progress
ci / build (push) Failing after 7m5s
Details
ci / build (push) Failing after 7m5s
Details
This commit is contained in:
parent
287321bb1e
commit
ebe65e067d
|
@ -13,6 +13,15 @@ jobs:
|
|||
- uses: actions/checkout@v3
|
||||
name: Check out code
|
||||
|
||||
- uses: mr-smithers-excellent/docker-build-push@v6
|
||||
name: Build futureporn/migrations
|
||||
with:
|
||||
image: futureporn/migrations
|
||||
tags: latest
|
||||
registry: gitea.futureporn.net
|
||||
dockerfile: d.migrations.dockerfile
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
|
||||
- uses: mr-smithers-excellent/docker-build-push@v6
|
||||
name: Build futureporn/worker
|
||||
|
@ -24,17 +33,6 @@ jobs:
|
|||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
|
||||
- uses: mr-smithers-excellent/docker-build-push@v6
|
||||
name: Build futureporn/scout
|
||||
with:
|
||||
image: futureporn/scout
|
||||
tags: latest
|
||||
target: scout
|
||||
registry: gitea.futureporn.net
|
||||
dockerfile: d.scout.dockerfile
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
|
||||
- uses: mr-smithers-excellent/docker-build-push@v6
|
||||
name: Build futureporn/next
|
||||
with:
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
git monorepo.
|
||||
|
||||
TypeScript
|
||||
|
||||
pnpm for workspaces.
|
||||
|
||||
Kubernetes for Development using Tiltfile
|
||||
|
@ -10,7 +12,7 @@ Tested on VKE v1.30.0+1 (PVCs on other versions may not be fulfilled)
|
|||
|
||||
direnv for loading .envrc
|
||||
|
||||
Temporal for work queue, cron
|
||||
pg-boss for work queue, cron
|
||||
|
||||
Postgres for data storage
|
||||
|
||||
|
|
10
Makefile
10
Makefile
|
@ -13,7 +13,7 @@ secrets:
|
|||
flux:
|
||||
./scripts/flux-bootstrap.sh
|
||||
|
||||
cluster: echoenv kind namespaces secrets velero chisel flux metrics
|
||||
cluster: echoenv kind namespaces secrets velero flux metrics
|
||||
|
||||
metrics:
|
||||
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
||||
|
@ -21,7 +21,7 @@ metrics:
|
|||
echoenv:
|
||||
echo "[echoenv] Using ${ENV} environment. If this is not what you want, export ENV=development|staging|production"
|
||||
|
||||
scrap: namespaces secrets velero chisel flux
|
||||
scrap: namespaces secrets velero flux
|
||||
|
||||
velero:
|
||||
./scripts/velero-create.sh
|
||||
|
@ -30,6 +30,9 @@ tilt:
|
|||
kind get kubeconfig > ~/.kube/futureporn.yaml
|
||||
KUBECONFIG=~/.kube/futureporn.yaml tilt up -f ./Tiltfile
|
||||
|
||||
cert-manager:
|
||||
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
|
||||
|
||||
exoscale:
|
||||
kubectl apply -f https://raw.githubusercontent.com/exoscale/cert-manager-webhook-exoscale/master/deploy/exoscale-webhook-kustomize/deploy.yaml
|
||||
|
||||
|
@ -39,9 +42,6 @@ kind:
|
|||
kindload:
|
||||
./scripts/kind-load.sh
|
||||
|
||||
chisel:
|
||||
./scripts/k8s-chisel-operator.sh
|
||||
|
||||
clean:
|
||||
kind delete cluster
|
||||
dotenvx run -f .env.${ENV} -- node ./packages/infra/vultr-delete-orphaned-resources.js
|
||||
|
|
225
Tiltfile
225
Tiltfile
|
@ -9,6 +9,8 @@ secret_settings(
|
|||
disable_scrub=True
|
||||
)
|
||||
|
||||
## helm_remote and deploy_cert_manager are BANNED because they use too much bandwidth and crash my computer
|
||||
##
|
||||
## cert-manager slows down Tilt updates so I prefer to keep it commented unless I specifically need to test certs
|
||||
## cert-manager loaded using this extension is PAINFULLY SLOW, and it must re-install and re-test every time the Tiltfile changes.
|
||||
## additionally, it is SYNCRHONOUS, which means nothing else can update until cert-manager is updated. @see https://github.com/tilt-dev/tilt-extensions/pull/90#issuecomment-704381205
|
||||
|
@ -18,8 +20,7 @@ secret_settings(
|
|||
# load_to_kind=True,
|
||||
# version='v1.15.1',
|
||||
# )
|
||||
|
||||
load('ext://helm_remote', 'helm_remote')
|
||||
# load('ext://helm_remote', 'helm_remote')
|
||||
|
||||
load('ext://dotenv', 'dotenv')
|
||||
dotenv(fn='.env.development')
|
||||
|
@ -56,24 +57,6 @@ dotenv(fn='.env.development')
|
|||
|
||||
|
||||
|
||||
helm_remote(
|
||||
'traefik',
|
||||
repo_name='traefik',
|
||||
repo_url='https://traefik.github.io/charts',
|
||||
namespace='futureporn',
|
||||
version='28.3.0',
|
||||
set=[
|
||||
'globalArguments[0]=--global.sendanonymoususage=false',
|
||||
'service.enabled=true',
|
||||
'logs.access.enabled=true',
|
||||
'logs.access.format=json',
|
||||
'logs.general.level=DEBUG',
|
||||
'logs.general.format=json',
|
||||
'providers.kubernetesIngress.publishedService.enabled=true',
|
||||
]
|
||||
)
|
||||
|
||||
|
||||
# helm_remote(
|
||||
# 'nitter',
|
||||
# repo_name='truecharts',
|
||||
|
@ -111,8 +94,25 @@ k8s_yaml(helm(
|
|||
'./charts/fp',
|
||||
values=['./charts/fp/values.yaml'],
|
||||
))
|
||||
## we are using a local helm chart instead of using helm_remote because that command makes the tilt builds Hella slow.
|
||||
## to download this chart, we used the following commands.
|
||||
## future re-pulling is needed to keep things up-to-date.
|
||||
##
|
||||
## helm repo add bitnami https://charts.bitnami.com/bitnami
|
||||
## helm pull bitnami/postgresql --untar --destination ./charts/postgresql
|
||||
k8s_yaml(helm(
|
||||
'./charts/postgresql/postgresql',
|
||||
namespace='futureporn',
|
||||
values=[
|
||||
'./charts/postgresql/values-overrides.yaml'
|
||||
]
|
||||
))
|
||||
|
||||
|
||||
k8s_yaml(helm(
|
||||
'./charts/cert-manager/cert-manager',
|
||||
namespace='cert-manager',
|
||||
values=['./charts/cert-manager/values-overrides.yaml']
|
||||
))
|
||||
|
||||
|
||||
# docker_build('fp/link2cid', './packages/link2cid')
|
||||
|
@ -126,13 +126,14 @@ docker_build(
|
|||
'./package.json',
|
||||
'./pnpm-lock.yaml',
|
||||
'./pnpm-workspace.yaml',
|
||||
'./packages/strapi',
|
||||
'./services/strapi',
|
||||
'./packages/types',
|
||||
],
|
||||
live_update=[
|
||||
sync('./packages/strapi', '/app'),
|
||||
run('cd /app && pnpm i', trigger=['./packages/strapi/package.json', './packages/strapi/pnpm-lock.yaml'])
|
||||
]
|
||||
sync('./services/strapi', '/app'),
|
||||
run('cd /app && pnpm i', trigger=['./services/strapi/package.json', './services/strapi/pnpm-lock.yaml'])
|
||||
],
|
||||
pull=False,
|
||||
)
|
||||
|
||||
# docker_build(
|
||||
|
@ -172,7 +173,7 @@ cmd_button('postgres:create',
|
|||
text='create (empty) databases',
|
||||
)
|
||||
cmd_button('postgres:restore',
|
||||
argv=['dotenvx', 'run', '-f', '.env.development', '--', './scripts/postgres-restore.sh'],
|
||||
argv=['./scripts/postgres-restore.sh'],
|
||||
resource='postgresql-primary',
|
||||
icon_name='upload',
|
||||
text='restore db from backup',
|
||||
|
@ -191,13 +192,26 @@ cmd_button('capture-api:create',
|
|||
text='Start Recording'
|
||||
)
|
||||
|
||||
cmd_button('postgres:graphile',
|
||||
argv=['sh', './scripts/postgres-test-graphile.sh'],
|
||||
resource='postgresql-primary',
|
||||
icon_name='graph',
|
||||
text='create graphile test job',
|
||||
cmd_button('postgrest:restore',
|
||||
argv=['./scripts/postgrest.sh'],
|
||||
resource='postgrest',
|
||||
icon_name='start',
|
||||
text='initialize',
|
||||
)
|
||||
|
||||
cmd_button('postgrest:migrate',
|
||||
argv=[''],
|
||||
resource='postgrest',
|
||||
icon_name='directions_run',
|
||||
text='Run migrations',
|
||||
)
|
||||
|
||||
cmd_button('pgadmin4:restore',
|
||||
argv=['./scripts/pgadmin-import-connection.sh'],
|
||||
resource='pgadmin4',
|
||||
icon_name='hub',
|
||||
text='import connection',
|
||||
)
|
||||
|
||||
## Uncomment the following for fp/next in dev mode
|
||||
## this is useful for changing the UI and seeing results
|
||||
|
@ -210,8 +224,9 @@ docker_build(
|
|||
'NEXT_PUBLIC_STRAPI_URL': 'https://strapi.fp.sbtp.xyz'
|
||||
},
|
||||
live_update=[
|
||||
sync('./packages/next', '/app')
|
||||
]
|
||||
sync('./services/next', '/app')
|
||||
],
|
||||
pull=False,
|
||||
)
|
||||
|
||||
|
||||
|
@ -240,16 +255,17 @@ docker_build(
|
|||
'./pnpm-workspace.yaml',
|
||||
'./packages/image',
|
||||
'./packages/scout',
|
||||
'./packages/mailbox',
|
||||
'./services/mailbox',
|
||||
'./packages/types',
|
||||
'./packages/utils',
|
||||
'./packages/video',
|
||||
'./packages/storage',
|
||||
],
|
||||
live_update=[
|
||||
sync('./packages/mailbox', '/app'),
|
||||
run('cd /app && pnpm i', trigger=['./packages/mailbox/package.json', './packages/mailbox/pnpm-lock.yaml']),
|
||||
sync('./services/mailbox', '/app'),
|
||||
run('cd /app && pnpm i', trigger=['./services/mailbox/package.json', './services/mailbox/pnpm-lock.yaml']),
|
||||
],
|
||||
pull=False,
|
||||
# entrypoint='pnpm nodemon --ext js,ts,json,yaml --exec node --no-warnings=ExperimentalWarning --loader ts-node/esm ./src/index.ts'
|
||||
)
|
||||
|
||||
|
@ -293,7 +309,8 @@ docker_build(
|
|||
],
|
||||
live_update=[
|
||||
sync('./packages/capture/dist', '/app/dist'),
|
||||
]
|
||||
],
|
||||
pull=False,
|
||||
)
|
||||
|
||||
|
||||
|
@ -321,14 +338,14 @@ docker_build(
|
|||
# )
|
||||
|
||||
|
||||
k8s_resource(
|
||||
workload='uppy',
|
||||
links=[
|
||||
link('https://uppy.fp.sbtp.xyz'),
|
||||
],
|
||||
resource_deps=['redis-master'],
|
||||
labels=['backend'],
|
||||
)
|
||||
# k8s_resource(
|
||||
# workload='uppy',
|
||||
# links=[
|
||||
# link('https://uppy.fp.sbtp.xyz'),
|
||||
# ],
|
||||
# resource_deps=['redis-master'],
|
||||
# labels=['backend'],
|
||||
# )
|
||||
k8s_resource(
|
||||
workload='next',
|
||||
port_forwards=['3000'],
|
||||
|
@ -352,36 +369,19 @@ k8s_resource(
|
|||
k8s_resource(
|
||||
workload='postgresql-primary',
|
||||
port_forwards=['5432'],
|
||||
labels=['backend'],
|
||||
labels=['database'],
|
||||
)
|
||||
|
||||
k8s_resource(
|
||||
workload='traefik',
|
||||
port_forwards=['9000:9000'],
|
||||
links=[
|
||||
link('http://localhost:9000/dashboard')
|
||||
],
|
||||
labels=['networking'],
|
||||
workload='postgresql-read',
|
||||
labels=['database']
|
||||
)
|
||||
|
||||
|
||||
|
||||
k8s_resource(
|
||||
workload='mailbox',
|
||||
resource_deps=['postgresql-primary', 'strapi'],
|
||||
labels=['backend'],
|
||||
)
|
||||
|
||||
# k8s_resource(
|
||||
# workload='',
|
||||
|
||||
# )
|
||||
|
||||
# k8s_resource(
|
||||
# workload='pgadmin',
|
||||
# port_forwards=['5050'],
|
||||
# resource_deps=['postgresql-primary']
|
||||
# )
|
||||
|
||||
# k8s_resource(
|
||||
# workload='nitter',
|
||||
|
@ -406,41 +406,23 @@ k8s_resource(
|
|||
# 'grafana.sidecar.dashboards.provider.foldersFromFileStructure=true'
|
||||
# ]
|
||||
# )
|
||||
helm_remote(
|
||||
'postgresql',
|
||||
repo_name='postgresql',
|
||||
repo_url='https://charts.bitnami.com/bitnami',
|
||||
namespace='futureporn',
|
||||
version='15.5.17',
|
||||
set=[
|
||||
'auth.enablePostgresUser=true',
|
||||
'auth.existingSecret=postgresql',
|
||||
# 'architecture=standalone',
|
||||
'architecture=replication',
|
||||
'readReplicas.replicaCount=3',
|
||||
'replication.syncronousCommit=on',
|
||||
'replication.numSyncronousReplicas=1',
|
||||
'replication.applicationName=futureporn',
|
||||
'image.debug=true',
|
||||
'auth.usePasswordFiles=true',
|
||||
]
|
||||
)
|
||||
|
||||
|
||||
## redis is only here for uppy's usage.
|
||||
## If we can engineer a way to delete redis, let's do it
|
||||
helm_remote(
|
||||
'redis',
|
||||
repo_name='redis',
|
||||
repo_url='https://charts.bitnami.com/bitnami',
|
||||
namespace='futureporn',
|
||||
version='19.6.1',
|
||||
set=[
|
||||
'auth.existingSecret=redis',
|
||||
'auth.existingSecretPasswordKey=password',
|
||||
'replica.persistence.enabled=false',
|
||||
'architecture=standalone'
|
||||
]
|
||||
)
|
||||
# helm_remote(
|
||||
# 'redis',
|
||||
# repo_name='redis',
|
||||
# repo_url='https://charts.bitnami.com/bitnami',
|
||||
# namespace='futureporn',
|
||||
# version='19.6.1',
|
||||
# set=[
|
||||
# 'auth.existingSecret=redis',
|
||||
# 'auth.existingSecretPasswordKey=password',
|
||||
# 'replica.persistence.enabled=false',
|
||||
# 'architecture=standalone'
|
||||
# ]
|
||||
# )
|
||||
|
||||
k8s_resource(
|
||||
workload='external-dns',
|
||||
|
@ -453,15 +435,12 @@ k8s_resource(
|
|||
)
|
||||
|
||||
|
||||
k8s_resource(
|
||||
workload='redis-master',
|
||||
labels=['backend']
|
||||
)
|
||||
# k8s_resource(
|
||||
# workload='redis-master',
|
||||
# labels=['backend']
|
||||
# )
|
||||
|
||||
|
||||
k8s_resource(
|
||||
workload='postgresql-read',
|
||||
labels=['backend']
|
||||
)
|
||||
# k8s_resource(
|
||||
# workload='bot',
|
||||
# labels=['backend'],
|
||||
|
@ -471,9 +450,41 @@ k8s_resource(
|
|||
workload='capture-api',
|
||||
port_forwards=['5003'],
|
||||
labels=['backend'],
|
||||
resource_deps=['postgrest', 'postgresql-primary'],
|
||||
)
|
||||
|
||||
k8s_resource(
|
||||
workload='capture-worker',
|
||||
labels=['backend'],
|
||||
)
|
||||
resource_deps=['postgrest', 'postgresql-primary'],
|
||||
)
|
||||
k8s_resource(
|
||||
workload='postgrest',
|
||||
port_forwards=['9000'],
|
||||
labels=['database'],
|
||||
resource_deps=['postgresql-primary'],
|
||||
)
|
||||
|
||||
k8s_resource(
|
||||
workload='pgadmin4',
|
||||
port_forwards=['5050:80'],
|
||||
labels=['database'],
|
||||
)
|
||||
|
||||
|
||||
k8s_resource(
|
||||
workload='cert-manager',
|
||||
labels=['certificates'],
|
||||
)
|
||||
k8s_resource(
|
||||
workload='cert-manager-cainjector',
|
||||
labels=['certificates'],
|
||||
)
|
||||
k8s_resource(
|
||||
workload='cert-manager-webhook',
|
||||
labels=['certificates'],
|
||||
)
|
||||
k8s_resource(
|
||||
workload='cert-manager-startupapicheck',
|
||||
labels=['certificates'],
|
||||
)
|
||||
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
# Futureporn Helm charts
|
||||
|
||||
These charts define the bulk of Futureporn's Kubernetes (k8s) payload. (Some of the infrastrucutre-specific payload is at `<PROJECT_ROOT>/flux/`)
|
||||
In production, Flux CD deploys these charts into the k8s cluster.
|
||||
|
||||
|
||||
## development
|
||||
|
||||
We are using a local Helm charts instead of using Tilt's `helm_remote` because that command makes the Tilt builds Hella slow.
|
||||
|
||||
We override default values in the parent folder.
|
||||
|
||||
/charts/postgresql/postgresql/values.yaml
|
||||
/charts/postgresql/values-overrides.yaml
|
||||
|
||||
### postgresql
|
||||
|
||||
helm repo add bitnami https://charts.bitnami.com/bitnami --force-update
|
||||
helm pull bitnami/postgresql --untar --destination ./charts/postgresql
|
||||
|
||||
### cert-manager
|
||||
|
||||
helm repo add jetstack https://charts.jetstack.io --force-update
|
||||
helm pull jetstack/cert-manager --untar --destination ./charts/cert-manager
|
|
@ -0,0 +1,26 @@
|
|||
annotations:
|
||||
artifacthub.io/category: security
|
||||
artifacthub.io/license: Apache-2.0
|
||||
artifacthub.io/prerelease: "false"
|
||||
artifacthub.io/signKey: |
|
||||
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
|
||||
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
|
||||
apiVersion: v2
|
||||
appVersion: v1.15.1
|
||||
description: A Helm chart for cert-manager
|
||||
home: https://cert-manager.io
|
||||
icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
|
||||
keywords:
|
||||
- cert-manager
|
||||
- kube-lego
|
||||
- letsencrypt
|
||||
- tls
|
||||
kubeVersion: '>= 1.22.0-0'
|
||||
maintainers:
|
||||
- email: cert-manager-maintainers@googlegroups.com
|
||||
name: cert-manager-maintainers
|
||||
url: https://cert-manager.io
|
||||
name: cert-manager
|
||||
sources:
|
||||
- https://github.com/cert-manager/cert-manager
|
||||
version: v1.15.1
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.installCRDs }}
|
||||
⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
|
||||
{{- end }}
|
||||
cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
|
||||
|
||||
In order to begin issuing certificates, you will need to set up a ClusterIssuer
|
||||
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
|
||||
|
||||
More information on the different types of issuers and how to configure them
|
||||
can be found in our documentation:
|
||||
|
||||
https://cert-manager.io/docs/configuration/
|
||||
|
||||
For information on how to configure cert-manager to automatically provision
|
||||
Certificates for Ingress resources, take a look at the `ingress-shim`
|
||||
documentation:
|
||||
|
||||
https://cert-manager.io/docs/usage/ingress/
|
|
@ -0,0 +1,202 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "cert-manager.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "cert-manager.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cert-manager.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Webhook templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'webhook' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "webhook.name" -}}
|
||||
{{- printf "webhook" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "webhook.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
|
||||
{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "webhook.caRef" -}}
|
||||
{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "webhook.serviceAccountName" -}}
|
||||
{{- if .Values.webhook.serviceAccount.create -}}
|
||||
{{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.webhook.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
cainjector templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "cainjector.name" -}}
|
||||
{{- printf "cainjector" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "cainjector.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cainjector.serviceAccountName" -}}
|
||||
{{- if .Values.cainjector.serviceAccount.create -}}
|
||||
{{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.cainjector.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
startupapicheck templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "startupapicheck.name" -}}
|
||||
{{- printf "startupapicheck" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "startupapicheck.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "startupapicheck.serviceAccountName" -}}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create -}}
|
||||
{{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "chartName" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Labels that should be added on each resource
|
||||
*/}}
|
||||
{{- define "labels" -}}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- if eq (default "helm" .Values.creator) "helm" }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
helm.sh/chart: {{ include "chartName" . }}
|
||||
{{- end -}}
|
||||
{{- if .Values.global.commonLabels}}
|
||||
{{ toYaml .Values.global.commonLabels }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Namespace for all resources to be installed into
|
||||
If not defined in values file then the helm release namespace is used
|
||||
By default this is not set so the helm release namespace will be used
|
||||
|
||||
This gets around an problem within helm discussed here
|
||||
https://github.com/helm/helm/issues/5358
|
||||
*/}}
|
||||
{{- define "cert-manager.namespace" -}}
|
||||
{{ .Values.namespace | default .Release.Namespace }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Util function for generating the image URL based on the provided options.
|
||||
IMPORTANT: This function is standarized across all charts in the cert-manager GH organization.
|
||||
Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
|
||||
See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
|
||||
*/}}
|
||||
{{- define "image" -}}
|
||||
{{- $defaultTag := index . 1 -}}
|
||||
{{- with index . 0 -}}
|
||||
{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
|
||||
{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Check that the user has not set both .installCRDs and .crds.enabled or
|
||||
set .installCRDs and disabled .crds.keep.
|
||||
.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
|
||||
*/}}
|
||||
{{- define "cert-manager.crd-check" -}}
|
||||
{{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
|
||||
{{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
|
||||
{{- end }}
|
||||
{{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
|
||||
{{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.cainjector.config -}}
|
||||
{{- $_ := .Values.cainjector.config.apiVersion | required ".Values.cainjector.config.apiVersion must be set !" -}}
|
||||
{{- $_ := .Values.cainjector.config.kind | required ".Values.cainjector.config.kind must be set !" -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- .Values.cainjector.config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,140 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.cainjector.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- with .Values.cainjector.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.cainjector.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-cainjector
|
||||
image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.cainjector.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.featureGates}}
|
||||
- --feature-gates={{ . }}
|
||||
{{- end}}
|
||||
{{- with .Values.cainjector.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.cainjector.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.cainjector.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.cainjector.volumes .Values.cainjector.config }}
|
||||
volumes:
|
||||
{{- if .Values.cainjector.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
{{- end }}
|
||||
{{ with .Values.cainjector.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,29 @@
|
|||
{{- if .Values.cainjector.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
|
||||
{{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cainjector.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,22 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,51 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,103 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiregistration.k8s.io"]
|
||||
resources: ["apiservices"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
subjects:
|
||||
- name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
# leader election rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,27 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.cainjector.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.cainjector.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.config -}}
|
||||
{{- $_ := .Values.config.apiVersion | required ".Values.config.apiVersion must be set !" -}}
|
||||
{{- $_ := .Values.config.kind | required ".Values.config.kind must be set !" -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- .Values.config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,231 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- with .Values.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||
{{- if not .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
|
||||
{{- if hasKey .Values "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.volumes .Values.config}}
|
||||
volumes:
|
||||
{{- if .Values.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
{{- end }}
|
||||
{{ with .Values.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-controller
|
||||
image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.config "" }}
|
||||
{{- if .Values.clusterResourceNamespace }}
|
||||
- --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
|
||||
{{- else }}
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.acmesolver.image }}
|
||||
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
|
||||
{{- end }}
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingressShim }}
|
||||
{{- if .defaultIssuerName }}
|
||||
- --default-issuer-name={{ .defaultIssuerName }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerKind }}
|
||||
- --default-issuer-kind={{ .defaultIssuerKind }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerGroup }}
|
||||
- --default-issuer-group={{ .defaultIssuerGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
{{- if .Values.maxConcurrentChallenges }}
|
||||
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
|
||||
{{- end }}
|
||||
{{- if .Values.enableCertificateOwnerRef }}
|
||||
- --enable-certificate-owner-ref=true
|
||||
{{- end }}
|
||||
{{- if .Values.dns01RecursiveNameserversOnly }}
|
||||
- --dns01-recursive-nameservers-only=true
|
||||
{{- end }}
|
||||
{{- with .Values.dns01RecursiveNameservers }}
|
||||
- --dns01-recursive-nameservers={{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.disableAutoApproval }}
|
||||
- --controllers=-certificaterequests-approver
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
- containerPort: 9403
|
||||
name: http-healthz
|
||||
protocol: TCP
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.config .Values.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.http_proxy }}
|
||||
- name: HTTP_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.https_proxy }}
|
||||
- name: HTTPS_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.no_proxy }}
|
||||
- name: NO_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
|
||||
{{- with .Values.livenessProbe }}
|
||||
{{- if .enabled }}
|
||||
# LivenessProbe settings are based on those used for the Kubernetes
|
||||
# controller-manager. See:
|
||||
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
port: http-healthz
|
||||
path: /livez
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .initialDelaySeconds }}
|
||||
periodSeconds: {{ .periodSeconds }}
|
||||
timeoutSeconds: {{ .timeoutSeconds }}
|
||||
successThreshold: {{ .successThreshold }}
|
||||
failureThreshold: {{ .failureThreshold }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsPolicy }}
|
||||
dnsPolicy: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsConfig }}
|
||||
dnsConfig:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.hostAliases }}
|
||||
hostAliases: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,4 @@
|
|||
{{ range .Values.extraObjects }}
|
||||
---
|
||||
{{ tpl . $ }}
|
||||
{{ end }}
|
|
@ -0,0 +1,19 @@
|
|||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-egress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
egress:
|
||||
{{- with .Values.webhook.networkPolicy.egress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
policyTypes:
|
||||
- Egress
|
||||
{{- end }}
|
|
@ -0,0 +1,21 @@
|
|||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-ingress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
ingress:
|
||||
{{- with .Values.webhook.networkPolicy.ingress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
{{- end }}
|
|
@ -0,0 +1,29 @@
|
|||
{{- if .Values.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
|
||||
{{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,50 @@
|
|||
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||
{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.podmonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
|
||||
{{- with .Values.prometheus.podmonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.podmonitor.annotations }}
|
||||
annotations:
|
||||
{{- with .Values.prometheus.podmonitor.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
podMetricsEndpoints:
|
||||
- port: http-metrics
|
||||
path: {{ .Values.prometheus.podmonitor.path }}
|
||||
interval: {{ .Values.prometheus.podmonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
|
||||
{{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cert-manager.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,49 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
|
@ -0,0 +1,574 @@
|
|||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
# Issuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "issuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
|
||||
# ClusterIssuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "clusterissuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Certificates controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders"]
|
||||
verbs: ["create", "delete", "get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Orders controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "orders/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["create", "delete"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Challenges controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update", "patch"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to watch challenges, issuer and clusterissuer resources
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Need to be able to retrieve ACME account private key to complete challenges
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to create events
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# HTTP01 rules
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||
resources: [ "httproutes" ]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
# new ingress resources.
|
||||
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources: ["routes/custom-host"]
|
||||
verbs: ["create"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges/finalizers"]
|
||||
verbs: ["update"]
|
||||
# DNS01 rules (duplicated above)
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
# ingress-shim controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests"]
|
||||
verbs: ["create", "update", "delete"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways", "httproutes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-cluster-view
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
{{- end }}
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-view
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-edit
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
|
||||
---
|
||||
|
||||
{{- if not .Values.disableAutoApproval -}}
|
||||
|
||||
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["signers"]
|
||||
verbs: ["approve"]
|
||||
{{- with .Values.approveSignerNames }}
|
||||
resourceNames:
|
||||
{{- range . }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
{{- end -}}
|
||||
|
||||
# Permission to:
|
||||
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["signers"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
verbs: ["sign"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
{{- end }}
|
|
@ -0,0 +1,37 @@
|
|||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
{{- if .Values.serviceIPFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceIPFamilies }}
|
||||
ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
name: tcp-prometheus-servicemonitor
|
||||
targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- end }}
|
|
@ -0,0 +1,25 @@
|
|||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,50 @@
|
|||
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||
{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
|
||||
{{- with .Values.prometheus.servicemonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.servicemonitor.annotations }}
|
||||
annotations:
|
||||
{{- with .Values.prometheus.servicemonitor.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
endpoints:
|
||||
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
path: {{ .Values.prometheus.servicemonitor.path }}
|
||||
interval: {{ .Values.prometheus.servicemonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
|
||||
{{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,87 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.jobAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.startupapicheck.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-startupapicheck
|
||||
image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
|
||||
args:
|
||||
- check
|
||||
- api
|
||||
- --wait={{ .Values.startupapicheck.timeout }}
|
||||
{{- with .Values.startupapicheck.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,24 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "startupapicheck.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,26 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,51 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,48 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
# create certificate role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,27 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.webhook.config -}}
|
||||
{{- $_ := .Values.webhook.config.apiVersion | required ".Values.webhook.config.apiVersion must be set !" -}}
|
||||
{{- $_ := .Values.webhook.config.kind | required ".Values.webhook.config.kind must be set !" -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- .Values.webhook.config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,192 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.webhook.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- with .Values.webhook.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-webhook
|
||||
image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.webhook.config "" }}
|
||||
{{ if not $config.securePort -}}
|
||||
- --secure-port={{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.featureGates }}
|
||||
- --feature-gates={{ .Values.webhook.featureGates }}
|
||||
{{- end }}
|
||||
{{- $tlsConfig := default $config.tlsConfig "" }}
|
||||
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
|
||||
{{ if .Values.webhook.url.host }}
|
||||
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
protocol: TCP
|
||||
{{- if $config.securePort }}
|
||||
containerPort: {{ $config.securePort }}
|
||||
{{- else if .Values.webhook.securePort }}
|
||||
containerPort: {{ .Values.webhook.securePort }}
|
||||
{{- else }}
|
||||
containerPort: 6443
|
||||
{{- end }}
|
||||
- name: healthcheck
|
||||
protocol: TCP
|
||||
{{- if $config.healthzPort }}
|
||||
containerPort: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
containerPort: 6080
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /livez
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
|
||||
{{- with .Values.webhook.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.webhook.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumes }}
|
||||
volumes:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,48 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
|
||||
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
{{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
|
||||
namespaceSelector:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
resources:
|
||||
- "certificaterequests"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/mutate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
path: /mutate
|
||||
{{- end }}
|
|
@ -0,0 +1,29 @@
|
|||
{{- if .Values.webhook.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
|
||||
{{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "webhook.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,54 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: {{ .Values.webhook.hostNetwork }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostPorts:
|
||||
- max: {{ .Values.webhook.securePort }}
|
||||
min: {{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
|
@ -0,0 +1,83 @@
|
|||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
- '{{ template "webhook.fullname" . }}-ca'
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.webhook.serviceType }}
|
||||
{{- if .Values.webhook.serviceIPFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.serviceIPFamilies }}
|
||||
ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.loadBalancerIP }}
|
||||
loadBalancerIP: {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: "https"
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
|
@ -0,0 +1,25 @@
|
|||
{{- if .Values.webhook.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,49 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
|
||||
{{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
{{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
|
||||
namespaceSelector:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/validate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
path: /validate
|
||||
{{- end }}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,2 @@
|
|||
fullnameOverride: cert-manager
|
||||
installCRDs: true
|
|
@ -0,0 +1,3 @@
|
|||
templates that I may or may not use soon.
|
||||
|
||||
(@todo probably delete this entire dir)
|
|
@ -0,0 +1,53 @@
|
|||
|
||||
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: postgresql
|
||||
namespace: futureporn
|
||||
labels:
|
||||
app: postgresql
|
||||
spec:
|
||||
replicas: {{ .Values.postgresql.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: postgresql
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: postgresql
|
||||
spec:
|
||||
containers:
|
||||
- name: postgresql
|
||||
image: "{{ .Values.postgresql.image }}"
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.postgresql.port }}
|
||||
env:
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgresql
|
||||
key: password
|
||||
- name: POSTGRES_USER
|
||||
value: futureporn
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: postgresql
|
||||
namespace: futureporn
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.postgresql.hostname }}"
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
selector:
|
||||
app.kubernetes.io/name: postgresql
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ .Values.postgresql.port }}
|
||||
targetPort: http
|
||||
protocol: TCP
|
|
@ -99,7 +99,6 @@ metadata:
|
|||
namespace: futureporn
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.trigger.hostname }}"
|
||||
chisel-operator.io/exit-node-name: "trigger-exit-node"
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
|
@ -109,59 +108,3 @@ spec:
|
|||
selector:
|
||||
app: trigger
|
||||
|
||||
|
||||
{{ if eq .Values.environment "development" }}
|
||||
---
|
||||
apiVersion: chisel-operator.io/v2
|
||||
kind: ExitNode
|
||||
metadata:
|
||||
name: trigger-exit-node
|
||||
namespace: futureporn
|
||||
spec:
|
||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
||||
port: 9090
|
||||
auth: chisel
|
||||
{{ end }}
|
||||
|
||||
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: trigger-http
|
||||
namespace: futureporn
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`trigger.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: redirect
|
||||
namespace: futureporn
|
||||
services:
|
||||
- name: trigger
|
||||
namespace: futureporn
|
||||
port: 3030
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: trigger-https
|
||||
namespace: futureporn
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`trigger.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: trigger
|
||||
namespace: futureporn
|
||||
port: 3030
|
||||
tls:
|
||||
secretName: trigger-tls
|
||||
|
|
|
@ -38,11 +38,11 @@ spec:
|
|||
env:
|
||||
- name: FUNCTION
|
||||
value: worker
|
||||
- name: DATABASE_URL
|
||||
- name: PGBOSS_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: capture
|
||||
key: databaseUrl
|
||||
key: pgbossUrl
|
||||
- name: PORT
|
||||
value: "{{ .Values.capture.api.port }}"
|
||||
- name: S3_ENDPOINT
|
||||
|
@ -63,8 +63,8 @@ spec:
|
|||
key: s3SecretAccessKey
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 2Gi
|
||||
cpu: 250m
|
||||
memory: 512Mi
|
||||
restartPolicy: Always
|
||||
|
||||
|
||||
|
@ -95,15 +95,15 @@ spec:
|
|||
env:
|
||||
- name: FUNCTION
|
||||
value: api
|
||||
- name: DATABASE_URL
|
||||
- name: PGBOSS_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: capture
|
||||
key: databaseUrl
|
||||
key: pgbossUrl
|
||||
- name: PORT
|
||||
value: "{{ .Values.capture.api.port }}"
|
||||
resources:
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
memory: 128Mi
|
||||
restartPolicy: Always
|
|
@ -32,7 +32,6 @@ metadata:
|
|||
namespace: futureporn
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.next.hostname }}"
|
||||
chisel-operator.io/exit-node-name: "next-exit-node"
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
selector:
|
||||
|
@ -53,13 +52,11 @@ spec:
|
|||
# name: next
|
||||
# namespace: futureporn
|
||||
# annotations:
|
||||
# traefik.ingress.kubernetes.io/router.entrypoints: http
|
||||
# traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||
# kubernetes.io/ingress.class: traefik
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# external-dns.alpha.kubernetes.io/hostname: "{{ .Values.next.hostname }}"
|
||||
# spec:
|
||||
# ingressClassName: traefik
|
||||
# ingressClassName: nginx
|
||||
# backend:
|
||||
# serviceName: next
|
||||
# servicePort: 3000
|
||||
|
@ -80,19 +77,6 @@ spec:
|
|||
# number: 3000
|
||||
# {{ end }}
|
||||
|
||||
{{ if eq .Values.environment "development" }}
|
||||
---
|
||||
apiVersion: chisel-operator.io/v2
|
||||
kind: ExitNode
|
||||
metadata:
|
||||
name: next-exit-node
|
||||
namespace: futureporn
|
||||
spec:
|
||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
||||
port: 9090
|
||||
auth: chisel
|
||||
{{ end }}
|
||||
|
||||
|
||||
# ---
|
||||
# apiVersion: networking.k8s.io/v1
|
||||
|
@ -101,9 +85,7 @@ spec:
|
|||
# name: next
|
||||
# namespace: futureporn
|
||||
# annotations:
|
||||
# traefik.ingress.kubernetes.io/router.entrypoints: web
|
||||
# traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||
|
||||
# spec:
|
||||
# rules:
|
||||
# - host: next.fp.sbtp.xyz
|
||||
|
@ -134,44 +116,3 @@ spec:
|
|||
dnsNames:
|
||||
- "{{ .Values.next.hostname }}"
|
||||
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: next-http
|
||||
namespace: futureporn
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`next.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: redirect
|
||||
namespace: futureporn
|
||||
services:
|
||||
- name: next
|
||||
port: 3000
|
||||
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: next-https
|
||||
namespace: futureporn
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`next.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: next
|
||||
namespace: futureporn
|
||||
port: 3000
|
||||
tls:
|
||||
secretName: next-tls
|
|
@ -0,0 +1,55 @@
|
|||
## Resist the urge to delete this container! We use it again and again!
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: pgadmin4
|
||||
namespace: futureporn
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: pgadmin4
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: pgadmin4
|
||||
spec:
|
||||
containers:
|
||||
- name: pgadmin4
|
||||
image: docker.io/dpage/pgadmin4:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
resources:
|
||||
limits:
|
||||
memory: 256Mi
|
||||
requests:
|
||||
memory: 100Mi
|
||||
env:
|
||||
- name: PGADMIN_DEFAULT_EMAIL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: pgadmin4
|
||||
key: email
|
||||
- name: PGADMIN_DEFAULT_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: pgadmin4
|
||||
key: password
|
||||
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: pgadmin4
|
||||
namespace: futureporn
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- port: 5050
|
||||
targetPort: 80
|
||||
protocol: TCP
|
||||
selector:
|
||||
app: pgadmin4
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
|
||||
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: postgrest
|
||||
namespace: futureporn
|
||||
labels:
|
||||
app: postgrest
|
||||
spec:
|
||||
replicas: {{ .Values.postgrest.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: postgrest
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: postgrest
|
||||
spec:
|
||||
containers:
|
||||
- name: postgrest
|
||||
image: "{{ .Values.postgrest.image }}"
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.postgrest.port }}
|
||||
env:
|
||||
- name: PGRST_DB_ANON_ROLE
|
||||
value: anonymous
|
||||
- name: PGRST_SERVER_PORT
|
||||
value: "{{ .Values.postgrest.port }}"
|
||||
- name: PGRST_DB_SCHEMAS
|
||||
value: "{{ .Values.postgrest.schemas }}"
|
||||
- name: PGRST_DB_URI
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgrest
|
||||
key: dbUri
|
||||
- name: PGRST_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgrest
|
||||
key: jwtSecret
|
|
@ -1,123 +0,0 @@
|
|||
# apiVersion: apps/v1
|
||||
# kind: ReplicaSet
|
||||
# metadata:
|
||||
# name: scout-worker
|
||||
# namespace: futureporn
|
||||
# labels:
|
||||
# app: scout-worker
|
||||
# spec:
|
||||
# replicas: {{ .Values.scout.replicas }}
|
||||
# selector:
|
||||
# matchLabels:
|
||||
# app: scout-worker
|
||||
# template:
|
||||
# metadata:
|
||||
# labels:
|
||||
# app: scout-worker
|
||||
# spec:
|
||||
# containers:
|
||||
# - name: scout-worker
|
||||
# image: "{{ .Values.scout.imageName }}"
|
||||
# imagePullPolicy: Always
|
||||
# ports:
|
||||
# - containerPort: 8080
|
||||
# env:
|
||||
# - name: TEMPORAL_SERVICE_ADDRESS
|
||||
# value: "temporal-frontend.futureporn.svc.cluster.local:7233"
|
||||
# - name: TEMPORAL_NAMESPACE
|
||||
# value: "futureporn"
|
||||
# - name: TEMPORAL_TASK_QUEUE
|
||||
# value: "scout"
|
||||
# - name: S3_BUCKET_NAME
|
||||
# value: "{{ .Values.scout.s3BucketName }}"
|
||||
# - name: CDN_BUCKET_URL
|
||||
# value: "{{ .Values.scout.cdnBucketUrl }}"
|
||||
# - name: STRAPI_URL
|
||||
# value: https://strapi.fp.sbtp.xyz
|
||||
# - name: S3_BUCKET_APPLICATION_KEY
|
||||
# valueFrom:
|
||||
# secretKeyRef:
|
||||
# name: scout
|
||||
# key: s3BucketApplicationKey
|
||||
# - name: S3_BUCKET_KEY_ID
|
||||
# valueFrom:
|
||||
# secretKeyRef:
|
||||
# name: scout
|
||||
# key: s3BucketKeyId
|
||||
# - name: SCOUT_NITTER_ACCESS_KEY
|
||||
# valueFrom:
|
||||
# secretKeyRef:
|
||||
# name: scout
|
||||
# key: nitterAccessKey
|
||||
# - name: SCOUT_NITTER_URL
|
||||
# value: https://nitter.sbtp.xyz
|
||||
# - name: SCOUT_RECENTS_TOKEN
|
||||
# valueFrom:
|
||||
# secretKeyRef:
|
||||
# name: scout
|
||||
# key: recentsToken
|
||||
# - name: SCOUT_STRAPI_API_KEY
|
||||
# valueFrom:
|
||||
# secretKeyRef:
|
||||
# name: scout
|
||||
# key: strapiApiKey
|
||||
# resources:
|
||||
# limits:
|
||||
# cpu: "500m"
|
||||
# memory: "512Mi"
|
||||
# requests:
|
||||
# cpu: "250m"
|
||||
# memory: "256Mi"
|
||||
|
||||
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: scout
|
||||
namespace: futureporn
|
||||
labels:
|
||||
app: scout
|
||||
spec:
|
||||
replicas: {{ .Values.scout.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: scout
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: scout
|
||||
spec:
|
||||
containers:
|
||||
- name: scout
|
||||
image: "{{ .Values.scout.imageName }}"
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 3000
|
||||
env:
|
||||
- name: SCOUT_IMAP_SERVER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: scout
|
||||
key: imapServer
|
||||
- name: SCOUT_IMAP_PORT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: scout
|
||||
key: imapPort
|
||||
- name: SCOUT_IMAP_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: scout
|
||||
key: imapUsername
|
||||
- name: SCOUT_IMAP_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: scout
|
||||
key: imapPassword
|
||||
- name: SCOUT_IMAP_ACCESS_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: scout
|
||||
key: imapAccessToken
|
|
@ -6,7 +6,6 @@ metadata:
|
|||
namespace: futureporn
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.strapi.hostname }}"
|
||||
chisel-operator.io/exit-node-name: "strapi-exit-node"
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
selector:
|
||||
|
@ -26,7 +25,7 @@ metadata:
|
|||
labels:
|
||||
app.kubernetes.io/name: strapi
|
||||
spec:
|
||||
replicas: 2
|
||||
replicas: {{ .Values.strapi.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: strapi
|
||||
|
@ -70,7 +69,7 @@ spec:
|
|||
- name: DATABASE_CLIENT
|
||||
value: postgres
|
||||
- name: DATABASE_HOST
|
||||
value: postgresql-primary.futureporn.svc.cluster.local
|
||||
value: postgresql.futureporn.svc.cluster.local
|
||||
- name: DATABASE_NAME
|
||||
value: futureporn-strapi
|
||||
- name: JWT_SECRET
|
||||
|
@ -164,19 +163,6 @@ spec:
|
|||
|
||||
|
||||
|
||||
{{ if eq .Values.environment "development" }}
|
||||
---
|
||||
apiVersion: chisel-operator.io/v2
|
||||
kind: ExitNode
|
||||
metadata:
|
||||
name: strapi-exit-node
|
||||
namespace: futureporn
|
||||
spec:
|
||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
||||
port: 9090
|
||||
auth: chisel
|
||||
{{ end }}
|
||||
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
|
@ -191,44 +177,3 @@ spec:
|
|||
dnsNames:
|
||||
- "{{ .Values.strapi.hostname }}"
|
||||
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: strapi-http
|
||||
namespace: futureporn
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`strapi.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: redirect
|
||||
namespace: futureporn
|
||||
services:
|
||||
- name: strapi
|
||||
namespace: futureporn
|
||||
port: 1339
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: strapi-https
|
||||
namespace: futureporn
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`strapi.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: strapi
|
||||
namespace: futureporn
|
||||
port: 1339
|
||||
tls:
|
||||
secretName: strapi-tls
|
|
@ -1,77 +0,0 @@
|
|||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: redirect
|
||||
namespace: futureporn
|
||||
|
||||
spec:
|
||||
redirectScheme:
|
||||
scheme: https
|
||||
permanent: true
|
||||
|
||||
|
||||
{{ if eq .Values.environment "development" }}
|
||||
---
|
||||
apiVersion: chisel-operator.io/v2
|
||||
kind: ExitNode
|
||||
metadata:
|
||||
name: traefik-exit-node
|
||||
namespace: futureporn
|
||||
spec:
|
||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
||||
port: 9090
|
||||
auth: chisel
|
||||
{{ end }}
|
||||
|
||||
|
||||
# ---
|
||||
# apiVersion: v1
|
||||
# kind: Service
|
||||
# metadata:
|
||||
# name: traefik
|
||||
# namespace: futureporn
|
||||
# annotations:
|
||||
|
||||
# meta.helm.sh/release-name: fp
|
||||
# spec:
|
||||
# type: LoadBalancer
|
||||
# selector:
|
||||
# app: traefik
|
||||
# ports:
|
||||
# - protocol: TCP
|
||||
# port: 443
|
||||
# targetPort: 8443
|
||||
|
||||
# ---
|
||||
# apiVersion: networking.k8s.io/v1
|
||||
# kind: Ingress
|
||||
# metadata:
|
||||
# name: traefik
|
||||
# namespace: futureporn
|
||||
# annotations:
|
||||
# kubernetes.io/ingress.class: traefik
|
||||
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
# traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||
# traefik.ingress.kubernetes.io/router.middlewares: futureporn-redirect@kubernetescrd
|
||||
# spec:
|
||||
# ingressClassName: traefik
|
||||
# rules:
|
||||
# - http:
|
||||
# paths:
|
||||
# - path: /
|
||||
# pathType: Prefix
|
||||
# backend:
|
||||
# service:
|
||||
# name: traefik
|
||||
# port:
|
||||
# number: 443
|
||||
# tls:
|
||||
# - hosts:
|
||||
# - "{{ .Values.echo.hostname }}"
|
||||
# secretName: echo-cert
|
||||
# - "{{ .Values.next.hostname }}"
|
||||
# secretName: next-cert
|
||||
# - "{{ .Values.strapi.hostname }}"
|
||||
# secretName: strapi-cert
|
|
@ -135,7 +135,6 @@ metadata:
|
|||
namespace: futureporn
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.uppy.hostname }}"
|
||||
chisel-operator.io/exit-node-name: "uppy-exit-node"
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
|
@ -146,63 +145,9 @@ spec:
|
|||
app: uppy
|
||||
|
||||
|
||||
{{ if eq .Values.environment "development" }}
|
||||
---
|
||||
apiVersion: chisel-operator.io/v2
|
||||
kind: ExitNode
|
||||
metadata:
|
||||
name: uppy-exit-node
|
||||
namespace: futureporn
|
||||
spec:
|
||||
host: "{{ .Values.chisel.exitNodeIp }}"
|
||||
port: 9090
|
||||
auth: chisel
|
||||
{{ end }}
|
||||
|
||||
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: uppy-http
|
||||
namespace: futureporn
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`uppy.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: redirect
|
||||
namespace: futureporn
|
||||
services:
|
||||
- name: uppy
|
||||
namespace: futureporn
|
||||
port: 3020
|
||||
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: uppy-https
|
||||
namespace: futureporn
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`uppy.fp.sbtp.xyz`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: uppy
|
||||
namespace: futureporn
|
||||
port: 3020
|
||||
tls:
|
||||
secretName: uppy-tls
|
||||
|
||||
|
||||
# Welcome to Companion v4.15.1
|
||||
# ===================================
|
||||
|
||||
|
|
|
@ -1,3 +1,8 @@
|
|||
## values.yaml
|
||||
## this file is for development values only.
|
||||
## these values are loaded by Tilt.
|
||||
## For production values, see <PROJECT_ROOT>/flux/clusters/production
|
||||
|
||||
environment: development
|
||||
# storageClassName: csi-hostpath-sc # used by minikube
|
||||
storageClassName: standard # used by Kind
|
||||
|
@ -12,12 +17,12 @@ link2cid:
|
|||
next:
|
||||
imageName: fp/next
|
||||
hostname: next.fp.sbtp.xyz
|
||||
ingressClassName: traefik
|
||||
ingressClassName: nginx
|
||||
nodeExtraCaCerts: /app/letsencrypt-stg-root-x1.pem
|
||||
capture:
|
||||
imageName: fp/capture
|
||||
worker:
|
||||
replicas: 2
|
||||
replicas: 1
|
||||
api:
|
||||
port: 5003
|
||||
replicas: 1
|
||||
|
@ -27,30 +32,19 @@ mailbox:
|
|||
cdnBucketUrl: https://fp-dev.b-cdn.net
|
||||
s3BucketName: fp-dev
|
||||
port: 5000
|
||||
scout:
|
||||
replicas: 1
|
||||
imageName: fp/scout
|
||||
# worker:
|
||||
# imageName: fp/scout-
|
||||
# replicas: 1
|
||||
pubsubServerUrl: https://realtime.futureporn.svc.cluster.local/faye
|
||||
hostname: next.futureporn.svc.cluster.local
|
||||
cdnBucketUrl: https://fp-dev.b-cdn.net
|
||||
s3BucketName: fp-dev
|
||||
strapi:
|
||||
replicas: 1
|
||||
imageName: fp/strapi
|
||||
port: 1339
|
||||
url: https://strapi.fp.sbtp.xyz
|
||||
hostname: strapi.fp.sbtp.xyz
|
||||
# hostname: strapi.futureporn.svc.cluster.local ## https://gitea.futureporn.net/futureporn/pm/issues/126
|
||||
ingressClassName: traefik
|
||||
ingressClassName: nginx
|
||||
ngrok:
|
||||
hostname: grateful-engaging-cicada.ngrok-free.app
|
||||
realtime:
|
||||
imageName: fp/realtime
|
||||
adminEmail: cj@futureporn.net
|
||||
chisel:
|
||||
exitNodeIp: "155.138.254.201"
|
||||
echo:
|
||||
hostname: echo.fp.sbtp.xyz
|
||||
uppy:
|
||||
|
@ -72,10 +66,13 @@ bot:
|
|||
discordGuildId: "1084674137391374338"
|
||||
imageName: fp/bot
|
||||
replicas: 1
|
||||
# trigger:
|
||||
# imageName: ghcr.io/triggerdotdev/trigger.dev:self-host-rc.3
|
||||
# worker:
|
||||
# replicas: 1
|
||||
# webapp:
|
||||
# replicas: 1
|
||||
# hostname: trigger.fp.sbtp.xyz
|
||||
postgrest:
|
||||
image: postgrest/postgrest
|
||||
replicas: 1
|
||||
port: 9000
|
||||
schemas: api
|
||||
# postgresql:
|
||||
# image: postgres:16
|
||||
# replicas: 1
|
||||
# user: futureporn
|
||||
# port: 5432
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
# img folder
|
||||
img/
|
||||
# Changelog
|
||||
CHANGELOG.md
|
|
@ -0,0 +1,6 @@
|
|||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.20.5
|
||||
digest: sha256:5b98791747a148b9d4956b81bb8635f49a0ae831869d700d52e514b8fd1a2445
|
||||
generated: "2024-07-16T12:16:35.737563+02:00"
|
|
@ -0,0 +1,37 @@
|
|||
annotations:
|
||||
category: Database
|
||||
images: |
|
||||
- name: os-shell
|
||||
image: docker.io/bitnami/os-shell:12-debian-12-r24
|
||||
- name: postgres-exporter
|
||||
image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r36
|
||||
- name: postgresql
|
||||
image: docker.io/bitnami/postgresql:16.3.0-debian-12-r19
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 16.3.0
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
tags:
|
||||
- bitnami-common
|
||||
version: 2.x.x
|
||||
description: PostgreSQL (Postgres) is an open source object-relational database known
|
||||
for reliability and data integrity. ACID-compliant, it supports foreign keys, joins,
|
||||
views, triggers and stored procedures.
|
||||
home: https://bitnami.com
|
||||
icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
|
||||
keywords:
|
||||
- postgresql
|
||||
- postgres
|
||||
- database
|
||||
- sql
|
||||
- replication
|
||||
- cluster
|
||||
maintainers:
|
||||
- name: Broadcom, Inc. All Rights Reserved.
|
||||
url: https://github.com/bitnami/charts
|
||||
name: postgresql
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
|
||||
version: 15.5.17
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,117 @@
|
|||
CHART NAME: {{ .Chart.Name }}
|
||||
CHART VERSION: {{ .Chart.Version }}
|
||||
APP VERSION: {{ .Chart.AppVersion }}
|
||||
|
||||
** Please be patient while the chart is being deployed **
|
||||
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
|
||||
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
|
||||
|
||||
Get the list of pods by executing:
|
||||
|
||||
kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
|
||||
|
||||
Access the pod you want to debug by executing
|
||||
|
||||
kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash
|
||||
|
||||
In order to replicate the container startup scripts execute this command:
|
||||
|
||||
/opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh
|
||||
|
||||
{{- else }}
|
||||
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}}
|
||||
{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||
{{- if not $authEnabled }}
|
||||
|
||||
WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments.
|
||||
{{- end }}
|
||||
|
||||
PostgreSQL can be accessed via port {{ include "postgresql.v1.service.port" . }} on the following DNS names from within your cluster:
|
||||
|
||||
{{ include "postgresql.v1.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
|
||||
{{ include "postgresql.v1.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
|
||||
To get the password for "postgres" run:
|
||||
|
||||
export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.adminPasswordKey" .}}}" | base64 -d)
|
||||
{{- end }}
|
||||
|
||||
To get the password for "{{ $customUser }}" run:
|
||||
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.userPasswordKey" .}}}" | base64 -d)
|
||||
{{- else }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
|
||||
To get the password for "{{ default "postgres" $customUser }}" run:
|
||||
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.v1.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d)
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
To connect to your database run the following command:
|
||||
{{- if $authEnabled }}
|
||||
|
||||
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \
|
||||
--command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- else }}
|
||||
|
||||
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} \
|
||||
--command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- end }}
|
||||
|
||||
> NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist"
|
||||
|
||||
To connect to your database from outside the cluster execute the following commands:
|
||||
|
||||
{{- if contains "NodePort" .Values.primary.service.type }}
|
||||
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.v1.primary.fullname" . }})
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- else }}
|
||||
psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "LoadBalancer" .Values.primary.service.type }}
|
||||
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.v1.primary.fullname" . }}'
|
||||
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- else }}
|
||||
psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "ClusterIP" .Values.primary.service.type }}
|
||||
|
||||
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.v1.primary.fullname" . }} {{ include "postgresql.v1.service.port" . }}:{{ include "postgresql.v1.service.port" . }} &
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- else }}
|
||||
psql --host 127.0.0.1 -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue.
|
||||
|
||||
{{- include "postgresql.v1.validateValues" . -}}
|
||||
{{- include "common.warnings.rollingTag" .Values.image -}}
|
||||
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
|
||||
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }}
|
||||
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
|
|
@ -0,0 +1,417 @@
|
|||
{{/*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name for PostgreSQL Primary objects
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.fullname" -}}
|
||||
{{- if eq .Values.architecture "replication" -}}
|
||||
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- include "common.names.fullname" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name for PostgreSQL read-only replicas objects
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplica.fullname" -}}
|
||||
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the default FQDN for PostgreSQL primary headless service
|
||||
We truncate at 63 chars because of the DNS naming spec.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.svc.headless" -}}
|
||||
{{- printf "%s-hl" (include "postgresql.v1.primary.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the default FQDN for PostgreSQL read-only replicas headless service
|
||||
We truncate at 63 chars because of the DNS naming spec.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplica.svc.headless" -}}
|
||||
{{- printf "%s-hl" (include "postgresql.v1.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper PostgreSQL image name
|
||||
*/}}
|
||||
{{- define "postgresql.v1.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper PostgreSQL metrics image name
|
||||
*/}}
|
||||
{{- define "postgresql.v1.metrics.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper image name (for the init container volume-permissions image)
|
||||
*/}}
|
||||
{{- define "postgresql.v1.volumePermissions.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper Docker Image Registry Secret Names
|
||||
*/}}
|
||||
{{- define "postgresql.v1.imagePullSecrets" -}}
|
||||
{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "context" $) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the name for a custom user to create
|
||||
*/}}
|
||||
{{- define "postgresql.v1.username" -}}
|
||||
{{- if .Values.global.postgresql.auth.username -}}
|
||||
{{- .Values.global.postgresql.auth.username -}}
|
||||
{{- else -}}
|
||||
{{- .Values.auth.username -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the name for a custom database to create
|
||||
*/}}
|
||||
{{- define "postgresql.v1.database" -}}
|
||||
{{- if .Values.global.postgresql.auth.database -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}}
|
||||
{{- else if .Values.auth.database -}}
|
||||
{{- printf "%s" (tpl .Values.auth.database $) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the password secret.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.secretName" -}}
|
||||
{{- if .Values.global.postgresql.auth.existingSecret -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
|
||||
{{- else if .Values.auth.existingSecret -}}
|
||||
{{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s" (include "common.names.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the replication-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.replicationPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
|
||||
{{- else -}}
|
||||
{{- "replication-password" -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- "replication-password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the admin-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.adminPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.adminPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- "postgres-password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the user-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.userPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if or (empty (include "postgresql.v1.username" .)) (eq (include "postgresql.v1.username" .) "postgres") -}}
|
||||
{{- printf "%s" (include "postgresql.v1.adminPasswordKey" .) -}}
|
||||
{{- else -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.userPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- "password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a secret object should be created
|
||||
*/}}
|
||||
{{- define "postgresql.v1.createSecret" -}}
|
||||
{{- $customUser := include "postgresql.v1.username" . -}}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}}
|
||||
{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return PostgreSQL service port
|
||||
*/}}
|
||||
{{- define "postgresql.v1.service.port" -}}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- else -}}
|
||||
{{- .Values.primary.service.ports.postgresql -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return PostgreSQL service port
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplica.service.port" -}}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- else -}}
|
||||
{{- .Values.readReplicas.service.ports.postgresql -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the PostgreSQL primary configuration ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.configmapName" -}}
|
||||
{{- if .Values.primary.existingConfigmap -}}
|
||||
{{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created for PostgreSQL primary with the configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.createConfigmap" -}}
|
||||
{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the PostgreSQL primary extended configuration ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.extendedConfigmapName" -}}
|
||||
{{- if .Values.primary.existingExtendedConfigmap -}}
|
||||
{{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the PostgreSQL read replica extended configuration ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplicas.extendedConfigmapName" -}}
|
||||
{{- printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.createExtendedConfigmap" -}}
|
||||
{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplicas.createExtendedConfigmap" -}}
|
||||
{{- if .Values.readReplicas.extendedConfiguration -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "postgresql.v1.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap should be mounted with PostgreSQL configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.mountConfigurationCM" -}}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the pre-initialization scripts ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.preInitDb.scriptsCM" -}}
|
||||
{{- if .Values.primary.preInitDb.scriptsConfigMap -}}
|
||||
{{- printf "%s" (tpl .Values.primary.preInitDb.scriptsConfigMap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the initialization scripts ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.initdb.scriptsCM" -}}
|
||||
{{- if .Values.primary.initdb.scriptsConfigMap -}}
|
||||
{{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if TLS is enabled for LDAP connection
|
||||
*/}}
|
||||
{{- define "postgresql.v1.ldap.tls.enabled" -}}
|
||||
{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}}
|
||||
{{- true -}}
|
||||
{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the readiness probe command
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readinessProbeCommand" -}}
|
||||
{{- $customUser := include "postgresql.v1.username" . -}}
|
||||
- |
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- if contains "bitnami/" .Values.image.repository }}
|
||||
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Compile all warnings into a single message, and call fail.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.validateValues" -}}
|
||||
{{- $messages := list -}}
|
||||
{{- $messages := append $messages (include "postgresql.v1.validateValues.ldapConfigurationMethod" .) -}}
|
||||
{{- $messages := append $messages (include "postgresql.v1.validateValues.psp" .) -}}
|
||||
{{- $messages := without $messages "" -}}
|
||||
{{- $message := join "\n" $messages -}}
|
||||
|
||||
{{- if $message -}}
|
||||
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
|
||||
*/}}
|
||||
{{- define "postgresql.v1.validateValues.ldapConfigurationMethod" -}}
|
||||
{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}}
|
||||
postgresql: ldap.url, ldap.server
|
||||
You cannot set both `ldap.url` and `ldap.server` at the same time.
|
||||
Please provide a unique way to configure LDAP.
|
||||
More info at https://www.postgresql.org/docs/current/auth-ldap.html
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
|
||||
*/}}
|
||||
{{- define "postgresql.v1.validateValues.psp" -}}
|
||||
{{- if and .Values.psp.create (not .Values.rbac.create) -}}
|
||||
postgresql: psp.create, rbac.create
|
||||
RBAC should be enabled if PSP is enabled in order for PSP to work.
|
||||
More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCert" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}}
|
||||
{{- else -}}
|
||||
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the cert key file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCertKey" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/tls.key" -}}
|
||||
{{- else -}}
|
||||
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the CA cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCACert" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}}
|
||||
{{- else -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the CRL file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCRL" -}}
|
||||
{{- if .Values.tls.crlFilename -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a TLS credentials secret object should be created
|
||||
*/}}
|
||||
{{- define "postgresql.v1.createTlsSecret" -}}
|
||||
{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the CA cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsSecretName" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
|
||||
{{- else -}}
|
||||
{{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
|
@ -0,0 +1,138 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.backup.enabled }}
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- if $annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
schedule: {{ quote .Values.backup.cronjob.schedule }}
|
||||
{{- if .Values.backup.cronjob.timezone }}
|
||||
timeZone: {{ .Values.backup.cronjob.timezone | quote }}
|
||||
{{- end }}
|
||||
concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
|
||||
failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
|
||||
successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }}
|
||||
{{- if .Values.backup.cronjob.startingDeadlineSeconds }}
|
||||
startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }}
|
||||
{{- end }}
|
||||
jobTemplate:
|
||||
spec:
|
||||
{{- if .Values.backup.cronjob.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 12 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
{{- if $annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include "postgresql.v1.imagePullSecrets" . | nindent 10 }}
|
||||
{{- if .Values.backup.cronjob.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.nodeSelector "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.tolerations "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
env:
|
||||
- name: PGUSER
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
value: postgres
|
||||
{{- else }}
|
||||
value: {{ $customUser | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: PGPASSFILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: PGPASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
- name: PGHOST
|
||||
value: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
- name: PGPORT
|
||||
value: {{ include "postgresql.v1.service.port" . | quote }}
|
||||
- name: PGDUMP_DIR
|
||||
value: {{ .Values.backup.cronjob.storage.mountPath }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: PGSSLROOTCERT
|
||||
{{- if .Values.tls.autoGenerated }}
|
||||
value: /tmp/certs/ca.crt
|
||||
{{- else }}
|
||||
value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
|
||||
volumeMounts:
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.storage.enabled }}
|
||||
- name: datadir
|
||||
mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
|
||||
subPath: {{ .Values.backup.cronjob.storage.subPath }}
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.backup.cronjob.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.extraVolumeMounts "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.resources }}
|
||||
resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }}
|
||||
{{- else if ne .Values.backup.cronjob.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }}
|
||||
{{- end }}
|
||||
restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
|
||||
{{- if .Values.backup.cronjob.podSecurityContext.enabled }}
|
||||
securityContext:
|
||||
fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.storage.enabled }}
|
||||
{{- if .Values.backup.cronjob.storage.existingClaim }}
|
||||
- name: datadir
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }}
|
||||
{{- else }}
|
||||
- name: datadir
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if .Values.backup.cronjob.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.extraVolumes "context" $ ) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,32 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.backup.enabled .Values.backup.cronjob.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
policyTypes:
|
||||
- Egress
|
||||
egress:
|
||||
- ports:
|
||||
- port: 5432
|
||||
protocol: TCP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
{{- end }}
|
|
@ -0,0 +1,34 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.backup.enabled .Values.backup.cronjob.storage.enabled (not .Values.backup.cronjob.storage.existingClaim) -}}
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
{{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy }}
|
||||
annotations:
|
||||
{{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.storage.resourcePolicy }}
|
||||
helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.backup.cronjob.storage.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.backup.cronjob.storage.size | quote }}
|
||||
{{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- range .Values.extraDeploy }}
|
||||
---
|
||||
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,26 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- if .Values.primary.configuration }}
|
||||
postgresql.conf: |
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.pgHbaConfiguration }}
|
||||
pg_hba.conf: |
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
override.conf: |-
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,17 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
|
||||
{{- end }}
|
|
@ -0,0 +1,31 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.metrics.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
|
||||
{{- if .Values.metrics.service.clusterIP }}
|
||||
clusterIP: {{ .Values.metrics.service.clusterIP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
port: {{ .Values.metrics.service.ports.metrics }}
|
||||
targetPort: http-metrics
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- end }}
|
|
@ -0,0 +1,78 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.primary.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: primary
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- if .Values.primary.networkPolicy.allowExternalEgress }}
|
||||
egress:
|
||||
- {}
|
||||
{{- else }}
|
||||
egress:
|
||||
# Allow dns resolution
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
# Allow outbound connections to read-replicas
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
to:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.primary.networkPolicy.extraEgress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ingress:
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- end }}
|
||||
{{- if not .Values.primary.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{ template "postgresql.v1.primary.fullname" . }}-client: "true"
|
||||
{{- if .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.networkPolicy.extraIngress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,29 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.primary.pdb.create }}
|
||||
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.primary.pdb.minAvailable }}
|
||||
minAvailable: {{ .Values.primary.pdb.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.pdb.maxUnavailable ( not .Values.primary.pdb.minAvailable ) }}
|
||||
maxUnavailable: {{ .Values.primary.pdb.maxUnavailable | default 1 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- end }}
|
|
@ -0,0 +1,17 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.primary.preInitDb.scripts (not .Values.primary.preInitDb.scriptsConfigMap) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.preInitDb.scripts "context" .) | nindent 2 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,46 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.metrics.serviceMonitor.jobLabel }}
|
||||
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
endpoints:
|
||||
- port: http-metrics
|
||||
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
|
||||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
|
@ -0,0 +1,703 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if or .Values.commonAnnotations .Values.primary.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: 1
|
||||
serviceName: {{ include "postgresql.v1.primary.svc.headless" . }}
|
||||
{{- if .Values.primary.updateStrategy }}
|
||||
updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: primary
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if or (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }}
|
||||
annotations:
|
||||
{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
|
||||
checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
|
||||
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.primary.extraPodSpec }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
|
||||
automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
|
||||
{{- if .Values.primary.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.priorityClassName }}
|
||||
priorityClassName: {{ .Values.primary.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.schedulerName }}
|
||||
schedulerName: {{ .Values.primary.schedulerName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.primary.hostNetwork }}
|
||||
hostIPC: {{ .Values.primary.hostIPC }}
|
||||
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }}
|
||||
initContainers:
|
||||
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
|
||||
- name: copy-certs
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.primary.resources }}
|
||||
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
# We don't require a privileged container in this case
|
||||
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }}
|
||||
- name: init-chmod-data
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.volumePermissions.resources }}
|
||||
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
{{- if .Values.primary.persistence.enabled }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }}
|
||||
{{- else }}
|
||||
chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }}
|
||||
{{- end }}
|
||||
mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
|
||||
chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
|
||||
find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
|
||||
{{- else }}
|
||||
xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
chmod -R 777 /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
|
||||
{{- else }}
|
||||
chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
|
||||
{{- end }}
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- end }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: {{ .Values.primary.persistence.volumeName }}
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}
|
||||
{{- if .Values.primary.persistence.subPath }}
|
||||
subPath: {{ .Values.primary.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: postgresql
|
||||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
- name: POSTGRESQL_PORT_NUMBER
|
||||
value: {{ .Values.containerPorts.postgresql | quote }}
|
||||
- name: POSTGRESQL_VOLUME_DIR
|
||||
value: {{ .Values.primary.persistence.mountPath | quote }}
|
||||
{{- if .Values.primary.persistence.mountPath }}
|
||||
- name: PGDATA
|
||||
value: {{ .Values.postgresqlDataDir | quote }}
|
||||
{{- end }}
|
||||
# Authentication
|
||||
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: ALLOW_EMPTY_PASSWORD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_USER
|
||||
value: {{ $customUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- name: POSTGRES_DATABASE
|
||||
value: {{ (include "postgresql.v1.database" .) | quote }}
|
||||
{{- end }}
|
||||
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
|
||||
# Replication
|
||||
- name: POSTGRES_REPLICATION_MODE
|
||||
value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }}
|
||||
- name: POSTGRES_REPLICATION_USER
|
||||
value: {{ .Values.auth.replicationUsername | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if ne .Values.replication.synchronousCommit "off" }}
|
||||
- name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
|
||||
value: {{ .Values.replication.synchronousCommit | quote }}
|
||||
- name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
|
||||
value: {{ .Values.replication.numSynchronousReplicas | quote }}
|
||||
{{- end }}
|
||||
- name: POSTGRES_CLUSTER_APP_NAME
|
||||
value: {{ .Values.replication.applicationName }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.args }}
|
||||
# Initdb
|
||||
- name: POSTGRES_INITDB_ARGS
|
||||
value: {{ .Values.primary.initdb.args | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.postgresqlWalDir }}
|
||||
- name: POSTGRES_INITDB_WALDIR
|
||||
value: {{ .Values.primary.initdb.postgresqlWalDir | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.user }}
|
||||
- name: POSTGRES_INITSCRIPTS_USERNAME
|
||||
value: {{ .Values.primary.initdb.user }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.password }}
|
||||
- name: POSTGRES_INITSCRIPTS_PASSWORD
|
||||
value: {{ .Values.primary.initdb.password | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.standby.enabled }}
|
||||
# Standby
|
||||
- name: POSTGRES_MASTER_HOST
|
||||
value: {{ .Values.primary.standby.primaryHost }}
|
||||
- name: POSTGRES_MASTER_PORT_NUMBER
|
||||
value: {{ .Values.primary.standby.primaryPort | quote }}
|
||||
{{- end }}
|
||||
# LDAP
|
||||
- name: POSTGRESQL_ENABLE_LDAP
|
||||
value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
|
||||
{{- if .Values.ldap.enabled }}
|
||||
{{- if or .Values.ldap.url .Values.ldap.uri }}
|
||||
- name: POSTGRESQL_LDAP_URL
|
||||
value: {{ coalesce .Values.ldap.url .Values.ldap.uri }}
|
||||
{{- else }}
|
||||
- name: POSTGRESQL_LDAP_SERVER
|
||||
value: {{ .Values.ldap.server }}
|
||||
- name: POSTGRESQL_LDAP_PORT
|
||||
value: {{ .Values.ldap.port | quote }}
|
||||
- name: POSTGRESQL_LDAP_SCHEME
|
||||
value: {{ .Values.ldap.scheme }}
|
||||
{{- if (include "postgresql.v1.ldap.tls.enabled" .) }}
|
||||
- name: POSTGRESQL_LDAP_TLS
|
||||
value: "1"
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_LDAP_PREFIX
|
||||
value: {{ .Values.ldap.prefix | quote }}
|
||||
- name: POSTGRESQL_LDAP_SUFFIX
|
||||
value: {{ .Values.ldap.suffix | quote }}
|
||||
- name: POSTGRESQL_LDAP_BASE_DN
|
||||
value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }}
|
||||
- name: POSTGRESQL_LDAP_BIND_DN
|
||||
value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}}
|
||||
{{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }}
|
||||
- name: POSTGRESQL_LDAP_BIND_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: ldap-password
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_LDAP_SEARCH_ATTR
|
||||
value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }}
|
||||
- name: POSTGRESQL_LDAP_SEARCH_FILTER
|
||||
value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# TLS
|
||||
- name: POSTGRESQL_ENABLE_TLS
|
||||
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
|
||||
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
|
||||
- name: POSTGRESQL_TLS_CERT_FILE
|
||||
value: {{ include "postgresql.v1.tlsCert" . }}
|
||||
- name: POSTGRESQL_TLS_KEY_FILE
|
||||
value: {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- if .Values.tls.certCAFilename }}
|
||||
- name: POSTGRESQL_TLS_CA_FILE
|
||||
value: {{ include "postgresql.v1.tlsCACert" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.crlFilename }}
|
||||
- name: POSTGRESQL_TLS_CRL_FILE
|
||||
value: {{ include "postgresql.v1.tlsCRL" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Audit
|
||||
- name: POSTGRESQL_LOG_HOSTNAME
|
||||
value: {{ .Values.audit.logHostname | quote }}
|
||||
- name: POSTGRESQL_LOG_CONNECTIONS
|
||||
value: {{ .Values.audit.logConnections | quote }}
|
||||
- name: POSTGRESQL_LOG_DISCONNECTIONS
|
||||
value: {{ .Values.audit.logDisconnections | quote }}
|
||||
{{- if .Values.audit.logLinePrefix }}
|
||||
- name: POSTGRESQL_LOG_LINE_PREFIX
|
||||
value: {{ .Values.audit.logLinePrefix | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.logTimezone }}
|
||||
- name: POSTGRESQL_LOG_TIMEZONE
|
||||
value: {{ .Values.audit.logTimezone | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.pgAuditLog }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG
|
||||
value: {{ .Values.audit.pgAuditLog | quote }}
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
|
||||
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
|
||||
# Others
|
||||
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
|
||||
value: {{ .Values.audit.clientMinMessages | quote }}
|
||||
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
|
||||
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
|
||||
{{- if .Values.primary.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.primary.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ .Values.primary.extraEnvVarsCM }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ .Values.primary.extraEnvVarsSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
containerPort: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.primary.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- -e
|
||||
{{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.resources }}
|
||||
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/tmp
|
||||
subPath: app-tmp-dir
|
||||
{{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }}
|
||||
- name: custom-preinit-scripts
|
||||
mountPath: /docker-entrypoint-preinitdb.d/
|
||||
{{- end }}
|
||||
{{- if .Values.primary.preInitDb.scriptsSecret }}
|
||||
- name: custom-preinit-scripts-secret
|
||||
mountPath: /docker-entrypoint-preinitdb.d/secret
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
|
||||
- name: custom-init-scripts
|
||||
mountPath: /docker-entrypoint-initdb.d/
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.scriptsSecret }}
|
||||
- name: custom-init-scripts-secret
|
||||
mountPath: /docker-entrypoint-initdb.d/secret
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
|
||||
- name: postgresql-extended-config
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}/conf/conf.d/
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
- name: {{ .Values.primary.persistence.volumeName }}
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}
|
||||
{{- if .Values.primary.persistence.subPath }}
|
||||
subPath: {{ .Values.primary.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||
- name: postgresql-config
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}/conf
|
||||
{{- end }}
|
||||
{{- if .Values.primary.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- name: metrics
|
||||
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if or .Values.metrics.customMetrics .Values.metrics.collectors }}
|
||||
args:
|
||||
{{- if .Values.metrics.customMetrics }}
|
||||
- --extend.query-path
|
||||
- /conf/custom-metrics.yaml
|
||||
{{- end }}
|
||||
{{- range $name, $enabled := .Values.metrics.collectors }}
|
||||
- --{{ if not $enabled }}no-{{ end }}collector.{{ $name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: DATA_SOURCE_URI
|
||||
value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }}
|
||||
{{- $pwdKey := ternary (include "postgresql.v1.adminPasswordKey" .) (include "postgresql.v1.userPasswordKey" .) (or (eq $customUser "postgres") (empty $customUser)) }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: DATA_SOURCE_PASS_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" $pwdKey }}
|
||||
{{- else }}
|
||||
- name: DATA_SOURCE_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ $pwdKey }}
|
||||
{{- end }}
|
||||
- name: DATA_SOURCE_USER
|
||||
value: {{ default "postgres" $customUser | quote }}
|
||||
{{- if .Values.metrics.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.metrics.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
mountPath: /conf
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||
- name: postgresql-config
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.primary.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
|
||||
- name: postgresql-extended-config
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.primary.extendedConfigmapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }}
|
||||
- name: custom-preinit-scripts
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.preInitDb.scriptsCM" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.preInitDb.scriptsSecret }}
|
||||
- name: custom-preinit-scripts-secret
|
||||
secret:
|
||||
secretName: {{ tpl .Values.primary.preInitDb.scriptsSecret $ }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
|
||||
- name: custom-init-scripts
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.initdb.scriptsCM" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.scriptsSecret }}
|
||||
- name: custom-init-scripts-secret
|
||||
secret:
|
||||
secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||
- name: postgresql-certificates
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
configMap:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
{{- if .Values.shmVolume.sizeLimit }}
|
||||
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
|
||||
- name: {{ .Values.primary.persistence.volumeName }}
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ tpl .Values.primary.persistence.existingClaim $ }}
|
||||
{{- else if not .Values.primary.persistence.enabled }}
|
||||
- name: {{ .Values.primary.persistence.volumeName }}
|
||||
emptyDir: {}
|
||||
{{- else }}
|
||||
{{- if .Values.primary.persistentVolumeClaimRetentionPolicy.enabled }}
|
||||
persistentVolumeClaimRetentionPolicy:
|
||||
whenDeleted: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenDeleted }}
|
||||
whenScaled: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenScaled }}
|
||||
{{- end }}
|
||||
volumeClaimTemplates:
|
||||
- apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: {{ .Values.primary.persistence.volumeName }}
|
||||
{{- if .Values.primary.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.persistence.labels }}
|
||||
labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.primary.persistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.persistence.dataSource }}
|
||||
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.primary.persistence.size | quote }}
|
||||
{{- if .Values.primary.persistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,31 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.svc.headless" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
annotations:
|
||||
{{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
# We want all pods in the StatefulSet to have their addresses published for
|
||||
# the sake of the other Postgresql pods even before they're ready, since they
|
||||
# have to be able to talk to each other in order to become ready.
|
||||
publishNotReadyAddresses: true
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ template "postgresql.v1.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
|
@ -0,0 +1,54 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if or .Values.commonAnnotations .Values.primary.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.primary.service.type }}
|
||||
{{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }}
|
||||
externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }}
|
||||
loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges | toJson}}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerClass)) }}
|
||||
loadBalancerClass: {{ .Values.primary.service.loadBalancerClass }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }}
|
||||
loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
|
||||
clusterIP: {{ .Values.primary.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.service.sessionAffinity }}
|
||||
sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.service.sessionAffinityConfig }}
|
||||
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ template "postgresql.v1.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }}
|
||||
nodePort: {{ .Values.primary.service.nodePorts.postgresql }}
|
||||
{{- else if eq .Values.primary.service.type "ClusterIP" }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
{{- if .Values.primary.service.extraPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
|
@ -0,0 +1,22 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
groups:
|
||||
- name: {{ include "common.names.fullname" . }}
|
||||
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,42 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'secret'
|
||||
- 'persistentVolumeClaim'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
override.conf: |-
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
|
||||
{{- end }}
|
|
@ -0,0 +1,31 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics-read
|
||||
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
|
||||
{{- if .Values.metrics.service.clusterIP }}
|
||||
clusterIP: {{ .Values.metrics.service.clusterIP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
port: {{ .Values.metrics.service.ports.metrics }}
|
||||
targetPort: http-metrics
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- end }}
|
|
@ -0,0 +1,80 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- if .Values.readReplicas.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: read
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
|
||||
egress:
|
||||
- {}
|
||||
{{- else }}
|
||||
egress:
|
||||
# Allow dns resolution
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
# Allow outbound connections to primary
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
to:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.readReplicas.networkPolicy.extraEgress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ingress:
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- end }}
|
||||
{{- if not .Values.readReplicas.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{ template "postgresql.v1.readReplica.fullname" . }}-client: "true"
|
||||
{{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.networkPolicy.extraIngress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,29 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and ( eq .Values.architecture "replication" ) .Values.readReplicas.pdb.create }}
|
||||
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.readReplicas.pdb.minAvailable }}
|
||||
minAvailable: {{ .Values.readReplicas.pdb.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if or .Values.readReplicas.pdb.maxUnavailable ( not .Values.readReplicas.pdb.minAvailable ) }}
|
||||
maxUnavailable: {{ .Values.readReplicas.pdb.maxUnavailable | default 1 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- end }}
|
|
@ -0,0 +1,46 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics-read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.metrics.serviceMonitor.jobLabel }}
|
||||
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: metrics-read
|
||||
endpoints:
|
||||
- port: http-metrics
|
||||
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
|
||||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
|
@ -0,0 +1,578 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if or .Values.commonAnnotations .Values.readReplicas.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.readReplicas.replicaCount }}
|
||||
serviceName: {{ include "postgresql.v1.readReplica.svc.headless" . }}
|
||||
{{- if .Values.readReplicas.updateStrategy }}
|
||||
updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: read
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if or (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }}
|
||||
annotations:
|
||||
{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
|
||||
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.readReplicas.extraPodSpec }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
|
||||
automountServiceAccountToken: {{ .Values.readReplicas.automountServiceAccountToken }}
|
||||
{{- if .Values.readReplicas.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.priorityClassName }}
|
||||
priorityClassName: {{ .Values.readReplicas.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.schedulerName }}
|
||||
schedulerName: {{ .Values.readReplicas.schedulerName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.readReplicas.hostNetwork }}
|
||||
hostIPC: {{ .Values.readReplicas.hostIPC }}
|
||||
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }}
|
||||
initContainers:
|
||||
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
|
||||
- name: copy-certs
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
# We don't require a privileged container in this case
|
||||
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }}
|
||||
- name: init-chmod-data
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
{{- if .Values.readReplicas.persistence.enabled }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- else }}
|
||||
chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- end }}
|
||||
mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
|
||||
chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
|
||||
find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
|
||||
{{- else }}
|
||||
xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
chmod -R 777 /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
|
||||
{{- else }}
|
||||
chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
|
||||
{{- end }}
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- end }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: data
|
||||
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- if .Values.readReplicas.persistence.subPath }}
|
||||
subPath: {{ .Values.readReplicas.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: postgresql
|
||||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
- name: POSTGRESQL_PORT_NUMBER
|
||||
value: {{ .Values.containerPorts.postgresql | quote }}
|
||||
- name: POSTGRESQL_VOLUME_DIR
|
||||
value: {{ .Values.readReplicas.persistence.mountPath | quote }}
|
||||
{{- if .Values.readReplicas.persistence.mountPath }}
|
||||
- name: PGDATA
|
||||
value: {{ .Values.postgresqlDataDir | quote }}
|
||||
{{- end }}
|
||||
# Authentication
|
||||
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: ALLOW_EMPTY_PASSWORD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_USER
|
||||
value: {{ $customUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Replication
|
||||
- name: POSTGRES_REPLICATION_MODE
|
||||
value: "slave"
|
||||
- name: POSTGRES_REPLICATION_USER
|
||||
value: {{ .Values.auth.replicationUsername | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
||||
{{- end }}
|
||||
- name: POSTGRES_CLUSTER_APP_NAME
|
||||
value: {{ .Values.replication.applicationName }}
|
||||
- name: POSTGRES_MASTER_HOST
|
||||
value: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
- name: POSTGRES_MASTER_PORT_NUMBER
|
||||
value: {{ include "postgresql.v1.service.port" . | quote }}
|
||||
# TLS
|
||||
- name: POSTGRESQL_ENABLE_TLS
|
||||
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
|
||||
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
|
||||
- name: POSTGRESQL_TLS_CERT_FILE
|
||||
value: {{ include "postgresql.v1.tlsCert" . }}
|
||||
- name: POSTGRESQL_TLS_KEY_FILE
|
||||
value: {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- if .Values.tls.certCAFilename }}
|
||||
- name: POSTGRESQL_TLS_CA_FILE
|
||||
value: {{ include "postgresql.v1.tlsCACert" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.crlFilename }}
|
||||
- name: POSTGRESQL_TLS_CRL_FILE
|
||||
value: {{ include "postgresql.v1.tlsCRL" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Audit
|
||||
- name: POSTGRESQL_LOG_HOSTNAME
|
||||
value: {{ .Values.audit.logHostname | quote }}
|
||||
- name: POSTGRESQL_LOG_CONNECTIONS
|
||||
value: {{ .Values.audit.logConnections | quote }}
|
||||
- name: POSTGRESQL_LOG_DISCONNECTIONS
|
||||
value: {{ .Values.audit.logDisconnections | quote }}
|
||||
{{- if .Values.audit.logLinePrefix }}
|
||||
- name: POSTGRESQL_LOG_LINE_PREFIX
|
||||
value: {{ .Values.audit.logLinePrefix | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.logTimezone }}
|
||||
- name: POSTGRESQL_LOG_TIMEZONE
|
||||
value: {{ .Values.audit.logTimezone | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.pgAuditLog }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG
|
||||
value: {{ .Values.audit.pgAuditLog | quote }}
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
|
||||
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
|
||||
# Others
|
||||
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
|
||||
value: {{ .Values.audit.clientMinMessages | quote }}
|
||||
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
|
||||
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
|
||||
{{- if .Values.readReplicas.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.readReplicas.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ .Values.readReplicas.extraEnvVarsCM }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ .Values.readReplicas.extraEnvVarsSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
containerPort: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.readReplicas.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- -e
|
||||
{{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/tmp
|
||||
subPath: app-tmp-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.extendedConfiguration }}
|
||||
- name: postgresql-extended-config
|
||||
mountPath: {{ .Values.readReplicas.persistence.mountPath }}/conf/conf.d/
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
- name: data
|
||||
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- if .Values.readReplicas.persistence.subPath }}
|
||||
subPath: {{ .Values.readReplicas.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- name: metrics
|
||||
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.customMetrics }}
|
||||
args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ]
|
||||
{{- end }}
|
||||
env:
|
||||
- name: DATA_SOURCE_URI
|
||||
value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: DATA_SOURCE_PASS_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: DATA_SOURCE_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
- name: DATA_SOURCE_USER
|
||||
value: {{ default "postgres" $customUser | quote }}
|
||||
{{- if .Values.metrics.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.metrics.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
mountPath: /conf
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if .Values.readReplicas.extendedConfiguration }}
|
||||
- name: postgresql-extended-config
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.readReplicas.extendedConfigmapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||
- name: postgresql-certificates
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
configMap:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
{{- if .Values.shmVolume.sizeLimit }}
|
||||
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if .Values.readReplicas.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }}
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }}
|
||||
{{- else if not .Values.readReplicas.persistence.enabled }}
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
{{- else }}
|
||||
{{- if .Values.readReplicas.persistentVolumeClaimRetentionPolicy.enabled }}
|
||||
persistentVolumeClaimRetentionPolicy:
|
||||
whenDeleted: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted }}
|
||||
whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }}
|
||||
{{- end }}
|
||||
volumeClaimTemplates:
|
||||
- apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: data
|
||||
{{- if .Values.readReplicas.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.persistence.labels }}
|
||||
labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.readReplicas.persistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.persistence.dataSource }}
|
||||
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.readReplicas.persistence.size | quote }}
|
||||
{{- if .Values.readReplicas.persistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,33 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.svc.headless" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
annotations:
|
||||
{{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
# We want all pods in the StatefulSet to have their addresses published for
|
||||
# the sake of the other Postgresql pods even before they're ready, since they
|
||||
# have to be able to talk to each other in order to become ready.
|
||||
publishNotReadyAddresses: true
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ include "postgresql.v1.readReplica.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- end }}
|
|
@ -0,0 +1,56 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.readReplicas.service.type }}
|
||||
{{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }}
|
||||
externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }}
|
||||
loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerClass)) }}
|
||||
loadBalancerClass: {{ .Values.readReplicas.service.loadBalancerClass }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }}
|
||||
loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }}
|
||||
clusterIP: {{ .Values.readReplicas.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.service.sessionAffinity }}
|
||||
sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.service.sessionAffinityConfig }}
|
||||
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ include "postgresql.v1.readReplica.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }}
|
||||
nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }}
|
||||
{{- else if eq .Values.readReplicas.service.type "ClusterIP" }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.service.extraPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- end }}
|
|
@ -0,0 +1,32 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: Role
|
||||
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
# yamllint disable rule:indentation
|
||||
rules:
|
||||
{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
|
||||
- apiGroups:
|
||||
- 'policy'
|
||||
resources:
|
||||
- 'podsecuritypolicies'
|
||||
verbs:
|
||||
- 'use'
|
||||
resourceNames:
|
||||
- {{ include "common.names.fullname" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.rbac.rules }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
|
||||
{{- end }}
|
||||
# yamllint enable rule:indentation
|
||||
{{- end }}
|
|
@ -0,0 +1,24 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: RoleBinding
|
||||
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
|
@ -0,0 +1,99 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $host := include "postgresql.v1.primary.fullname" . }}
|
||||
{{- $port := include "postgresql.v1.service.port" . }}
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }}
|
||||
{{- $postgresPassword = randAlphaNum 10 }}
|
||||
{{- end }}
|
||||
{{- $replicationPassword := "" }}
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- end }}
|
||||
{{- $ldapPassword := "" }}
|
||||
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
|
||||
{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }}
|
||||
{{- end }}
|
||||
{{- $password := "" }}
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- end }}
|
||||
{{- $database := include "postgresql.v1.database" . }}
|
||||
{{- if (include "postgresql.v1.createSecret" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if $postgresPassword }}
|
||||
postgres-password: {{ $postgresPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if $password }}
|
||||
password: {{ $password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if $replicationPassword }}
|
||||
replication-password: {{ $replicationPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
# We don't auto-generate LDAP password when it's not provided as we do for other passwords
|
||||
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
|
||||
ldap-password: {{ $ldapPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceBindings.enabled }}
|
||||
{{- if $postgresPassword }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-svcbind-postgres
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/postgresql
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "postgresql" | b64enc | quote }}
|
||||
host: {{ $host | b64enc | quote }}
|
||||
port: {{ $port | b64enc | quote }}
|
||||
username: {{ print "postgres" | b64enc | quote }}
|
||||
database: {{ print "postgres" | b64enc | quote }}
|
||||
password: {{ $postgresPassword | b64enc | quote }}
|
||||
uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if $password }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-svcbind-custom-user
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/postgresql
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "postgresql" | b64enc | quote }}
|
||||
host: {{ $host | b64enc | quote }}
|
||||
port: {{ $port | b64enc | quote }}
|
||||
username: {{ $customUser | b64enc | quote }}
|
||||
password: {{ $password | b64enc | quote }}
|
||||
{{- if $database }}
|
||||
database: {{ $database | b64enc | quote }}
|
||||
{{- end }}
|
||||
uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue