|
- configMapRef:
|
||||||
|
name: {{ .Values.primary.extraEnvVarsCM }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.extraEnvVarsSecret }}
|
||||||
|
- secretRef:
|
||||||
|
name: {{ .Values.primary.extraEnvVarsSecret }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: tcp-postgresql
|
||||||
|
containerPort: {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- if not .Values.diagnosticMode.enabled }}
|
||||||
|
{{- if .Values.primary.customStartupProbe }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.primary.startupProbe.enabled }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
{{- if (include "postgresql.v1.database" .) }}
|
||||||
|
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- else }}
|
||||||
|
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.customLivenessProbe }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.primary.livenessProbe.enabled }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
{{- if (include "postgresql.v1.database" .) }}
|
||||||
|
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- else }}
|
||||||
|
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.customReadinessProbe }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.primary.readinessProbe.enabled }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- -e
|
||||||
|
{{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.resources }}
|
||||||
|
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.lifecycleHooks }}
|
||||||
|
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /opt/bitnami/postgresql/conf
|
||||||
|
subPath: app-conf-dir
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /opt/bitnami/postgresql/tmp
|
||||||
|
subPath: app-tmp-dir
|
||||||
|
{{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }}
|
||||||
|
- name: custom-preinit-scripts
|
||||||
|
mountPath: /docker-entrypoint-preinitdb.d/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.preInitDb.scriptsSecret }}
|
||||||
|
- name: custom-preinit-scripts-secret
|
||||||
|
mountPath: /docker-entrypoint-preinitdb.d/secret
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
|
||||||
|
- name: custom-init-scripts
|
||||||
|
mountPath: /docker-entrypoint-initdb.d/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.initdb.scriptsSecret }}
|
||||||
|
- name: custom-init-scripts-secret
|
||||||
|
mountPath: /docker-entrypoint-initdb.d/secret
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
|
||||||
|
- name: postgresql-extended-config
|
||||||
|
mountPath: {{ .Values.primary.persistence.mountPath }}/conf/conf.d/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: postgresql-password
|
||||||
|
mountPath: /opt/bitnami/postgresql/secrets/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: postgresql-certificates
|
||||||
|
mountPath: /opt/bitnami/postgresql/certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
- name: dshm
|
||||||
|
mountPath: /dev/shm
|
||||||
|
{{- end }}
|
||||||
|
- name: {{ .Values.primary.persistence.volumeName }}
|
||||||
|
mountPath: {{ .Values.primary.persistence.mountPath }}
|
||||||
|
{{- if .Values.primary.persistence.subPath }}
|
||||||
|
subPath: {{ .Values.primary.persistence.subPath }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||||
|
- name: postgresql-config
|
||||||
|
mountPath: {{ .Values.primary.persistence.mountPath }}/conf
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.extraVolumeMounts }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.enabled }}
|
||||||
|
- name: metrics
|
||||||
|
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.diagnosticMode.enabled }}
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||||
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||||
|
{{- else if or .Values.metrics.customMetrics .Values.metrics.collectors }}
|
||||||
|
args:
|
||||||
|
{{- if .Values.metrics.customMetrics }}
|
||||||
|
- --extend.query-path
|
||||||
|
- /conf/custom-metrics.yaml
|
||||||
|
{{- end }}
|
||||||
|
{{- range $name, $enabled := .Values.metrics.collectors }}
|
||||||
|
- --{{ if not $enabled }}no-{{ end }}collector.{{ $name }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: DATA_SOURCE_URI
|
||||||
|
value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }}
|
||||||
|
{{- $pwdKey := ternary (include "postgresql.v1.adminPasswordKey" .) (include "postgresql.v1.userPasswordKey" .) (or (eq $customUser "postgres") (empty $customUser)) }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: DATA_SOURCE_PASS_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" $pwdKey }}
|
||||||
|
{{- else }}
|
||||||
|
- name: DATA_SOURCE_PASS
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ $pwdKey }}
|
||||||
|
{{- end }}
|
||||||
|
- name: DATA_SOURCE_USER
|
||||||
|
value: {{ default "postgres" $customUser | quote }}
|
||||||
|
{{- if .Values.metrics.extraEnvVars }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: http-metrics
|
||||||
|
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||||
|
{{- if not .Values.diagnosticMode.enabled }}
|
||||||
|
{{- if .Values.metrics.customStartupProbe }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.metrics.startupProbe.enabled }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
tcpSocket:
|
||||||
|
port: http-metrics
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.customLivenessProbe }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.metrics.livenessProbe.enabled }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http-metrics
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.customReadinessProbe }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.metrics.readinessProbe.enabled }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http-metrics
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: postgresql-password
|
||||||
|
mountPath: /opt/bitnami/postgresql/secrets/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.customMetrics }}
|
||||||
|
- name: custom-metrics
|
||||||
|
mountPath: /conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.resources }}
|
||||||
|
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.sidecars }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
- name: empty-dir
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||||
|
- name: postgresql-config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "postgresql.v1.primary.configmapName" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
|
||||||
|
- name: postgresql-extended-config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "postgresql.v1.primary.extendedConfigmapName" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: postgresql-password
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }}
|
||||||
|
- name: custom-preinit-scripts
|
||||||
|
configMap:
|
||||||
|
name: {{ include "postgresql.v1.preInitDb.scriptsCM" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.preInitDb.scriptsSecret }}
|
||||||
|
- name: custom-preinit-scripts-secret
|
||||||
|
secret:
|
||||||
|
secretName: {{ tpl .Values.primary.preInitDb.scriptsSecret $ }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
|
||||||
|
- name: custom-init-scripts
|
||||||
|
configMap:
|
||||||
|
name: {{ include "postgresql.v1.initdb.scriptsCM" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.initdb.scriptsSecret }}
|
||||||
|
- name: custom-init-scripts-secret
|
||||||
|
secret:
|
||||||
|
secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: raw-certificates
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||||
|
- name: postgresql-certificates
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.extraVolumes }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||||
|
- name: custom-metrics
|
||||||
|
configMap:
|
||||||
|
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
- name: dshm
|
||||||
|
emptyDir:
|
||||||
|
medium: Memory
|
||||||
|
{{- if .Values.shmVolume.sizeLimit }}
|
||||||
|
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
|
||||||
|
- name: {{ .Values.primary.persistence.volumeName }}
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: {{ tpl .Values.primary.persistence.existingClaim $ }}
|
||||||
|
{{- else if not .Values.primary.persistence.enabled }}
|
||||||
|
- name: {{ .Values.primary.persistence.volumeName }}
|
||||||
|
emptyDir: {}
|
||||||
|
{{- else }}
|
||||||
|
{{- if .Values.primary.persistentVolumeClaimRetentionPolicy.enabled }}
|
||||||
|
persistentVolumeClaimRetentionPolicy:
|
||||||
|
whenDeleted: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenDeleted }}
|
||||||
|
whenScaled: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenScaled }}
|
||||||
|
{{- end }}
|
||||||
|
volumeClaimTemplates:
|
||||||
|
- apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: {{ .Values.primary.persistence.volumeName }}
|
||||||
|
{{- if .Values.primary.persistence.annotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.persistence.labels }}
|
||||||
|
labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
{{- range .Values.primary.persistence.accessModes }}
|
||||||
|
- {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.persistence.dataSource }}
|
||||||
|
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: {{ .Values.primary.persistence.size | quote }}
|
||||||
|
{{- if .Values.primary.persistence.selector }}
|
||||||
|
selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,31 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.svc.headless" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
annotations:
|
||||||
|
{{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
clusterIP: None
|
||||||
|
# We want all pods in the StatefulSet to have their addresses published for
|
||||||
|
# the sake of the other Postgresql pods even before they're ready, since they
|
||||||
|
# have to be able to talk to each other in order to become ready.
|
||||||
|
publishNotReadyAddresses: true
|
||||||
|
ports:
|
||||||
|
- name: tcp-postgresql
|
||||||
|
port: {{ template "postgresql.v1.service.port" . }}
|
||||||
|
targetPort: tcp-postgresql
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
|
@ -0,0 +1,54 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if or .Values.commonAnnotations .Values.primary.service.annotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: {{ .Values.primary.service.type }}
|
||||||
|
{{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }}
|
||||||
|
externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }}
|
||||||
|
loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges | toJson}}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerClass)) }}
|
||||||
|
loadBalancerClass: {{ .Values.primary.service.loadBalancerClass }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }}
|
||||||
|
loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
|
||||||
|
clusterIP: {{ .Values.primary.service.clusterIP }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.service.sessionAffinity }}
|
||||||
|
sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.service.sessionAffinityConfig }}
|
||||||
|
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: tcp-postgresql
|
||||||
|
port: {{ template "postgresql.v1.service.port" . }}
|
||||||
|
targetPort: tcp-postgresql
|
||||||
|
{{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }}
|
||||||
|
nodePort: {{ .Values.primary.service.nodePorts.postgresql }}
|
||||||
|
{{- else if eq .Values.primary.service.type "ClusterIP" }}
|
||||||
|
nodePort: null
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.primary.service.extraPorts }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: primary
|
|
@ -0,0 +1,22 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PrometheusRule
|
||||||
|
metadata:
|
||||||
|
name: {{ include "common.names.fullname" . }}
|
||||||
|
namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: metrics
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
groups:
|
||||||
|
- name: {{ include "common.names.fullname" . }}
|
||||||
|
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,42 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ include "common.names.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
privileged: false
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'secret'
|
||||||
|
- 'persistentVolumeClaim'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
hostNetwork: false
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
runAsUser:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1
|
||||||
|
max: 65535
|
||||||
|
fsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1
|
||||||
|
max: 65535
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,20 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
data:
|
||||||
|
override.conf: |-
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
data:
|
||||||
|
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,31 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: metrics-read
|
||||||
|
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
|
||||||
|
{{- if .Values.metrics.service.clusterIP }}
|
||||||
|
clusterIP: {{ .Values.metrics.service.clusterIP }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: http-metrics
|
||||||
|
port: {{ .Values.metrics.service.ports.metrics }}
|
||||||
|
targetPort: http-metrics
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,80 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if eq .Values.architecture "replication" }}
|
||||||
|
{{- if .Values.readReplicas.networkPolicy.enabled }}
|
||||||
|
kind: NetworkPolicy
|
||||||
|
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||||
|
namespace: {{ include "common.names.namespace" . | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
podSelector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
{{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
|
||||||
|
egress:
|
||||||
|
- {}
|
||||||
|
{{- else }}
|
||||||
|
egress:
|
||||||
|
# Allow dns resolution
|
||||||
|
- ports:
|
||||||
|
- port: 53
|
||||||
|
protocol: UDP
|
||||||
|
- port: 53
|
||||||
|
protocol: TCP
|
||||||
|
# Allow outbound connections to primary
|
||||||
|
- ports:
|
||||||
|
- port: {{ .Values.containerPorts.postgresql }}
|
||||||
|
to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||||
|
app.kubernetes.io/component: primary
|
||||||
|
{{- if .Values.readReplicas.networkPolicy.extraEgress }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
ingress:
|
||||||
|
- ports:
|
||||||
|
- port: {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- if .Values.metrics.enabled }}
|
||||||
|
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not .Values.readReplicas.networkPolicy.allowExternal }}
|
||||||
|
from:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{ template "postgresql.v1.readReplica.fullname" . }}-client: "true"
|
||||||
|
{{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||||
|
{{ $key | quote }}: {{ $value | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||||
|
{{ $key | quote }}: {{ $value | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.networkPolicy.extraIngress }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,29 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and ( eq .Values.architecture "replication" ) .Values.readReplicas.pdb.create }}
|
||||||
|
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if .Values.readReplicas.pdb.minAvailable }}
|
||||||
|
minAvailable: {{ .Values.readReplicas.pdb.minAvailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.readReplicas.pdb.maxUnavailable ( not .Values.readReplicas.pdb.minAvailable ) }}
|
||||||
|
maxUnavailable: {{ .Values.readReplicas.pdb.maxUnavailable | default 1 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,46 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }}
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: ServiceMonitor
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||||
|
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: metrics-read
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if .Values.metrics.serviceMonitor.jobLabel }}
|
||||||
|
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
{{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: metrics-read
|
||||||
|
endpoints:
|
||||||
|
- port: http-metrics
|
||||||
|
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||||
|
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||||
|
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||||
|
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||||
|
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.serviceMonitor.honorLabels }}
|
||||||
|
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
|
||||||
|
{{- end }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchNames:
|
||||||
|
- {{ .Release.Namespace | quote }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,578 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if eq .Values.architecture "replication" }}
|
||||||
|
{{- $customUser := include "postgresql.v1.username" . }}
|
||||||
|
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||||
|
kind: StatefulSet
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- if or .Values.commonAnnotations .Values.readReplicas.annotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.readReplicas.replicaCount }}
|
||||||
|
serviceName: {{ include "postgresql.v1.readReplica.svc.headless" . }}
|
||||||
|
{{- if .Values.readReplicas.updateStrategy }}
|
||||||
|
updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector:
|
||||||
|
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- if or (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
|
||||||
|
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.podAnnotations }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if .Values.readReplicas.extraPodSpec }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||||
|
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
|
||||||
|
automountServiceAccountToken: {{ .Values.readReplicas.automountServiceAccountToken }}
|
||||||
|
{{- if .Values.readReplicas.hostAliases }}
|
||||||
|
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.affinity }}
|
||||||
|
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }}
|
||||||
|
{{- else }}
|
||||||
|
affinity:
|
||||||
|
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||||
|
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||||
|
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.nodeSelector }}
|
||||||
|
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.tolerations }}
|
||||||
|
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.topologySpreadConstraints }}
|
||||||
|
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.priorityClassName }}
|
||||||
|
priorityClassName: {{ .Values.readReplicas.priorityClassName }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.schedulerName }}
|
||||||
|
schedulerName: {{ .Values.readReplicas.schedulerName | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.terminationGracePeriodSeconds }}
|
||||||
|
terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.podSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
hostNetwork: {{ .Values.readReplicas.hostNetwork }}
|
||||||
|
hostIPC: {{ .Values.readReplicas.hostIPC }}
|
||||||
|
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }}
|
||||||
|
initContainers:
|
||||||
|
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
|
||||||
|
- name: copy-certs
|
||||||
|
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.readReplicas.resources }}
|
||||||
|
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
# We don't require a privileged container in this case
|
||||||
|
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -ec
|
||||||
|
- |
|
||||||
|
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||||
|
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
- name: raw-certificates
|
||||||
|
mountPath: /tmp/certs
|
||||||
|
- name: postgresql-certificates
|
||||||
|
mountPath: /opt/bitnami/postgresql/certs
|
||||||
|
{{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }}
|
||||||
|
- name: init-chmod-data
|
||||||
|
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.readReplicas.resources }}
|
||||||
|
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -ec
|
||||||
|
- |
|
||||||
|
{{- if .Values.readReplicas.persistence.enabled }}
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }}
|
||||||
|
{{- else }}
|
||||||
|
chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }}
|
||||||
|
{{- end }}
|
||||||
|
mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
|
||||||
|
chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
|
||||||
|
find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
|
||||||
|
{{- else }}
|
||||||
|
xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
chmod -R 777 /dev/shm
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
|
||||||
|
{{- else }}
|
||||||
|
chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
|
||||||
|
{{- end }}
|
||||||
|
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||||
|
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
- name: data
|
||||||
|
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
|
||||||
|
{{- if .Values.readReplicas.persistence.subPath }}
|
||||||
|
subPath: {{ .Values.readReplicas.persistence.subPath }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
- name: dshm
|
||||||
|
mountPath: /dev/shm
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: raw-certificates
|
||||||
|
mountPath: /tmp/certs
|
||||||
|
- name: postgresql-certificates
|
||||||
|
mountPath: /opt/bitnami/postgresql/certs
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.initContainers }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: postgresql
|
||||||
|
image: {{ include "postgresql.v1.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.diagnosticMode.enabled }}
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.readReplicas.command }}
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.diagnosticMode.enabled }}
|
||||||
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.readReplicas.args }}
|
||||||
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: BITNAMI_DEBUG
|
||||||
|
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||||
|
- name: POSTGRESQL_PORT_NUMBER
|
||||||
|
value: {{ .Values.containerPorts.postgresql | quote }}
|
||||||
|
- name: POSTGRESQL_VOLUME_DIR
|
||||||
|
value: {{ .Values.readReplicas.persistence.mountPath | quote }}
|
||||||
|
{{- if .Values.readReplicas.persistence.mountPath }}
|
||||||
|
- name: PGDATA
|
||||||
|
value: {{ .Values.postgresqlDataDir | quote }}
|
||||||
|
{{- end }}
|
||||||
|
# Authentication
|
||||||
|
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||||
|
{{- if .Values.auth.enablePostgresUser }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
- name: ALLOW_EMPTY_PASSWORD
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_USER
|
||||||
|
value: {{ $customUser | quote }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.auth.enablePostgresUser }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
# Replication
|
||||||
|
- name: POSTGRES_REPLICATION_MODE
|
||||||
|
value: "slave"
|
||||||
|
- name: POSTGRES_REPLICATION_USER
|
||||||
|
value: {{ .Values.auth.replicationUsername | quote }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: POSTGRES_REPLICATION_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
- name: POSTGRES_CLUSTER_APP_NAME
|
||||||
|
value: {{ .Values.replication.applicationName }}
|
||||||
|
- name: POSTGRES_MASTER_HOST
|
||||||
|
value: {{ include "postgresql.v1.primary.fullname" . }}
|
||||||
|
- name: POSTGRES_MASTER_PORT_NUMBER
|
||||||
|
value: {{ include "postgresql.v1.service.port" . | quote }}
|
||||||
|
# TLS
|
||||||
|
- name: POSTGRESQL_ENABLE_TLS
|
||||||
|
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
|
||||||
|
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
|
||||||
|
- name: POSTGRESQL_TLS_CERT_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCert" . }}
|
||||||
|
- name: POSTGRESQL_TLS_KEY_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCertKey" . }}
|
||||||
|
{{- if .Values.tls.certCAFilename }}
|
||||||
|
- name: POSTGRESQL_TLS_CA_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCACert" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.crlFilename }}
|
||||||
|
- name: POSTGRESQL_TLS_CRL_FILE
|
||||||
|
value: {{ include "postgresql.v1.tlsCRL" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
# Audit
|
||||||
|
- name: POSTGRESQL_LOG_HOSTNAME
|
||||||
|
value: {{ .Values.audit.logHostname | quote }}
|
||||||
|
- name: POSTGRESQL_LOG_CONNECTIONS
|
||||||
|
value: {{ .Values.audit.logConnections | quote }}
|
||||||
|
- name: POSTGRESQL_LOG_DISCONNECTIONS
|
||||||
|
value: {{ .Values.audit.logDisconnections | quote }}
|
||||||
|
{{- if .Values.audit.logLinePrefix }}
|
||||||
|
- name: POSTGRESQL_LOG_LINE_PREFIX
|
||||||
|
value: {{ .Values.audit.logLinePrefix | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.audit.logTimezone }}
|
||||||
|
- name: POSTGRESQL_LOG_TIMEZONE
|
||||||
|
value: {{ .Values.audit.logTimezone | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.audit.pgAuditLog }}
|
||||||
|
- name: POSTGRESQL_PGAUDIT_LOG
|
||||||
|
value: {{ .Values.audit.pgAuditLog | quote }}
|
||||||
|
{{- end }}
|
||||||
|
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
|
||||||
|
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
|
||||||
|
# Others
|
||||||
|
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
|
||||||
|
value: {{ .Values.audit.clientMinMessages | quote }}
|
||||||
|
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
|
||||||
|
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
|
||||||
|
{{- if .Values.readReplicas.extraEnvVars }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }}
|
||||||
|
envFrom:
|
||||||
|
{{- if .Values.readReplicas.extraEnvVarsCM }}
|
||||||
|
- configMapRef:
|
||||||
|
name: {{ .Values.readReplicas.extraEnvVarsCM }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.extraEnvVarsSecret }}
|
||||||
|
- secretRef:
|
||||||
|
name: {{ .Values.readReplicas.extraEnvVarsSecret }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: tcp-postgresql
|
||||||
|
containerPort: {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- if not .Values.diagnosticMode.enabled }}
|
||||||
|
{{- if .Values.readReplicas.customStartupProbe }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.readReplicas.startupProbe.enabled }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
{{- if (include "postgresql.v1.database" .) }}
|
||||||
|
- exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- else }}
|
||||||
|
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.customLivenessProbe }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.readReplicas.livenessProbe.enabled }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
{{- if (include "postgresql.v1.database" .) }}
|
||||||
|
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- else }}
|
||||||
|
- exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.customReadinessProbe }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.readReplicas.readinessProbe.enabled }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- -e
|
||||||
|
{{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.resources }}
|
||||||
|
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.lifecycleHooks }}
|
||||||
|
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /opt/bitnami/postgresql/conf
|
||||||
|
subPath: app-conf-dir
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /opt/bitnami/postgresql/tmp
|
||||||
|
subPath: app-tmp-dir
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: postgresql-password
|
||||||
|
mountPath: /opt/bitnami/postgresql/secrets/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.extendedConfiguration }}
|
||||||
|
- name: postgresql-extended-config
|
||||||
|
mountPath: {{ .Values.readReplicas.persistence.mountPath }}/conf/conf.d/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: postgresql-certificates
|
||||||
|
mountPath: /opt/bitnami/postgresql/certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
- name: dshm
|
||||||
|
mountPath: /dev/shm
|
||||||
|
{{- end }}
|
||||||
|
- name: data
|
||||||
|
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
|
||||||
|
{{- if .Values.readReplicas.persistence.subPath }}
|
||||||
|
subPath: {{ .Values.readReplicas.persistence.subPath }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.extraVolumeMounts }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.enabled }}
|
||||||
|
- name: metrics
|
||||||
|
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||||
|
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||||
|
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||||
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.diagnosticMode.enabled }}
|
||||||
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||||
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.metrics.customMetrics }}
|
||||||
|
args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ]
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: DATA_SOURCE_URI
|
||||||
|
value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: DATA_SOURCE_PASS_FILE
|
||||||
|
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||||
|
{{- else }}
|
||||||
|
- name: DATA_SOURCE_PASS
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||||
|
{{- end }}
|
||||||
|
- name: DATA_SOURCE_USER
|
||||||
|
value: {{ default "postgres" $customUser | quote }}
|
||||||
|
{{- if .Values.metrics.extraEnvVars }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: http-metrics
|
||||||
|
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||||
|
{{- if not .Values.diagnosticMode.enabled }}
|
||||||
|
{{- if .Values.metrics.customStartupProbe }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.metrics.startupProbe.enabled }}
|
||||||
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
tcpSocket:
|
||||||
|
port: http-metrics
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.customLivenessProbe }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.metrics.livenessProbe.enabled }}
|
||||||
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http-metrics
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.customReadinessProbe }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
|
||||||
|
{{- else if .Values.metrics.readinessProbe.enabled }}
|
||||||
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http-metrics
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: empty-dir
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp-dir
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: postgresql-password
|
||||||
|
mountPath: /opt/bitnami/postgresql/secrets/
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.customMetrics }}
|
||||||
|
- name: custom-metrics
|
||||||
|
mountPath: /conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.metrics.resources }}
|
||||||
|
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||||
|
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||||
|
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.sidecars }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if .Values.readReplicas.extendedConfiguration }}
|
||||||
|
- name: postgresql-extended-config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "postgresql.v1.readReplicas.extendedConfigmapName" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.auth.usePasswordFiles }}
|
||||||
|
- name: postgresql-password
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "postgresql.v1.secretName" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enabled }}
|
||||||
|
- name: raw-certificates
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||||
|
- name: postgresql-certificates
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||||
|
- name: custom-metrics
|
||||||
|
configMap:
|
||||||
|
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.shmVolume.enabled }}
|
||||||
|
- name: dshm
|
||||||
|
emptyDir:
|
||||||
|
medium: Memory
|
||||||
|
{{- if .Values.shmVolume.sizeLimit }}
|
||||||
|
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
- name: empty-dir
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if .Values.readReplicas.extraVolumes }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }}
|
||||||
|
- name: data
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }}
|
||||||
|
{{- else if not .Values.readReplicas.persistence.enabled }}
|
||||||
|
- name: data
|
||||||
|
emptyDir: {}
|
||||||
|
{{- else }}
|
||||||
|
{{- if .Values.readReplicas.persistentVolumeClaimRetentionPolicy.enabled }}
|
||||||
|
persistentVolumeClaimRetentionPolicy:
|
||||||
|
whenDeleted: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted }}
|
||||||
|
whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }}
|
||||||
|
{{- end }}
|
||||||
|
volumeClaimTemplates:
|
||||||
|
- apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: data
|
||||||
|
{{- if .Values.readReplicas.persistence.annotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.persistence.labels }}
|
||||||
|
labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
{{- range .Values.readReplicas.persistence.accessModes }}
|
||||||
|
- {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.persistence.dataSource }}
|
||||||
|
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: {{ .Values.readReplicas.persistence.size | quote }}
|
||||||
|
{{- if .Values.readReplicas.persistence.selector }}
|
||||||
|
selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,33 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if eq .Values.architecture "replication" }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.readReplica.svc.headless" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
annotations:
|
||||||
|
{{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
clusterIP: None
|
||||||
|
# We want all pods in the StatefulSet to have their addresses published for
|
||||||
|
# the sake of the other Postgresql pods even before they're ready, since they
|
||||||
|
# have to be able to talk to each other in order to become ready.
|
||||||
|
publishNotReadyAddresses: true
|
||||||
|
ports:
|
||||||
|
- name: tcp-postgresql
|
||||||
|
port: {{ include "postgresql.v1.readReplica.service.port" . }}
|
||||||
|
targetPort: tcp-postgresql
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,56 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if eq .Values.architecture "replication" }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: {{ .Values.readReplicas.service.type }}
|
||||||
|
{{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }}
|
||||||
|
externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }}
|
||||||
|
loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerClass)) }}
|
||||||
|
loadBalancerClass: {{ .Values.readReplicas.service.loadBalancerClass }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }}
|
||||||
|
loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }}
|
||||||
|
clusterIP: {{ .Values.readReplicas.service.clusterIP }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.service.sessionAffinity }}
|
||||||
|
sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.service.sessionAffinityConfig }}
|
||||||
|
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- name: tcp-postgresql
|
||||||
|
port: {{ include "postgresql.v1.readReplica.service.port" . }}
|
||||||
|
targetPort: tcp-postgresql
|
||||||
|
{{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }}
|
||||||
|
nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }}
|
||||||
|
{{- else if eq .Values.readReplicas.service.type "ClusterIP" }}
|
||||||
|
nodePort: null
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.readReplicas.service.extraPorts }}
|
||||||
|
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||||
|
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: read
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,32 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.rbac.create }}
|
||||||
|
kind: Role
|
||||||
|
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||||
|
metadata:
|
||||||
|
name: {{ include "common.names.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
# yamllint disable rule:indentation
|
||||||
|
rules:
|
||||||
|
{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
|
||||||
|
- apiGroups:
|
||||||
|
- 'policy'
|
||||||
|
resources:
|
||||||
|
- 'podsecuritypolicies'
|
||||||
|
verbs:
|
||||||
|
- 'use'
|
||||||
|
resourceNames:
|
||||||
|
- {{ include "common.names.fullname" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.rbac.rules }}
|
||||||
|
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
# yamllint enable rule:indentation
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,24 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.rbac.create }}
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||||
|
metadata:
|
||||||
|
name: {{ include "common.names.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "common.names.fullname" . }}
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,99 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- $host := include "postgresql.v1.primary.fullname" . }}
|
||||||
|
{{- $port := include "postgresql.v1.service.port" . }}
|
||||||
|
{{- $customUser := include "postgresql.v1.username" . }}
|
||||||
|
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }}
|
||||||
|
{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }}
|
||||||
|
{{- $postgresPassword = randAlphaNum 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $replicationPassword := "" }}
|
||||||
|
{{- if eq .Values.architecture "replication" }}
|
||||||
|
{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $ldapPassword := "" }}
|
||||||
|
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
|
||||||
|
{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $password := "" }}
|
||||||
|
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||||
|
{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $database := include "postgresql.v1.database" . }}
|
||||||
|
{{- if (include "postgresql.v1.createSecret" .) }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "common.names.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
{{- if $postgresPassword }}
|
||||||
|
postgres-password: {{ $postgresPassword | b64enc | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $password }}
|
||||||
|
password: {{ $password | b64enc | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $replicationPassword }}
|
||||||
|
replication-password: {{ $replicationPassword | b64enc | quote }}
|
||||||
|
{{- end }}
|
||||||
|
# We don't auto-generate LDAP password when it's not provided as we do for other passwords
|
||||||
|
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
|
||||||
|
ldap-password: {{ $ldapPassword | b64enc | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.serviceBindings.enabled }}
|
||||||
|
{{- if $postgresPassword }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "common.names.fullname" . }}-svcbind-postgres
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
type: servicebinding.io/postgresql
|
||||||
|
data:
|
||||||
|
provider: {{ print "bitnami" | b64enc | quote }}
|
||||||
|
type: {{ print "postgresql" | b64enc | quote }}
|
||||||
|
host: {{ $host | b64enc | quote }}
|
||||||
|
port: {{ $port | b64enc | quote }}
|
||||||
|
username: {{ print "postgres" | b64enc | quote }}
|
||||||
|
database: {{ print "postgres" | b64enc | quote }}
|
||||||
|
password: {{ $postgresPassword | b64enc | quote }}
|
||||||
|
uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $password }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "common.names.fullname" . }}-svcbind-custom-user
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if .Values.commonAnnotations }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
type: servicebinding.io/postgresql
|
||||||
|
data:
|
||||||
|
provider: {{ print "bitnami" | b64enc | quote }}
|
||||||
|
type: {{ print "postgresql" | b64enc | quote }}
|
||||||
|
host: {{ $host | b64enc | quote }}
|
||||||
|
port: {{ $port | b64enc | quote }}
|
||||||
|
username: {{ $customUser | b64enc | quote }}
|
||||||
|
password: {{ $password | b64enc | quote }}
|
||||||
|
{{- if $database }}
|
||||||
|
database: {{ $database | b64enc | quote }}
|
||||||
|
{{- end }}
|
||||||
|
uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- /*
|
||||||
|
Copyright Broadcom, Inc. All Rights Reserved.
|
||||||
|
SPDX-License-Identifier: APACHE-2.0
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.serviceAccount.create }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||||
|
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
|
||||||
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||||
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||||
|
{{- end }}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue