From dc75f3e0ccc5c8dc4a6a33bd8e8d7a2177d2a616 Mon Sep 17 00:00:00 2001 From: Michael Simmons Date: Tue, 11 Aug 2020 11:42:41 -0600 Subject: [PATCH 1/7] Added cert-manager --- .DS_Store | Bin 0 -> 6148 bytes stable/.DS_Store | Bin 0 -> 6148 bytes stable/cert-manager/00-crds.yaml | 5354 +++++++++++++++++ stable/cert-manager/BUILD.bazel | 67 + stable/cert-manager/Chart.yaml | 18 + stable/cert-manager/IRONBANK.md.gotmpl | 28 + stable/cert-manager/README-original.md | 153 + stable/cert-manager/README.md | 92 + stable/cert-manager/README.template.md | 184 + stable/cert-manager/templates/BUILD.bazel | 52 + stable/cert-manager/templates/NOTES.txt | 15 + stable/cert-manager/templates/_helpers.tpl | 128 + .../templates/cainjector-deployment.yaml | 86 + .../templates/cainjector-psp-clusterrole.yaml | 21 + .../cainjector-psp-clusterrolebinding.yaml | 23 + .../templates/cainjector-psp.yaml | 52 + .../templates/cainjector-rbac.yaml | 111 + .../templates/cainjector-serviceaccount.yaml | 23 + stable/cert-manager/templates/deployment.yaml | 156 + .../templates/psp-clusterrole.yaml | 19 + .../templates/psp-clusterrolebinding.yaml | 21 + stable/cert-manager/templates/psp.yaml | 50 + stable/cert-manager/templates/rbac.yaml | 450 ++ stable/cert-manager/templates/service.yaml | 24 + .../templates/serviceaccount.yaml | 21 + .../templates/servicemonitor.yaml | 37 + .../templates/webhook-deployment.yaml | 108 + .../templates/webhook-mutating-webhook.yaml | 44 + .../templates/webhook-psp-clusterrole.yaml | 19 + .../webhook-psp-clusterrolebinding.yaml | 21 + .../cert-manager/templates/webhook-psp.yaml | 50 + .../cert-manager/templates/webhook-rbac.yaml | 49 + .../templates/webhook-service.yaml | 22 + .../templates/webhook-serviceaccount.yaml | 21 + .../templates/webhook-validating-webhook.yaml | 54 + stable/cert-manager/values-ironbank.yaml | 311 + stable/cert-manager/values.yaml | 308 + 37 files changed, 8192 insertions(+) create mode 100644 .DS_Store create mode 100644 stable/.DS_Store create mode 100644 stable/cert-manager/00-crds.yaml create mode 100644 stable/cert-manager/BUILD.bazel create mode 100644 stable/cert-manager/Chart.yaml create mode 100644 stable/cert-manager/IRONBANK.md.gotmpl create mode 100644 stable/cert-manager/README-original.md create mode 100644 stable/cert-manager/README.md create mode 100644 stable/cert-manager/README.template.md create mode 100644 stable/cert-manager/templates/BUILD.bazel create mode 100644 stable/cert-manager/templates/NOTES.txt create mode 100644 stable/cert-manager/templates/_helpers.tpl create mode 100644 stable/cert-manager/templates/cainjector-deployment.yaml create mode 100644 stable/cert-manager/templates/cainjector-psp-clusterrole.yaml create mode 100644 stable/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml create mode 100644 stable/cert-manager/templates/cainjector-psp.yaml create mode 100644 stable/cert-manager/templates/cainjector-rbac.yaml create mode 100644 stable/cert-manager/templates/cainjector-serviceaccount.yaml create mode 100644 stable/cert-manager/templates/deployment.yaml create mode 100644 stable/cert-manager/templates/psp-clusterrole.yaml create mode 100644 stable/cert-manager/templates/psp-clusterrolebinding.yaml create mode 100644 stable/cert-manager/templates/psp.yaml create mode 100644 stable/cert-manager/templates/rbac.yaml create mode 100644 stable/cert-manager/templates/service.yaml create mode 100644 stable/cert-manager/templates/serviceaccount.yaml create mode 100644 stable/cert-manager/templates/servicemonitor.yaml create mode 100644 stable/cert-manager/templates/webhook-deployment.yaml create mode 100644 stable/cert-manager/templates/webhook-mutating-webhook.yaml create mode 100644 stable/cert-manager/templates/webhook-psp-clusterrole.yaml create mode 100644 stable/cert-manager/templates/webhook-psp-clusterrolebinding.yaml create mode 100644 stable/cert-manager/templates/webhook-psp.yaml create mode 100644 stable/cert-manager/templates/webhook-rbac.yaml create mode 100644 stable/cert-manager/templates/webhook-service.yaml create mode 100644 stable/cert-manager/templates/webhook-serviceaccount.yaml create mode 100644 stable/cert-manager/templates/webhook-validating-webhook.yaml create mode 100644 stable/cert-manager/values-ironbank.yaml create mode 100644 stable/cert-manager/values.yaml diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..75397b431e5086fc81704bb7e91b8ad64901ce61 GIT binary patch literal 6148 zcmeHKO>Wab6n@i&)Cr2n0;yekgTx|=QVJ~yRdUmG(FGF12o``^8(YN4^;EV~tAteE z^bUm^a1>6!K{x<>^OLG}UHo~Yq2eQMtihFBYFbt<6H@9j4w4t z2Q!EGDo!U@C5PXq_mrWX)R+JWqa@(PkWZ2zlk>Q0z_MCa>!7DJbuXW!r0oXuL+ z>YerN{llZv57Upcvrk9}#&BRuyQOgspW#%JJaN+`=E*zs&pGp0gV$OC{c~D3uXPsY zke_QXxiQOi_V~%JdV1DLVRX z9p`8)6)HM0{rF&dWu{*!OsRW2q25F!M)1%3vy^ Iz+YA1C(B8qNB{r; literal 0 HcmV?d00001 diff --git a/stable/.DS_Store b/stable/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..4f2d5025376f082c716f08cf8fdd86cdcf0980b2 GIT binary patch literal 6148 zcmeHK!EVz)5S?vO;-pkW6;gBb1&KoJ^m{}sFbWt2)=dHacCS*Od`c*z{P&BI<1p^KVeEp#3&ef+&0o^c z`$wERNk=;FyE_VlG;6nih>cQt^Ge0CYF2H#_OdsKC%w$c#%b3{p7YgXCmXoB|0IsX zzkSDj8u*iw`t^r#lsQ4 z-8-|UJv}^ZH|^W|2eVn#+P$&&;P`a-?)~(`?Bf?XB@$T3q+Qea2fm`SQYbI&hb~HH z@=DU%UJ`|I#495|qyp7rsP2=86*Dbp{SAz~)+MlfI$vao-2$tEbvME4`%10C1@@-` zdxzf8m|Wy-QHo#RfpdR|Hbb5O6&C6eKMOfF!46P=K=IgJonyV1&jihuK=$PHk`4eajsA<9cbhc09eMbH1zqe z0>{`II~wN-aR(+;C{Tq8eZ&wd9OJg;bu`Wus&Eqe@FDb*g+8GO`E=yBC7nb^p=pf* zMu9~IO6s!C`~RcW=l{hZb7d4T3j9|Ji1JbIsEaA-y>)4Fyw}?BQ#c#*<_cv98oeFM g4sXQ`xHR0exdZHIoGZi#%={6MGML6FaH$IX1|$dUcK`qY literal 0 HcmV?d00001 diff --git a/stable/cert-manager/00-crds.yaml b/stable/cert-manager/00-crds.yaml new file mode 100644 index 0000000..1991301 --- /dev/null +++ b/stable/cert-manager/00-crds.yaml @@ -0,0 +1,5354 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: challenges.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME + server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting RFC2136. + Required. Note: FQDN is not a valid value, only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` + are defined. Supported values are (case-insensitive): + ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or + ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If + ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is required. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + resources. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. If labels or annotations overlap + with in-built values, the values here will override + the in-built values. + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - dnsName + - issuerRef + - key + - token + - type + - url + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: orders.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. http-01, dns-01 + type: string + url: + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: certificaterequests.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertificateRequest is a type to represent a Certificate Signing + Request + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateRequestSpec defines the desired state of CertificateRequest + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + format: byte + type: string + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + type: object + status: + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + format: byte + type: string + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + format: byte + type: string + conditions: + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: certificates.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Certificate is a type to represent a Certificate from ACME + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN + to be valid. + properties: + commonName: + description: CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will be + used by default. + enum: + - pkcs1 + - pkcs8 + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + items: + type: string + type: array + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + items: + description: CertificateCondition contains condition information for + an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: clusterissuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be `/v1/auth/foo/login`. + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: issuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be `/v1/auth/foo/login`. + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- diff --git a/stable/cert-manager/BUILD.bazel b/stable/cert-manager/BUILD.bazel new file mode 100644 index 0000000..be9a5da --- /dev/null +++ b/stable/cert-manager/BUILD.bazel @@ -0,0 +1,67 @@ +package(default_visibility = ["//visibility:public"]) + +load("@io_k8s_repo_infra//defs:pkg.bzl", "pkg_tar") +load("//build:helm.bzl", "helm_pkg") + +pkg_tar( + name = "release-tar", + srcs = [ + ":cert-manager", + ], + extension = "tar.gz", + mode = "0644", + package_dir = "chart", + strip_prefix = ".", +) + +helm_pkg( + name = "cert-manager", + srcs = ["//deploy/charts/cert-manager/templates:chart-srcs"], + chart_name = "cert-manager", + chart_yaml = ":Chart.yaml", + readme_file = ":README.md", + tpl_files = [ + "//deploy/charts/cert-manager/templates:_helpers.tpl", + ], + values_yaml = ":values.yaml", +) + +genrule( + name = "README", + srcs = [ + "README.template.md", + "//:version", + ], + outs = ["README.md"], + cmd = "cat $(location README.template.md) | sed -e \"s:{{RELEASE_VERSION}}:$$(cat $(location //:version)):g\" > $@", + stamp = 1, + visibility = ["//visibility:public"], +) + +filegroup( + name = "chart-srcs", + srcs = ["//deploy/charts/cert-manager/templates:chart-srcs"] + glob( + [ + ".helmignore", + "Chart.yaml", + "README.md", + "values.yaml", + ], + ), +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [ + ":package-srcs", + "//deploy/charts/cert-manager/templates:all-srcs", + ], + tags = ["automanaged"], +) diff --git a/stable/cert-manager/Chart.yaml b/stable/cert-manager/Chart.yaml new file mode 100644 index 0000000..877acaa --- /dev/null +++ b/stable/cert-manager/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +name: cert-manager +# The version and appVersion fields are set automatically by the release tool +version: v0.1.0 +appVersion: v0.1.0 +description: A Helm chart for cert-manager +home: https://github.com/jetstack/cert-manager +icon: https://raw.githubusercontent.com/jetstack/cert-manager/master/logo/logo.png +keywords: + - cert-manager + - kube-lego + - letsencrypt + - tls +sources: + - https://github.com/jetstack/cert-manager +maintainers: + - name: munnerz + email: james@jetstack.io diff --git a/stable/cert-manager/IRONBANK.md.gotmpl b/stable/cert-manager/IRONBANK.md.gotmpl new file mode 100644 index 0000000..5d1b08b --- /dev/null +++ b/stable/cert-manager/IRONBANK.md.gotmpl @@ -0,0 +1,28 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +Version: {{ template "chart.version" . }} + +## Introduction + +This repository tracks the upstream [stable/cert-manager](https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager) Helm chart. + +A `values-ironbank.yaml` file is included with required parameters for deployment. + +- Uses Ironbank images + +Reference the original [README](./README-original.md) for additional instructions. + +## Prerequisites + +* Install cert-manager CRDs **before** installing the cert-manager Helm chart. `kubectl apply -f ./00-crds.yaml` + +## Installation + +```shell +helm install ./ --generate-name --namespace cert-manager -f values-ironbank.yaml +``` + +## Configuration + +{{ template "chart.valuesTable" . }} diff --git a/stable/cert-manager/README-original.md b/stable/cert-manager/README-original.md new file mode 100644 index 0000000..3416642 --- /dev/null +++ b/stable/cert-manager/README-original.md @@ -0,0 +1,153 @@ +# cert-manager + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +## Prerequisites + +- Kubernetes 1.7+ + +## Installing the Chart + +Full installation instructions, including details on how to configure extra +functionality in cert-manager can be found in the [getting started docs](https://docs.cert-manager.io/en/latest/getting-started/). + +To install the chart with the release name `my-release`: + +```console +## IMPORTANT: you MUST install the cert-manager CRDs **before** installing the +## cert-manager Helm chart +$ kubectl apply \ + -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml + +## If you are installing on openshift : +$ oc create \ + -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml + +## Add the Jetstack Helm repository +$ helm repo add jetstack https://charts.jetstack.io + + +## Install the cert-manager helm chart +$ helm install --name my-release --namespace cert-manager jetstack/cert-manager +``` + +In order to begin issuing certificates, you will need to set up a ClusterIssuer +or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). + +More information on the different types of issuers and how to configure them +can be found in our documentation: + +https://docs.cert-manager.io/en/latest/tasks/issuers/index.html + +For information on how to configure cert-manager to automatically provision +Certificates for Ingress resources, take a look at the `ingress-shim` +documentation: + +https://docs.cert-manager.io/en/latest/tasks/issuing-certificates/ingress-shim.html + +> **Tip**: List all releases using `helm list` + +## Upgrading the Chart + +Special considerations may be required when upgrading the Helm chart, and these +are documented in our full [upgrading guide](https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html). +Please check here before perform upgrades! + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the cert-manager chart and their default values. + +| Parameter | Description | Default | +| --------- | ----------- | ------- | +| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` | +| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` | +| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` | +| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` | +| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` | +| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | +| `image.tag` | Image tag | `v0.11.0` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `replicaCount` | Number of cert-manager replicas | `1` | +| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | +| `extraArgs` | Optional flags for cert-manager | `[]` | +| `extraEnv` | Optional environment variables for cert-manager | `[]` | +| `serviceAccount.create` | If `true`, create a new service account | `true` | +| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `serviceAccount.annotations` | Annotations to add to the service account | | +| `resources` | CPU/memory resource requests/limits | `{}` | +| `securityContext.enabled` | Enable security context | `false` | +| `securityContext.fsGroup` | Group ID for the container | `1001` | +| `securityContext.runAsUser` | User ID for the container | `1001` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Node affinity for pod assignment | `{}` | +| `tolerations` | Node tolerations for pod assignment | `[]` | +| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | | +| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | | +| `ingressShim.defaultACMEChallengeType` | Optional default challenge type to use for ingresses using ACME issuers | | +| `ingressShim.defaultACMEDNS01ChallengeProvider` | Optional default DNS01 challenge provider to use for ingresses using ACME issuers with DNS01 | | +| `prometheus.enabled` | Enable Prometheus monitoring | `true` | +| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` | +| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) | +| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` | +| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` | +| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` | +| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` | +| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | | +| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | +| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` | +| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | | +| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | | +| `podLabels` | Labels to add to the cert-manager pod | `{}` | +| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | | +| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | | +| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | | +| `webhook.enabled` | Toggles whether the validating webhook component should be installed | `true` | +| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` | +| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` | +| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` | +| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` | +| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` | +| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` | +| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` | +| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | +| `webhook.image.tag` | Webhook image tag | `v0.11.0` | +| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | +| `webhook.injectAPIServerCA` | if true, the apiserver's CABundle will be automatically injected into the ValidatingWebhookConfiguration resource | `true` | +| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` | +| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` | +| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` | +| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` | +| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` | +| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` | +| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` | +| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` | +| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | +| `cainjector.image.tag` | cainjector image tag | `v0.11.0` | +| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install --name my-release -f values.yaml . +``` +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Contributing + +This chart is maintained at [github.com/jetstack/cert-manager](https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager). diff --git a/stable/cert-manager/README.md b/stable/cert-manager/README.md new file mode 100644 index 0000000..d3735e6 --- /dev/null +++ b/stable/cert-manager/README.md @@ -0,0 +1,92 @@ +cert-manager +============ +A Helm chart for cert-manager + +Version: v0.1.0 + +## Introduction + +This repository tracks the upstream [stable/cert-manager](https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager) Helm chart. + +A `values-ironbank.yaml` file is included with required parameters for deployment. + +- Uses Ironbank images + +Reference the original [README](./README-original.md) for additional instructions. + +## Prerequisites + +* Install cert-manager CRDs **before** installing the cert-manager Helm chart. `kubectl apply -f ./00-crds.yaml` + +## Installation + +```shell +helm install ./ --generate-name --namespace cert-manager -f values-ironbank.yaml +``` + +## Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| cainjector.affinity | object | `{}` | | +| cainjector.containerSecurityContext | object | `{}` | | +| cainjector.enabled | bool | `true` | | +| cainjector.extraArgs | list | `[]` | | +| cainjector.image.pullPolicy | string | `"IfNotPresent"` | | +| cainjector.image.repository | string | `"quay.io/jetstack/cert-manager-cainjector"` | | +| cainjector.nodeSelector | object | `{}` | | +| cainjector.replicaCount | int | `1` | | +| cainjector.resources | object | `{}` | | +| cainjector.securityContext | object | `{}` | | +| cainjector.serviceAccount.create | bool | `true` | | +| cainjector.strategy | object | `{}` | | +| cainjector.tolerations | list | `[]` | | +| clusterResourceNamespace | string | `""` | | +| containerSecurityContext | object | `{}` | | +| extraArgs | list | `[]` | | +| extraEnv | list | `[]` | | +| featureGates | string | `""` | | +| global.imagePullSecrets | list | `[]` | | +| global.leaderElection.namespace | string | `"kube-system"` | | +| global.logLevel | int | `2` | | +| global.podSecurityPolicy.enabled | bool | `false` | | +| global.podSecurityPolicy.useAppArmor | bool | `true` | | +| global.priorityClassName | string | `""` | | +| global.rbac.create | bool | `true` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"quay.io/jetstack/cert-manager-controller"` | | +| ingressShim | object | `{}` | | +| installCRDs | bool | `false` | | +| nodeSelector | object | `{}` | | +| podLabels | object | `{}` | | +| prometheus.enabled | bool | `true` | | +| prometheus.servicemonitor.enabled | bool | `false` | | +| prometheus.servicemonitor.interval | string | `"60s"` | | +| prometheus.servicemonitor.labels | object | `{}` | | +| prometheus.servicemonitor.path | string | `"/metrics"` | | +| prometheus.servicemonitor.prometheusInstance | string | `"default"` | | +| prometheus.servicemonitor.scrapeTimeout | string | `"30s"` | | +| prometheus.servicemonitor.targetPort | int | `9402` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| strategy | object | `{}` | | +| tolerations | list | `[]` | | +| volumeMounts | list | `[]` | | +| volumes | list | `[]` | | +| webhook.affinity | object | `{}` | | +| webhook.containerSecurityContext | object | `{}` | | +| webhook.extraArgs | list | `[]` | | +| webhook.hostNetwork | bool | `false` | | +| webhook.image.pullPolicy | string | `"IfNotPresent"` | | +| webhook.image.repository | string | `"quay.io/jetstack/cert-manager-webhook"` | | +| webhook.nodeSelector | object | `{}` | | +| webhook.replicaCount | int | `1` | | +| webhook.resources | object | `{}` | | +| webhook.securePort | int | `10250` | | +| webhook.securityContext | object | `{}` | | +| webhook.serviceAccount.create | bool | `true` | | +| webhook.strategy | object | `{}` | | +| webhook.tolerations | list | `[]` | | diff --git a/stable/cert-manager/README.template.md b/stable/cert-manager/README.template.md new file mode 100644 index 0000000..6dbaed1 --- /dev/null +++ b/stable/cert-manager/README.template.md @@ -0,0 +1,184 @@ +# cert-manager + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +## Prerequisites + +- Kubernetes 1.11+ + +## Installing the Chart + +Full installation instructions, including details on how to configure extra +functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/). + +Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources. +This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. + +```bash +# Kubernetes 1.15+ +$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/{{RELEASE_VERSION}}/cert-manager.crds.yaml + +# Kubernetes <1.15 +$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/{{RELEASE_VERSION}}/cert-manager-legacy.crds.yaml +``` + +> **Note**: If you're using a Kubernetes version below `v1.15` you will need to install the legacy version of the custom resource definitions. +> This version does not have API version conversion enabled and only supports `cert-manager.io/v1alpha2` API resources. + +To install the chart with the release name `my-release`: + +```console +## Add the Jetstack Helm repository +$ helm repo add jetstack https://charts.jetstack.io + +## Install the cert-manager helm chart +$ helm install --name my-release --namespace cert-manager jetstack/cert-manager +``` + +In order to begin issuing certificates, you will need to set up a ClusterIssuer +or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). + +More information on the different types of issuers and how to configure them +can be found in [our documentation](https://cert-manager.io/docs/configuration/). + +For information on how to configure cert-manager to automatically provision +Certificates for Ingress resources, take a look at the +[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/). + +> **Tip**: List all releases using `helm list` + +## Upgrading the Chart + +Special considerations may be required when upgrading the Helm chart, and these +are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/). + +**Please check here before performing upgrades!** + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +If you want to completely uninstall cert-manager from your cluster, you will also need to +delete the previously installed CustomResourceDefinition resources: + +```console +# Kubernetes 1.15+ +$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/{{RELEASE_VERSION}}/cert-manager.crds.yaml + +# Kubernetes <1.15 +$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/{{RELEASE_VERSION}}/cert-manager-legacy.crds.yaml +``` + +## Configuration + +The following table lists the configurable parameters of the cert-manager chart and their default values. + +| Parameter | Description | Default | +| --------- | ----------- | ------- | +| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` | +| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` | +| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` | +| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` | +| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` | +| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` | +| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` | +| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | +| `image.tag` | Image tag | `{{RELEASE_VERSION}}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `replicaCount` | Number of cert-manager replicas | `1` | +| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | +| `featureGates` | Comma-separated list of feature gates to enable on the controller pod | `` | +| `extraArgs` | Optional flags for cert-manager | `[]` | +| `extraEnv` | Optional environment variables for cert-manager | `[]` | +| `serviceAccount.create` | If `true`, create a new service account | `true` | +| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `serviceAccount.annotations` | Annotations to add to the service account | | +| `volumes` | Optional volumes for cert-manager | `[]` | +| `volumeMounts` | Optional volume mounts for cert-manager | `[]` | +| `resources` | CPU/memory resource requests/limits | `{}` | +| `securityContext` | Optional security context. The yaml block should adhere to the [SecurityContext spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#securitycontext-v1-core) | `{}` | +| `securityContext.enabled` | Deprecated (use `securityContext`) - Enable security context | `false` | +| `containerSecurityContext` | Security context to be set on the controller component container | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Node affinity for pod assignment | `{}` | +| `tolerations` | Node tolerations for pod assignment | `[]` | +| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | | +| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | | +| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | | +| `prometheus.enabled` | Enable Prometheus monitoring | `true` | +| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` | +| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) | +| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` | +| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` | +| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` | +| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` | +| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | | +| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | +| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` | +| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` | +| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | | +| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | | +| `podLabels` | Labels to add to the cert-manager pod | `{}` | +| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | | +| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | | +| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | | +| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` | +| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` | +| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` | +| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` | +| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` | +| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` | +| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` | +| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | | +| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` | +| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` | +| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` | +| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` | +| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | +| `webhook.image.tag` | Webhook image tag | `{{RELEASE_VERSION}}` | +| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | +| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` | +| `webhook.securityContext` | Security context for webhook pod assignment | `{}` | +| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | `{}` | +| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` | +| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` | +| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` | +| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` | +| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` | +| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` | +| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` | +| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | | +| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` | +| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` | +| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` | +| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` | +| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | +| `cainjector.image.tag` | cainjector image tag | `{{RELEASE_VERSION}}` | +| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | +| `cainjector.securityContext` | Security context for cainjector pod assignment | `{}` | +| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | `{}` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install --name my-release -f values.yaml . +``` +> **Tip**: You can use the default [values.yaml](https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml) + +## Contributing + +This chart is maintained at [github.com/jetstack/cert-manager](https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager). diff --git a/stable/cert-manager/templates/BUILD.bazel b/stable/cert-manager/templates/BUILD.bazel new file mode 100644 index 0000000..b70d36d --- /dev/null +++ b/stable/cert-manager/templates/BUILD.bazel @@ -0,0 +1,52 @@ +package(default_visibility = ["//visibility:public"]) + +load("//build:files.bzl", "modify_file") + +modify_file( + name = "crds", + src = "//deploy/crds:templates.regular", + out = "crds.yaml", + prefix = """{{- if (semverCompare ">=1.15-0" .Capabilities.KubeVersion.GitVersion) }} +{{- if .Values.installCRDs }}""", + suffix = """{{- end }} +{{- end }}""", + visibility = ["//visibility:private"], +) + +modify_file( + name = "crds.legacy", + src = "//deploy/crds:templates.legacy", + out = "crds.legacy.yaml", + prefix = """{{- if (semverCompare "<1.15-0" .Capabilities.KubeVersion.GitVersion) }} +{{- if .Values.installCRDs }}""", + suffix = """{{- end }} +{{- end }}""", + visibility = ["//visibility:private"], +) + +filegroup( + name = "chart-srcs", + srcs = [ + "crds.yaml", + "crds.legacy.yaml", + ] + glob( + [ + "*.yaml", + "*.txt", + ], + ), +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) diff --git a/stable/cert-manager/templates/NOTES.txt b/stable/cert-manager/templates/NOTES.txt new file mode 100644 index 0000000..716adb2 --- /dev/null +++ b/stable/cert-manager/templates/NOTES.txt @@ -0,0 +1,15 @@ +cert-manager has been deployed successfully! + +In order to begin issuing certificates, you will need to set up a ClusterIssuer +or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). + +More information on the different types of issuers and how to configure them +can be found in our documentation: + +https://cert-manager.io/docs/configuration/ + +For information on how to configure cert-manager to automatically provision +Certificates for Ingress resources, take a look at the `ingress-shim` +documentation: + +https://cert-manager.io/docs/usage/ingress/ diff --git a/stable/cert-manager/templates/_helpers.tpl b/stable/cert-manager/templates/_helpers.tpl new file mode 100644 index 0000000..8951437 --- /dev/null +++ b/stable/cert-manager/templates/_helpers.tpl @@ -0,0 +1,128 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cert-manager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "cert-manager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cert-manager.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cert-manager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Webhook templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'webhook' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "webhook.name" -}} +{{- printf "webhook" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "webhook.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}} +{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "webhook.caRef" -}} +{{ .Release.Namespace}}/{{ template "webhook.fullname" . }}-ca +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "webhook.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "webhook.serviceAccountName" -}} +{{- if .Values.webhook.serviceAccount.create -}} + {{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.webhook.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +cainjector templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'cainjector' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "cainjector.name" -}} +{{- printf "cainjector" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cainjector.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}} +{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cainjector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cainjector.serviceAccountName" -}} +{{- if .Values.cainjector.serviceAccount.create -}} + {{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.cainjector.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/stable/cert-manager/templates/cainjector-deployment.yaml b/stable/cert-manager/templates/cainjector-deployment.yaml new file mode 100644 index 0000000..682d057 --- /dev/null +++ b/stable/cert-manager/templates/cainjector-deployment.yaml @@ -0,0 +1,86 @@ +{{- if .Values.cainjector.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cainjector.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} + {{- if .Values.cainjector.deploymentAnnotations }} + annotations: +{{ toYaml .Values.cainjector.deploymentAnnotations | indent 4 }} + {{- end }} +spec: + replicas: {{ .Values.cainjector.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- with .Values.cainjector.strategy }} + strategy: + {{- . | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} + {{- if .Values.cainjector.podAnnotations }} + annotations: +{{ toYaml .Values.cainjector.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "cainjector.serviceAccountName" . }} + {{- if .Values.global.priorityClassName }} + priorityClassName: {{ .Values.global.priorityClassName | quote }} + {{- end }} + {{- if .Values.cainjector.securityContext}} + securityContext: +{{ toYaml .Values.cainjector.securityContext | indent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.cainjector.image.repository }}:{{ default .Chart.AppVersion .Values.cainjector.image.tag }}" + imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }} + args: + {{- if .Values.global.logLevel }} + - --v={{ .Values.global.logLevel }} + {{- end }} + - --leader-election-namespace={{ .Values.global.leaderElection.namespace }} + {{- if .Values.cainjector.extraArgs }} +{{ toYaml .Values.cainjector.extraArgs | indent 10 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.cainjector.containerSecurityContext }} + securityContext: + {{- toYaml .Values.cainjector.containerSecurityContext | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.cainjector.resources | indent 12 }} + {{- with .Values.cainjector.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.cainjector.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.cainjector.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end -}} diff --git a/stable/cert-manager/templates/cainjector-psp-clusterrole.yaml b/stable/cert-manager/templates/cainjector-psp-clusterrole.yaml new file mode 100644 index 0000000..714ce92 --- /dev/null +++ b/stable/cert-manager/templates/cainjector-psp-clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if .Values.cainjector.enabled -}} +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cainjector.fullname" . }}-psp + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "cainjector.fullname" . }} +{{- end }} +{{- end }} diff --git a/stable/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml b/stable/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml new file mode 100644 index 0000000..fe523f7 --- /dev/null +++ b/stable/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.cainjector.enabled -}} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cainjector.fullname" . }}-psp + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cainjector.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/stable/cert-manager/templates/cainjector-psp.yaml b/stable/cert-manager/templates/cainjector-psp.yaml new file mode 100644 index 0000000..cbc4d04 --- /dev/null +++ b/stable/cert-manager/templates/cainjector-psp.yaml @@ -0,0 +1,52 @@ +{{- if .Values.cainjector.enabled -}} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end -}} +{{- end -}} diff --git a/stable/cert-manager/templates/cainjector-rbac.yaml b/stable/cert-manager/templates/cainjector-rbac.yaml new file mode 100644 index 0000000..ec5b971 --- /dev/null +++ b/stable/cert-manager/templates/cainjector-rbac.yaml @@ -0,0 +1,111 @@ +{{- if .Values.cainjector.enabled -}} +{{- if .Values.global.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["auditregistration.k8s.io"] + resources: ["auditsinks"] + verbs: ["get", "list", "watch", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cainjector.fullname" . }} +subjects: + - name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount + +--- +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ template "cainjector.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] +--- + +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ include "cainjector.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cainjector.fullname" . }}:leaderelection +subjects: + - kind: ServiceAccount + name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + + +{{- end -}} +{{- end -}} diff --git a/stable/cert-manager/templates/cainjector-serviceaccount.yaml b/stable/cert-manager/templates/cainjector-serviceaccount.yaml new file mode 100644 index 0000000..3fcf69d --- /dev/null +++ b/stable/cert-manager/templates/cainjector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.cainjector.enabled -}} +{{- if .Values.cainjector.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.cainjector.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.cainjector.serviceAccount.annotations | indent 4 }} + {{- end }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "cainjector" + helm.sh/chart: {{ include "cainjector.chart" . }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }} +{{- end }} +{{- end -}} +{{- end -}} diff --git a/stable/cert-manager/templates/deployment.yaml b/stable/cert-manager/templates/deployment.yaml new file mode 100644 index 0000000..d63f2d8 --- /dev/null +++ b/stable/cert-manager/templates/deployment.yaml @@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "cert-manager.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "cert-manager.name" . }} + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ template "cert-manager.chart" . }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- with .Values.strategy }} + strategy: + {{- . | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ template "cert-manager.name" . }} + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ template "cert-manager.chart" . }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + {{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }} + {{- if not .Values.podAnnotations }} + annotations: + {{- end }} + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + {{- end }} + spec: + serviceAccountName: {{ template "cert-manager.serviceAccountName" . }} + {{- if .Values.global.priorityClassName }} + priorityClassName: {{ .Values.global.priorityClassName | quote }} + {{- end }} + {{- $enabledDefined := gt (len (keys (pick .Values.securityContext "enabled"))) 0 }} + {{- $legacyEnabledExplicitlyOff := and $enabledDefined (not .Values.securityContext.enabled) }} + {{- if and .Values.securityContext (not $legacyEnabledExplicitlyOff) }} + securityContext: + {{- if .Values.securityContext.enabled -}} + {{/* support legacy securityContext.enabled and its two parameters */}} + fsGroup: {{ default 1001 .Values.securityContext.fsGroup }} + runAsUser: {{ default 1001 .Values.securityContext.runAsUser }} + {{- else -}} + {{/* this is the way forward: support an arbitrary yaml block */}} +{{ toYaml .Values.securityContext | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.volumes }} + volumes: +{{ toYaml .Values.volumes | indent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{- if .Values.global.logLevel }} + - --v={{ .Values.global.logLevel }} + {{- end }} + {{- if .Values.clusterResourceNamespace }} + - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }} + {{- else }} + - --cluster-resource-namespace=$(POD_NAMESPACE) + {{- end }} + - --leader-election-namespace={{ .Values.global.leaderElection.namespace }} + {{- if .Values.extraArgs }} +{{ toYaml .Values.extraArgs | indent 10 }} + {{- end }} + {{- with .Values.ingressShim }} + {{- if .defaultIssuerName }} + - --default-issuer-name={{ .defaultIssuerName }} + {{- end }} + {{- if .defaultIssuerKind }} + - --default-issuer-kind={{ .defaultIssuerKind }} + {{- end }} + {{- if .defaultIssuerGroup }} + - --default-issuer-group={{ .defaultIssuerGroup }} + {{- end }} + {{- end }} + {{- if .Values.featureGates }} + - --feature-gates={{ .Values.featureGates }} + {{- end }} + ports: + - containerPort: 9402 + protocol: TCP + {{- if .Values.containerSecurityContext }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- end }} + {{- if .Values.volumeMounts }} + volumeMounts: +{{ toYaml .Values.volumeMounts | indent 12 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.extraEnv }} +{{ toYaml .Values.extraEnv | indent 10 }} + {{- end }} + {{- if .Values.http_proxy }} + - name: HTTP_PROXY + value: {{ .Values.http_proxy }} + {{- end }} + {{- if .Values.https_proxy }} + - name: HTTPS_PROXY + value: {{ .Values.https_proxy }} + {{- end }} + {{- if .Values.no_proxy }} + - name: NO_PROXY + value: {{ .Values.no_proxy }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- if .Values.podDnsPolicy }} + dnsPolicy: {{ .Values.podDnsPolicy }} +{{- end }} +{{- if .Values.podDnsConfig }} + dnsConfig: +{{ toYaml .Values.podDnsConfig | indent 8 }} +{{- end }} diff --git a/stable/cert-manager/templates/psp-clusterrole.yaml b/stable/cert-manager/templates/psp-clusterrole.yaml new file mode 100644 index 0000000..b53af09 --- /dev/null +++ b/stable/cert-manager/templates/psp-clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cert-manager.fullname" . }}-psp + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "cert-manager.fullname" . }} +{{- end }} diff --git a/stable/cert-manager/templates/psp-clusterrolebinding.yaml b/stable/cert-manager/templates/psp-clusterrolebinding.yaml new file mode 100644 index 0000000..d20835e --- /dev/null +++ b/stable/cert-manager/templates/psp-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-psp + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/stable/cert-manager/templates/psp.yaml b/stable/cert-manager/templates/psp.yaml new file mode 100644 index 0000000..3c70dad --- /dev/null +++ b/stable/cert-manager/templates/psp.yaml @@ -0,0 +1,50 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "cert-manager.fullname" . }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} diff --git a/stable/cert-manager/templates/rbac.yaml b/stable/cert-manager/templates/rbac.yaml new file mode 100644 index 0000000..d3241c9 --- /dev/null +++ b/stable/cert-manager/templates/rbac.yaml @@ -0,0 +1,450 @@ +{{- if .Values.global.rbac.create -}} + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ template "cert-manager.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: + # Used for leader election by the controller + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + +--- + +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ include "cert-manager.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cert-manager.fullname" . }}:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + +--- + +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-issuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificates + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-orders + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-challenges + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. + # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + +--- + +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["extensions"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-issuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-issuers +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificates + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-certificates +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-orders + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-orders +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-challenges + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-challenges +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-view + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-edit + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + +{{- end }} diff --git a/stable/cert-manager/templates/service.yaml b/stable/cert-manager/templates/service.yaml new file mode 100644 index 0000000..d0ef612 --- /dev/null +++ b/stable/cert-manager/templates/service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.prometheus.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "cert-manager.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + targetPort: 9402 + selector: + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" +{{- end }} diff --git a/stable/cert-manager/templates/serviceaccount.yaml b/stable/cert-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..59c2f75 --- /dev/null +++ b/stable/cert-manager/templates/serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }} +{{- end }} +metadata: + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} + {{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} +{{- end }} diff --git a/stable/cert-manager/templates/servicemonitor.yaml b/stable/cert-manager/templates/servicemonitor.yaml new file mode 100644 index 0000000..e3b3748 --- /dev/null +++ b/stable/cert-manager/templates/servicemonitor.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "cert-manager.fullname" . }} +{{- if .Values.prometheus.servicemonitor.namespace }} + namespace: {{ .Values.prometheus.servicemonitor.namespace }} +{{- else }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "controller" + helm.sh/chart: {{ include "cert-manager.chart" . }} + prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }} +{{- if .Values.prometheus.servicemonitor.labels }} +{{ toYaml .Values.prometheus.servicemonitor.labels | indent 4}} +{{- end }} +spec: + jobLabel: {{ template "cert-manager.fullname" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }} + path: {{ .Values.prometheus.servicemonitor.path }} + interval: {{ .Values.prometheus.servicemonitor.interval }} + scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }} +{{- end }} diff --git a/stable/cert-manager/templates/webhook-deployment.yaml b/stable/cert-manager/templates/webhook-deployment.yaml new file mode 100644 index 0000000..ade6a32 --- /dev/null +++ b/stable/cert-manager/templates/webhook-deployment.yaml @@ -0,0 +1,108 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "webhook.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} + {{- if .Values.webhook.deploymentAnnotations }} + annotations: +{{ toYaml .Values.webhook.deploymentAnnotations | indent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- with .Values.webhook.strategy }} + strategy: + {{- . | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} + {{- if .Values.webhook.podAnnotations }} + annotations: +{{ toYaml .Values.webhook.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "webhook.serviceAccountName" . }} + {{- if .Values.global.priorityClassName }} + priorityClassName: {{ .Values.global.priorityClassName | quote }} + {{- end }} + {{- if .Values.webhook.securityContext}} + securityContext: +{{ toYaml .Values.webhook.securityContext | indent 8 }} + {{- end }} + {{- if .Values.webhook.hostNetwork }} + hostNetwork: true + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.webhook.image.repository }}:{{ default .Chart.AppVersion .Values.webhook.image.tag }}" + imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} + args: + {{- if .Values.global.logLevel }} + - --v={{ .Values.global.logLevel }} + {{- end }} + - --secure-port={{ .Values.webhook.securePort }} + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca + - --dynamic-serving-dns-names={{ template "webhook.fullname" . }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }}.svc + {{- if .Values.webhook.extraArgs }} +{{ toYaml .Values.webhook.extraArgs | indent 10 }} + {{- end }} + ports: + - name: https + containerPort: {{ .Values.webhook.securePort }} + livenessProbe: + httpGet: + path: /livez + port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + {{- if .Values.webhook.containerSecurityContext }} + securityContext: + {{- toYaml .Values.webhook.containerSecurityContext | nindent 12 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: +{{ toYaml .Values.webhook.resources | indent 12 }} + {{- with .Values.webhook.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.webhook.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.webhook.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + diff --git a/stable/cert-manager/templates/webhook-mutating-webhook.yaml b/stable/cert-manager/templates/webhook-mutating-webhook.yaml new file mode 100644 index 0000000..5113718 --- /dev/null +++ b/stable/cert-manager/templates/webhook-mutating-webhook.yaml @@ -0,0 +1,44 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "webhook.fullname" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} + annotations: + cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca" + {{- if .Values.webhook.mutatingWebhookConfigurationAnnotations }} +{{ toYaml .Values.webhook.mutatingWebhookConfigurationAnnotations | indent 4 }} + {{- end }} +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + failurePolicy: Fail +{{- if (semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion) }} + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None +{{- end }} + clientConfig: +{{- if (semverCompare "<=1.12-0" .Capabilities.KubeVersion.GitVersion) }} + # Set caBundle to empty to avoid https://github.com/kubernetes/kubernetes/pull/70138 + # in Kubernetes 1.12 and below. + caBundle: "" +{{- end }} + service: + name: {{ template "webhook.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + path: /mutate diff --git a/stable/cert-manager/templates/webhook-psp-clusterrole.yaml b/stable/cert-manager/templates/webhook-psp-clusterrole.yaml new file mode 100644 index 0000000..e68d6ac --- /dev/null +++ b/stable/cert-manager/templates/webhook-psp-clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "webhook.fullname" . }}-psp + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "webhook.fullname" . }} +{{- end }} diff --git a/stable/cert-manager/templates/webhook-psp-clusterrolebinding.yaml b/stable/cert-manager/templates/webhook-psp-clusterrolebinding.yaml new file mode 100644 index 0000000..9250944 --- /dev/null +++ b/stable/cert-manager/templates/webhook-psp-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "webhook.fullname" . }}-psp + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "webhook.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "webhook.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/stable/cert-manager/templates/webhook-psp.yaml b/stable/cert-manager/templates/webhook-psp.yaml new file mode 100644 index 0000000..b9011be --- /dev/null +++ b/stable/cert-manager/templates/webhook-psp.yaml @@ -0,0 +1,50 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "webhook.fullname" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} diff --git a/stable/cert-manager/templates/webhook-rbac.yaml b/stable/cert-manager/templates/webhook-rbac.yaml new file mode 100644 index 0000000..20fef98 --- /dev/null +++ b/stable/cert-manager/templates/webhook-rbac.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.rbac.create -}} + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ template "webhook.fullname" . }}:dynamic-serving + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: + - '{{ template "webhook.fullname" . }}-ca' + verbs: ["get", "list", "watch", "update"] +# It's not possible to grant CREATE permission on a single resourceName. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ template "webhook.fullname" . }}:dynamic-serving + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "webhook.fullname" . }}:dynamic-serving +subjects: +- apiGroup: "" + kind: ServiceAccount + name: {{ template "webhook.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + +{{- end -}} diff --git a/stable/cert-manager/templates/webhook-service.yaml b/stable/cert-manager/templates/webhook-service.yaml new file mode 100644 index 0000000..8f96f51 --- /dev/null +++ b/stable/cert-manager/templates/webhook-service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "webhook.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: {{ .Values.webhook.securePort }} + selector: + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" diff --git a/stable/cert-manager/templates/webhook-serviceaccount.yaml b/stable/cert-manager/templates/webhook-serviceaccount.yaml new file mode 100644 index 0000000..128651c --- /dev/null +++ b/stable/cert-manager/templates/webhook-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "webhook.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.webhook.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.webhook.serviceAccount.annotations | indent 4 }} + {{- end }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }} +{{- end -}} +{{- end -}} diff --git a/stable/cert-manager/templates/webhook-validating-webhook.yaml b/stable/cert-manager/templates/webhook-validating-webhook.yaml new file mode 100644 index 0000000..9184c65 --- /dev/null +++ b/stable/cert-manager/templates/webhook-validating-webhook.yaml @@ -0,0 +1,54 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "webhook.fullname" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "webhook" + helm.sh/chart: {{ include "webhook.chart" . }} + annotations: + cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca" + {{- if .Values.webhook.validatingWebhookConfigurationAnnotations }} +{{ toYaml .Values.webhook.validatingWebhookConfigurationAnnotations | indent 4 }} + {{- end }} +webhooks: + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + failurePolicy: Fail +{{- if (semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion) }} + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None +{{- end }} + clientConfig: +{{- if (semverCompare "<=1.12-0" .Capabilities.KubeVersion.GitVersion) }} + # Set caBundle to empty to avoid https://github.com/kubernetes/kubernetes/pull/70138 + # in Kubernetes 1.12 and below. + caBundle: "" +{{- end }} + service: + name: {{ template "webhook.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + path: /validate diff --git a/stable/cert-manager/values-ironbank.yaml b/stable/cert-manager/values-ironbank.yaml new file mode 100644 index 0000000..84ee6f2 --- /dev/null +++ b/stable/cert-manager/values-ironbank.yaml @@ -0,0 +1,311 @@ +# Default values for cert-manager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + ## Reference to one or more secrets to be used when pulling images + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + imagePullSecrets: [] + # - name: "image-pull-secret" + + # Optional priority class to be used for the cert-manager pods + priorityClassName: "" + rbac: + create: true + + podSecurityPolicy: + enabled: false + useAppArmor: true + + # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. + logLevel: 2 + + leaderElection: + # Override the namespace used to store the ConfigMap for leader election + namespace: "kube-system" + +installCRDs: false + +replicaCount: 1 + +strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + +# Comma separated list of feature gates that should be enabled on the +# controller pod. +featureGates: "" + +image: + repository: registry1.dsop.io/jetstack/cert-manager-controller + tag: v0.11.0 + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + pullPolicy: IfNotPresent + +# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer +# resources. By default, the same namespace as cert-manager is deployed within is +# used. This namespace will not be automatically created by the Helm chart. +clusterResourceNamespace: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + +# Optional additional arguments +extraArgs: [] + # Use this flag to set a namespace that cert-manager will use to store + # supporting resources required for each ClusterIssuer (default is kube-system) + # - --cluster-resource-namespace=kube-system + # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted + # - --enable-certificate-owner-ref=true + +extraEnv: [] +# - name: SOME_VAR +# value: 'some value' + +resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + +# Pod Security Context +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: {} +# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported +# securityContext: +# enabled: false +# fsGroup: 1001 +# runAsUser: 1001 +# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters +# you want to set, e.g. +# securityContext: +# fsGroup: 1000 +# runAsUser: 1000 +# runAsNonRoot: true + +# Container Security Context to be set on the controller component container +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + +volumes: [] + +volumeMounts: [] + +# Optional additional annotations to add to the controller Deployment +# deploymentAnnotations: {} + +# Optional additional annotations to add to the controller Pods +# podAnnotations: {} + +podLabels: {} + +# Optional DNS settings, useful if you have a public and private DNS zone for +# the same domain on Route 53. What follows is an example of ensuring +# cert-manager can access an ingress or DNS TXT records at all times. +# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for +# the cluster to work. +# podDnsPolicy: "None" +# podDnsConfig: +# nameservers: +# - "1.1.1.1" +# - "8.8.8.8" + +nodeSelector: {} + +ingressShim: {} + # defaultIssuerName: "" + # defaultIssuerKind: "" + # defaultIssuerGroup: "" + +prometheus: + enabled: true + servicemonitor: + enabled: false + prometheusInstance: default + targetPort: 9402 + path: /metrics + interval: 60s + scrapeTimeout: 30s + labels: {} + +# Use these variables to configure the HTTP_PROXY environment variables +# http_proxy: "http://proxy:8080" +# http_proxy: "http://proxy:8080" +# no_proxy: 127.0.0.1,localhost + +# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core +# for example: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: foo.bar.com/role +# operator: In +# values: +# - master +affinity: {} + +# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core +# for example: +# tolerations: +# - key: foo.bar.com/role +# operator: Equal +# value: master +# effect: NoSchedule +tolerations: [] + +webhook: + replicaCount: 1 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + securityContext: {} + + # Container Security Context to be set on the webhook component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + # Optional additional annotations to add to the webhook Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the webhook Pods + # podAnnotations: {} + + # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # mutatingWebhookConfigurationAnnotations: {} + + # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # validatingWebhookConfigurationAnnotations: {} + + # Optional additional arguments for webhook + extraArgs: [] + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + nodeSelector: {} + + affinity: {} + + tolerations: [] + + image: + repository: registry1.dsop.io/jetstack/cert-manager-webhook + tag: v0.11.0 + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + + # The port that the webhook should listen on for requests. + # In GKE private clusters, by default kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. so configuring + # securePort: 10250, will work out of the box without needing to add firewall + # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + securePort: 10250 + + # Specifies if the webhook should be started in hostNetwork mode. + # + # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom + # CNI (such as calico), because control-plane managed by AWS cannot communicate + # with pods' IP CIDR and admission webhooks are not working + # + # Since the default port for the webhook conflicts with kubelet on the host + # network, `webhook.securePort` should be changed to an available port if + # running in hostNetwork mode. + hostNetwork: false + +cainjector: + enabled: true + replicaCount: 1 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + securityContext: {} + + # Container Security Context to be set on the cainjector component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + + # Optional additional annotations to add to the cainjector Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the cainjector Pods + # podAnnotations: {} + + # Optional additional arguments for cainjector + extraArgs: [] + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + nodeSelector: {} + + affinity: {} + + tolerations: [] + + image: + repository: registry1.dsop.io/jetstack/cert-manager-cainjector + tag: v0.11.0 + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} diff --git a/stable/cert-manager/values.yaml b/stable/cert-manager/values.yaml new file mode 100644 index 0000000..6b2913b --- /dev/null +++ b/stable/cert-manager/values.yaml @@ -0,0 +1,308 @@ +# Default values for cert-manager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + ## Reference to one or more secrets to be used when pulling images + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + imagePullSecrets: [] + # - name: "image-pull-secret" + + # Optional priority class to be used for the cert-manager pods + priorityClassName: "" + rbac: + create: true + + podSecurityPolicy: + enabled: false + useAppArmor: true + + # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. + logLevel: 2 + + leaderElection: + # Override the namespace used to store the ConfigMap for leader election + namespace: "kube-system" + +installCRDs: false + +replicaCount: 1 + +strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + +# Comma separated list of feature gates that should be enabled on the +# controller pod. +featureGates: "" + +image: + repository: quay.io/jetstack/cert-manager-controller + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + pullPolicy: IfNotPresent + +# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer +# resources. By default, the same namespace as cert-manager is deployed within is +# used. This namespace will not be automatically created by the Helm chart. +clusterResourceNamespace: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + +# Optional additional arguments +extraArgs: [] + # Use this flag to set a namespace that cert-manager will use to store + # supporting resources required for each ClusterIssuer (default is kube-system) + # - --cluster-resource-namespace=kube-system + # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted + # - --enable-certificate-owner-ref=true + +extraEnv: [] +# - name: SOME_VAR +# value: 'some value' + +resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + +# Pod Security Context +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: {} +# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported +# securityContext: +# enabled: false +# fsGroup: 1001 +# runAsUser: 1001 +# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters +# you want to set, e.g. +# securityContext: +# fsGroup: 1000 +# runAsUser: 1000 +# runAsNonRoot: true + +# Container Security Context to be set on the controller component container +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + +volumes: [] + +volumeMounts: [] + +# Optional additional annotations to add to the controller Deployment +# deploymentAnnotations: {} + +# Optional additional annotations to add to the controller Pods +# podAnnotations: {} + +podLabels: {} + +# Optional DNS settings, useful if you have a public and private DNS zone for +# the same domain on Route 53. What follows is an example of ensuring +# cert-manager can access an ingress or DNS TXT records at all times. +# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for +# the cluster to work. +# podDnsPolicy: "None" +# podDnsConfig: +# nameservers: +# - "1.1.1.1" +# - "8.8.8.8" + +nodeSelector: {} + +ingressShim: {} + # defaultIssuerName: "" + # defaultIssuerKind: "" + # defaultIssuerGroup: "" + +prometheus: + enabled: true + servicemonitor: + enabled: false + prometheusInstance: default + targetPort: 9402 + path: /metrics + interval: 60s + scrapeTimeout: 30s + labels: {} + +# Use these variables to configure the HTTP_PROXY environment variables +# http_proxy: "http://proxy:8080" +# http_proxy: "http://proxy:8080" +# no_proxy: 127.0.0.1,localhost + +# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core +# for example: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: foo.bar.com/role +# operator: In +# values: +# - master +affinity: {} + +# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core +# for example: +# tolerations: +# - key: foo.bar.com/role +# operator: Equal +# value: master +# effect: NoSchedule +tolerations: [] + +webhook: + replicaCount: 1 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + securityContext: {} + + # Container Security Context to be set on the webhook component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + # Optional additional annotations to add to the webhook Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the webhook Pods + # podAnnotations: {} + + # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # mutatingWebhookConfigurationAnnotations: {} + + # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # validatingWebhookConfigurationAnnotations: {} + + # Optional additional arguments for webhook + extraArgs: [] + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + nodeSelector: {} + + affinity: {} + + tolerations: [] + + image: + repository: quay.io/jetstack/cert-manager-webhook + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + + # The port that the webhook should listen on for requests. + # In GKE private clusters, by default kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. so configuring + # securePort: 10250, will work out of the box without needing to add firewall + # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + securePort: 10250 + + # Specifies if the webhook should be started in hostNetwork mode. + # + # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom + # CNI (such as calico), because control-plane managed by AWS cannot communicate + # with pods' IP CIDR and admission webhooks are not working + # + # Since the default port for the webhook conflicts with kubelet on the host + # network, `webhook.securePort` should be changed to an available port if + # running in hostNetwork mode. + hostNetwork: false + +cainjector: + enabled: true + replicaCount: 1 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + securityContext: {} + + # Container Security Context to be set on the cainjector component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + + # Optional additional annotations to add to the cainjector Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the cainjector Pods + # podAnnotations: {} + + # Optional additional arguments for cainjector + extraArgs: [] + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + nodeSelector: {} + + affinity: {} + + tolerations: [] + + image: + repository: quay.io/jetstack/cert-manager-cainjector + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} -- GitLab From d2bb0c1b55fb152897d8688c7a5f5d0244e87dfe Mon Sep 17 00:00:00 2001 From: Michael Simmons Date: Tue, 11 Aug 2020 17:43:06 +0000 Subject: [PATCH 2/7] Delete .DS_Store --- .DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 75397b431e5086fc81704bb7e91b8ad64901ce61..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKO>Wab6n@i&)Cr2n0;yekgTx|=QVJ~yRdUmG(FGF12o``^8(YN4^;EV~tAteE z^bUm^a1>6!K{x<>^OLG}UHo~Yq2eQMtihFBYFbt<6H@9j4w4t z2Q!EGDo!U@C5PXq_mrWX)R+JWqa@(PkWZ2zlk>Q0z_MCa>!7DJbuXW!r0oXuL+ z>YerN{llZv57Upcvrk9}#&BRuyQOgspW#%JJaN+`=E*zs&pGp0gV$OC{c~D3uXPsY zke_QXxiQOi_V~%JdV1DLVRX z9p`8)6)HM0{rF&dWu{*!OsRW2q25F!M)1%3vy^ Iz+YA1C(B8qNB{r; -- GitLab From acac992257d959f83e75629ccc358ed1d490f813 Mon Sep 17 00:00:00 2001 From: Michael Simmons Date: Tue, 11 Aug 2020 17:43:22 +0000 Subject: [PATCH 3/7] Delete .DS_Store --- stable/.DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 stable/.DS_Store diff --git a/stable/.DS_Store b/stable/.DS_Store deleted file mode 100644 index 4f2d5025376f082c716f08cf8fdd86cdcf0980b2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK!EVz)5S?vO;-pkW6;gBb1&KoJ^m{}sFbWt2)=dHacCS*Od`c*z{P&BI<1p^KVeEp#3&ef+&0o^c z`$wERNk=;FyE_VlG;6nih>cQt^Ge0CYF2H#_OdsKC%w$c#%b3{p7YgXCmXoB|0IsX zzkSDj8u*iw`t^r#lsQ4 z-8-|UJv}^ZH|^W|2eVn#+P$&&;P`a-?)~(`?Bf?XB@$T3q+Qea2fm`SQYbI&hb~HH z@=DU%UJ`|I#495|qyp7rsP2=86*Dbp{SAz~)+MlfI$vao-2$tEbvME4`%10C1@@-` zdxzf8m|Wy-QHo#RfpdR|Hbb5O6&C6eKMOfF!46P=K=IgJonyV1&jihuK=$PHk`4eajsA<9cbhc09eMbH1zqe z0>{`II~wN-aR(+;C{Tq8eZ&wd9OJg;bu`Wus&Eqe@FDb*g+8GO`E=yBC7nb^p=pf* zMu9~IO6s!C`~RcW=l{hZb7d4T3j9|Ji1JbIsEaA-y>)4Fyw}?BQ#c#*<_cv98oeFM g4sXQ`xHR0exdZHIoGZi#%={6MGML6FaH$IX1|$dUcK`qY -- GitLab From 9188e7cce5d9981c767bdb868e4df97b8a744a49 Mon Sep 17 00:00:00 2001 From: Michael Simmons Date: Wed, 12 Aug 2020 08:52:59 -0600 Subject: [PATCH 4/7] values.yaml edits --- stable/cert-manager/values-ironbank.yaml | 295 +-------------- stable/cert-manager/values.yaml | 18 +- stable/haproxy/.DS_Store | Bin 0 -> 6148 bytes stable/haproxy/Chart.yaml | 35 ++ stable/haproxy/IRONBANK.md.gotmpl | 37 ++ stable/haproxy/README-original.md | 190 ++++++++++ .../ci/daemonset-customconfig-values.yaml | 4 + .../ci/daemonset-customnodeport-values.yaml | 7 + .../haproxy/ci/daemonset-default-values.yaml | 2 + ...daemonset-disabledsecretconfig-values.yaml | 4 + .../ci/daemonset-enableports-values.yaml | 7 + .../ci/daemonset-extraargs-values.yaml | 4 + .../haproxy/ci/daemonset-hostport-values.yaml | 8 + .../haproxy/ci/daemonset-nodeport-values.yaml | 4 + .../ci/daemonset-publishservice-values.yaml | 5 + .../daemonset-serviceannotation-values.yaml | 5 + .../ci/deployment-customconfig-values.yaml | 3 + .../ci/deployment-customnodeport-values.yaml | 6 + .../haproxy/ci/deployment-default-values.yaml | 1 + ...eployment-disabledsecretconfig-values.yaml | 3 + .../ci/deployment-enableports-values.yaml | 6 + .../ci/deployment-extraargs-values.yaml | 3 + .../ci/deployment-nodeport-values.yaml | 3 + .../ci/deployment-publishservice-values.yaml | 4 + .../ci/deployment-replicacount-unset.yaml | 5 + .../deployment-serviceannotation-values.yaml | 4 + stable/haproxy/templates/NOTES.txt | 67 ++++ stable/haproxy/templates/_helpers.tpl | 123 ++++++ stable/haproxy/templates/clusterrole.yaml | 61 +++ .../haproxy/templates/clusterrolebinding.yaml | 37 ++ .../templates/controller-configmap.yaml | 34 ++ .../templates/controller-daemonset.yaml | 153 ++++++++ .../controller-defaultcertsecret.yaml | 33 ++ .../templates/controller-deployment.yaml | 141 +++++++ .../controller-podsecuritypolicy.yaml | 75 ++++ .../templates/controller-pullsecret.yaml | 32 ++ stable/haproxy/templates/controller-role.yaml | 38 ++ .../templates/controller-rolebinding.yaml | 37 ++ .../haproxy/templates/controller-service.yaml | 100 +++++ .../templates/controller-serviceaccount.yaml | 29 ++ .../templates/default-backend-deployment.yaml | 71 ++++ .../default-backend-podsecuritypolicy.yaml | 59 +++ .../templates/default-backend-role.yaml | 38 ++ .../default-backend-rolebinding.yaml | 37 ++ .../templates/default-backend-service.yaml | 38 ++ .../default-backend-serviceaccount.yaml | 29 ++ stable/haproxy/values-ironbank.yaml | 352 ++++++++++++++++++ stable/haproxy/values.yaml | 352 ++++++++++++++++++ 48 files changed, 2293 insertions(+), 306 deletions(-) create mode 100644 stable/haproxy/.DS_Store create mode 100644 stable/haproxy/Chart.yaml create mode 100644 stable/haproxy/IRONBANK.md.gotmpl create mode 100644 stable/haproxy/README-original.md create mode 100644 stable/haproxy/ci/daemonset-customconfig-values.yaml create mode 100644 stable/haproxy/ci/daemonset-customnodeport-values.yaml create mode 100644 stable/haproxy/ci/daemonset-default-values.yaml create mode 100644 stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml create mode 100644 stable/haproxy/ci/daemonset-enableports-values.yaml create mode 100644 stable/haproxy/ci/daemonset-extraargs-values.yaml create mode 100644 stable/haproxy/ci/daemonset-hostport-values.yaml create mode 100644 stable/haproxy/ci/daemonset-nodeport-values.yaml create mode 100644 stable/haproxy/ci/daemonset-publishservice-values.yaml create mode 100644 stable/haproxy/ci/daemonset-serviceannotation-values.yaml create mode 100644 stable/haproxy/ci/deployment-customconfig-values.yaml create mode 100644 stable/haproxy/ci/deployment-customnodeport-values.yaml create mode 100644 stable/haproxy/ci/deployment-default-values.yaml create mode 100644 stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml create mode 100644 stable/haproxy/ci/deployment-enableports-values.yaml create mode 100644 stable/haproxy/ci/deployment-extraargs-values.yaml create mode 100644 stable/haproxy/ci/deployment-nodeport-values.yaml create mode 100644 stable/haproxy/ci/deployment-publishservice-values.yaml create mode 100644 stable/haproxy/ci/deployment-replicacount-unset.yaml create mode 100644 stable/haproxy/ci/deployment-serviceannotation-values.yaml create mode 100644 stable/haproxy/templates/NOTES.txt create mode 100644 stable/haproxy/templates/_helpers.tpl create mode 100644 stable/haproxy/templates/clusterrole.yaml create mode 100644 stable/haproxy/templates/clusterrolebinding.yaml create mode 100644 stable/haproxy/templates/controller-configmap.yaml create mode 100644 stable/haproxy/templates/controller-daemonset.yaml create mode 100644 stable/haproxy/templates/controller-defaultcertsecret.yaml create mode 100644 stable/haproxy/templates/controller-deployment.yaml create mode 100644 stable/haproxy/templates/controller-podsecuritypolicy.yaml create mode 100644 stable/haproxy/templates/controller-pullsecret.yaml create mode 100644 stable/haproxy/templates/controller-role.yaml create mode 100644 stable/haproxy/templates/controller-rolebinding.yaml create mode 100644 stable/haproxy/templates/controller-service.yaml create mode 100644 stable/haproxy/templates/controller-serviceaccount.yaml create mode 100644 stable/haproxy/templates/default-backend-deployment.yaml create mode 100644 stable/haproxy/templates/default-backend-podsecuritypolicy.yaml create mode 100644 stable/haproxy/templates/default-backend-role.yaml create mode 100644 stable/haproxy/templates/default-backend-rolebinding.yaml create mode 100644 stable/haproxy/templates/default-backend-service.yaml create mode 100644 stable/haproxy/templates/default-backend-serviceaccount.yaml create mode 100644 stable/haproxy/values-ironbank.yaml create mode 100644 stable/haproxy/values.yaml diff --git a/stable/cert-manager/values-ironbank.yaml b/stable/cert-manager/values-ironbank.yaml index 84ee6f2..34cd158 100644 --- a/stable/cert-manager/values-ironbank.yaml +++ b/stable/cert-manager/values-ironbank.yaml @@ -1,311 +1,18 @@ -# Default values for cert-manager. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - ## Reference to one or more secrets to be used when pulling images - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - imagePullSecrets: [] - # - name: "image-pull-secret" - - # Optional priority class to be used for the cert-manager pods - priorityClassName: "" - rbac: - create: true - - podSecurityPolicy: - enabled: false - useAppArmor: true - - # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. - logLevel: 2 - - leaderElection: - # Override the namespace used to store the ConfigMap for leader election - namespace: "kube-system" - -installCRDs: false - -replicaCount: 1 - -strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 - -# Comma separated list of feature gates that should be enabled on the -# controller pod. -featureGates: "" image: repository: registry1.dsop.io/jetstack/cert-manager-controller tag: v0.11.0 - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. - # tag: canary pullPolicy: IfNotPresent -# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer -# resources. By default, the same namespace as cert-manager is deployed within is -# used. This namespace will not be automatically created by the Helm chart. -clusterResourceNamespace: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - # name: "" - # Optional additional annotations to add to the controller's ServiceAccount - # annotations: {} - -# Optional additional arguments -extraArgs: [] - # Use this flag to set a namespace that cert-manager will use to store - # supporting resources required for each ClusterIssuer (default is kube-system) - # - --cluster-resource-namespace=kube-system - # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted - # - --enable-certificate-owner-ref=true - -extraEnv: [] -# - name: SOME_VAR -# value: 'some value' - -resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - -# Pod Security Context -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -securityContext: {} -# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported -# securityContext: -# enabled: false -# fsGroup: 1001 -# runAsUser: 1001 -# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters -# you want to set, e.g. -# securityContext: -# fsGroup: 1000 -# runAsUser: 1000 -# runAsNonRoot: true - -# Container Security Context to be set on the controller component container -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -containerSecurityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - - -volumes: [] - -volumeMounts: [] - -# Optional additional annotations to add to the controller Deployment -# deploymentAnnotations: {} - -# Optional additional annotations to add to the controller Pods -# podAnnotations: {} - -podLabels: {} - -# Optional DNS settings, useful if you have a public and private DNS zone for -# the same domain on Route 53. What follows is an example of ensuring -# cert-manager can access an ingress or DNS TXT records at all times. -# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for -# the cluster to work. -# podDnsPolicy: "None" -# podDnsConfig: -# nameservers: -# - "1.1.1.1" -# - "8.8.8.8" - -nodeSelector: {} - -ingressShim: {} - # defaultIssuerName: "" - # defaultIssuerKind: "" - # defaultIssuerGroup: "" - -prometheus: - enabled: true - servicemonitor: - enabled: false - prometheusInstance: default - targetPort: 9402 - path: /metrics - interval: 60s - scrapeTimeout: 30s - labels: {} - -# Use these variables to configure the HTTP_PROXY environment variables -# http_proxy: "http://proxy:8080" -# http_proxy: "http://proxy:8080" -# no_proxy: 127.0.0.1,localhost - -# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core -# for example: -# affinity: -# nodeAffinity: -# requiredDuringSchedulingIgnoredDuringExecution: -# nodeSelectorTerms: -# - matchExpressions: -# - key: foo.bar.com/role -# operator: In -# values: -# - master -affinity: {} - -# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core -# for example: -# tolerations: -# - key: foo.bar.com/role -# operator: Equal -# value: master -# effect: NoSchedule -tolerations: [] - -webhook: - replicaCount: 1 - - strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 - - securityContext: {} - - # Container Security Context to be set on the webhook component container - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - containerSecurityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - - # Optional additional annotations to add to the webhook Deployment - # deploymentAnnotations: {} - - # Optional additional annotations to add to the webhook Pods - # podAnnotations: {} - - # Optional additional annotations to add to the webhook MutatingWebhookConfiguration - # mutatingWebhookConfigurationAnnotations: {} - - # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration - # validatingWebhookConfigurationAnnotations: {} - - # Optional additional arguments for webhook - extraArgs: [] - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - nodeSelector: {} - - affinity: {} - - tolerations: [] - image: repository: registry1.dsop.io/jetstack/cert-manager-webhook tag: v0.11.0 - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. - # tag: canary pullPolicy: IfNotPresent - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - # name: "" - # Optional additional annotations to add to the controller's ServiceAccount - # annotations: {} - - # The port that the webhook should listen on for requests. - # In GKE private clusters, by default kubernetes apiservers are allowed to - # talk to the cluster nodes only on 443 and 10250. so configuring - # securePort: 10250, will work out of the box without needing to add firewall - # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 - securePort: 10250 - - # Specifies if the webhook should be started in hostNetwork mode. - # - # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom - # CNI (such as calico), because control-plane managed by AWS cannot communicate - # with pods' IP CIDR and admission webhooks are not working - # - # Since the default port for the webhook conflicts with kubelet on the host - # network, `webhook.securePort` should be changed to an available port if - # running in hostNetwork mode. - hostNetwork: false - cainjector: enabled: true replicaCount: 1 - - strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 - - securityContext: {} - - # Container Security Context to be set on the cainjector component container - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - containerSecurityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - - - # Optional additional annotations to add to the cainjector Deployment - # deploymentAnnotations: {} - - # Optional additional annotations to add to the cainjector Pods - # podAnnotations: {} - - # Optional additional arguments for cainjector - extraArgs: [] - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - nodeSelector: {} - - affinity: {} - - tolerations: [] - image: repository: registry1.dsop.io/jetstack/cert-manager-cainjector tag: v0.11.0 - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. - # tag: canary - pullPolicy: IfNotPresent - - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - # name: "" - # Optional additional annotations to add to the controller's ServiceAccount - # annotations: {} + pullPolicy: IfNotPresent \ No newline at end of file diff --git a/stable/cert-manager/values.yaml b/stable/cert-manager/values.yaml index 6b2913b..b06d2ae 100644 --- a/stable/cert-manager/values.yaml +++ b/stable/cert-manager/values.yaml @@ -39,10 +39,8 @@ strategy: {} featureGates: "" image: - repository: quay.io/jetstack/cert-manager-controller - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. - # tag: canary + repository: registry1.dsop.io/jetstack/cert-manager-controller + tag: v0.11.0 pullPolicy: IfNotPresent # Override the namespace used to store DNS provider credentials etc. for ClusterIssuer @@ -216,10 +214,8 @@ webhook: tolerations: [] image: - repository: quay.io/jetstack/cert-manager-webhook - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. - # tag: canary + repository: registry1.dsop.io/jetstack/cert-manager-webhook + tag: v0.11.0 pullPolicy: IfNotPresent serviceAccount: @@ -292,10 +288,8 @@ cainjector: tolerations: [] image: - repository: quay.io/jetstack/cert-manager-cainjector - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. - # tag: canary + repository: registry1.dsop.io/jetstack/cert-manager-cainjector + tag: v0.11.0 pullPolicy: IfNotPresent serviceAccount: diff --git a/stable/haproxy/.DS_Store b/stable/haproxy/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5663e92392f08e36ce7e0923b62edaadca5ca2b0 GIT binary patch literal 6148 zcmeHK%}T>S5dO9nZ0)5KL613lQSj^~*7i_D1$_Z+D;i82saEioi|^no_mF2oC9yn@mi?UVTL}VdpIHPGH!;1@d>7U<5V-2bGY})do)?=TB|We z`VZv@U$r>9O+5MRbMa->gjF+E9MU?)-PbO!%MzMUGIMh7vW@ zg)4^BaN48b7YEE0H5@KnK3u5m!VSgw>dYT`ceq&5v@u`|lo?pl$F`jR{qOJpsy@ivr4E!nspB*f7!~g&Q literal 0 HcmV?d00001 diff --git a/stable/haproxy/Chart.yaml b/stable/haproxy/Chart.yaml new file mode 100644 index 0000000..3528ebb --- /dev/null +++ b/stable/haproxy/Chart.yaml @@ -0,0 +1,35 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +name: kubernetes-ingress +version: 1.4.3 +kubeVersion: ">=1.12.0-0" +description: A Helm chart for HAProxy Kubernetes Ingress Controller +keywords: + - ingress + - haproxy +home: https://github.com/haproxytech/helm-charts/tree/master/kubernetes-ingress +sources: + - https://github.com/haproxytech/kubernetes-ingress +icon: http://www.haproxy.org/img/HAProxyCommunityEdition_60px.png +maintainers: + - name: Moemen Mhedhbi + email: mmhedhbi@haproxy.com + - name: Baptiste Assmann + email: bassmann@haproxy.com + - name: Dinko Korunic + email: dkorunic@haproxy.com +appVersion: 1.4.6 +tillerVersion: ">=2.9.0" diff --git a/stable/haproxy/IRONBANK.md.gotmpl b/stable/haproxy/IRONBANK.md.gotmpl new file mode 100644 index 0000000..ed5f43b --- /dev/null +++ b/stable/haproxy/IRONBANK.md.gotmpl @@ -0,0 +1,37 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +Version: {{ template "chart.version" . }} + +## Introduction + +This repository tracks the upstream [stable/minio](https://github.com/helm/charts/tree/master/stable/minio) Helm chart. + +A `values-ironbank.yaml` file is included with required parameters for deployment. + +- Uses Ironbank images +- Enables TLS + +Reference the original [README](./README-original.md) for additional instructions. + +## Prerequisites + +* TLS certificate + +``` +kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt +``` + +The `Installation` below shows how to enable TLS with the new certificates. + +> Note the default secretNames defined in the `values-ironbank.yaml` file for certificates + +## Installation + +```shell +helm install ./ --name harbor --set tls.enabled=true,tls.certSecret=tls-ssl-minio -f values-ironbank.yaml +``` + +## Configuration + +{{ template "chart.valuesTable" . }} diff --git a/stable/haproxy/README-original.md b/stable/haproxy/README-original.md new file mode 100644 index 0000000..73e4e2f --- /dev/null +++ b/stable/haproxy/README-original.md @@ -0,0 +1,190 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/hapee/2-0r1/traffic-management/kubernetes-ingress-controller/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + + - Kubernetes 1.12+ + - Helm 2.9+ + +## Before you begin + +### Setup a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Add Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts +helm repo update +``` + +## Install the chart + +To install the chart with Helm v3 as *my-release* deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +***NOTE***: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace *prod*. + +***NOTE***: Helm v3 requires namespace to be precreated (eg. with ```kubectl create namespace prod```) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress2 haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress3 haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +***NOTE***: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress3 haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +***NOTE***: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count. Therefore we want to unset default replicaCount for controller and defaultBackend by setting corresponding key values to null: + +```console +helm install my-ingress4 haproxytech/kubernetes-ingress \ + --set controller.replicaCount=null \ + --set defaultBackend.replicaCount=null +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +*mylb.yaml*: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress4 -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +## Upgrading the chart + +To upgrade the *my-release* deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +## Uninstalling the chart + +To uninstall/delete the *my-release* deployment: + +```console +helm delete kubernetes-ingress +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/stable/haproxy/ci/daemonset-customconfig-values.yaml b/stable/haproxy/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000..116158a --- /dev/null +++ b/stable/haproxy/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/stable/haproxy/ci/daemonset-customnodeport-values.yaml b/stable/haproxy/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000..c9de04c --- /dev/null +++ b/stable/haproxy/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/stable/haproxy/ci/daemonset-default-values.yaml b/stable/haproxy/ci/daemonset-default-values.yaml new file mode 100644 index 0000000..ddb2562 --- /dev/null +++ b/stable/haproxy/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml b/stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000..362fbb9 --- /dev/null +++ b/stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/stable/haproxy/ci/daemonset-enableports-values.yaml b/stable/haproxy/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000..9a41dac --- /dev/null +++ b/stable/haproxy/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/stable/haproxy/ci/daemonset-extraargs-values.yaml b/stable/haproxy/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000..691acbc --- /dev/null +++ b/stable/haproxy/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/stable/haproxy/ci/daemonset-hostport-values.yaml b/stable/haproxy/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000..45042ea --- /dev/null +++ b/stable/haproxy/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/stable/haproxy/ci/daemonset-nodeport-values.yaml b/stable/haproxy/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000..ebc8f10 --- /dev/null +++ b/stable/haproxy/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/stable/haproxy/ci/daemonset-publishservice-values.yaml b/stable/haproxy/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000..b538cb5 --- /dev/null +++ b/stable/haproxy/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/stable/haproxy/ci/daemonset-serviceannotation-values.yaml b/stable/haproxy/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000..b538cb5 --- /dev/null +++ b/stable/haproxy/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/stable/haproxy/ci/deployment-customconfig-values.yaml b/stable/haproxy/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000..12c48d2 --- /dev/null +++ b/stable/haproxy/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/stable/haproxy/ci/deployment-customnodeport-values.yaml b/stable/haproxy/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000..f044362 --- /dev/null +++ b/stable/haproxy/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/stable/haproxy/ci/deployment-default-values.yaml b/stable/haproxy/ci/deployment-default-values.yaml new file mode 100644 index 0000000..792d600 --- /dev/null +++ b/stable/haproxy/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml b/stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000..7676459 --- /dev/null +++ b/stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/stable/haproxy/ci/deployment-enableports-values.yaml b/stable/haproxy/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000..03ff297 --- /dev/null +++ b/stable/haproxy/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/stable/haproxy/ci/deployment-extraargs-values.yaml b/stable/haproxy/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000..d0e1dbe --- /dev/null +++ b/stable/haproxy/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/stable/haproxy/ci/deployment-nodeport-values.yaml b/stable/haproxy/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000..ffdc47b --- /dev/null +++ b/stable/haproxy/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/stable/haproxy/ci/deployment-publishservice-values.yaml b/stable/haproxy/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000..6d8bf9b --- /dev/null +++ b/stable/haproxy/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/stable/haproxy/ci/deployment-replicacount-unset.yaml b/stable/haproxy/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000..78ee300 --- /dev/null +++ b/stable/haproxy/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/stable/haproxy/ci/deployment-serviceannotation-values.yaml b/stable/haproxy/ci/deployment-serviceannotation-values.yaml new file mode 100644 index 0000000..c103bd6 --- /dev/null +++ b/stable/haproxy/ci/deployment-serviceannotation-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/stable/haproxy/templates/NOTES.txt b/stable/haproxy/templates/NOTES.txt new file mode 100644 index 0000000..522e230 --- /dev/null +++ b/stable/haproxy/templates/NOTES.txt @@ -0,0 +1,67 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if and .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1beta1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/master/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/hapee/2-0r1/traffic-management/kubernetes-ingress-controller/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + + + diff --git a/stable/haproxy/templates/_helpers.tpl b/stable/haproxy/templates/_helpers.tpl new file mode 100644 index 0000000..23a9063 --- /dev/null +++ b/stable/haproxy/templates/_helpers.tpl @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{kubernetes-ingress.publishServicePath{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name .Release.Namespace -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" .Release.Namespace (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/stable/haproxy/templates/clusterrole.yaml b/stable/haproxy/templates/clusterrole.yaml new file mode 100644 index 0000000..89cb9f8 --- /dev/null +++ b/stable/haproxy/templates/clusterrole.yaml @@ -0,0 +1,61 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - services + - namespaces + - events + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + resources: + - ingresses + - ingresses/status + verbs: + - get + - list + - watch + - update +- apiGroups: + - "networking.k8s.io/v1beta1" + resources: + - ingresses + - ingresses/status + verbs: + - get + - list + - watch +{{- end -}} diff --git a/stable/haproxy/templates/clusterrolebinding.yaml b/stable/haproxy/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..cfd2260 --- /dev/null +++ b/stable/haproxy/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} + diff --git a/stable/haproxy/templates/controller-configmap.yaml b/stable/haproxy/templates/controller-configmap.yaml new file mode 100644 index 0000000..94aa9c5 --- /dev/null +++ b/stable/haproxy/templates/controller-configmap.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ template "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/stable/haproxy/templates/controller-daemonset.yaml b/stable/haproxy/templates/controller-daemonset.yaml new file mode 100644 index 0000000..7260d32 --- /dev/null +++ b/stable/haproxy/templates/controller-daemonset.yaml @@ -0,0 +1,153 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + minReadySeconds: 0 + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if and .Values.controller.defaultTLSSecret.enabled -}} +{{- if .Values.controller.defaultTLSSecret.secret }} + - --default-ssl-certificate={{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} + - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + livenessProbe: + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.livenessProbe.path }} + port: {{ .Values.controller.livenessProbe.port }} + scheme: {{ .Values.controller.livenessProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + readinessProbe: + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.readinessProbe.path }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: {{ .Values.controller.readinessProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/stable/haproxy/templates/controller-defaultcertsecret.yaml b/stable/haproxy/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000..bb97b1e --- /dev/null +++ b/stable/haproxy/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,33 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} diff --git a/stable/haproxy/templates/controller-deployment.yaml b/stable/haproxy/templates/controller-deployment.yaml new file mode 100644 index 0000000..7fd2aae --- /dev/null +++ b/stable/haproxy/templates/controller-deployment.yaml @@ -0,0 +1,141 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if not ( kindIs "invalid" .Values.controller.replicaCount) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.secret }} + - --default-ssl-certificate={{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} + - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- end }} + livenessProbe: + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.livenessProbe.path }} + port: {{ .Values.controller.livenessProbe.port }} + scheme: {{ .Values.controller.livenessProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + readinessProbe: + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.readinessProbe.path }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: {{ .Values.controller.readinessProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/stable/haproxy/templates/controller-podsecuritypolicy.yaml b/stable/haproxy/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000..77d220f --- /dev/null +++ b/stable/haproxy/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,75 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ template "kubernetes-ingress.fullname" . }} +spec: + allowPrivilegeEscalation: false + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - downwardAPI + - secret +{{- end }} diff --git a/stable/haproxy/templates/controller-pullsecret.yaml b/stable/haproxy/templates/controller-pullsecret.yaml new file mode 100644 index 0000000..8825239 --- /dev/null +++ b/stable/haproxy/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/stable/haproxy/templates/controller-role.yaml b/stable/haproxy/templates/controller-role.yaml new file mode 100644 index 0000000..3e41df6 --- /dev/null +++ b/stable/haproxy/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/stable/haproxy/templates/controller-rolebinding.yaml b/stable/haproxy/templates/controller-rolebinding.yaml new file mode 100644 index 0000000..40404a4 --- /dev/null +++ b/stable/haproxy/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/stable/haproxy/templates/controller-service.yaml b/stable/haproxy/templates/controller-service.yaml new file mode 100644 index 0000000..2fa1641 --- /dev/null +++ b/stable/haproxy/templates/controller-service.yaml @@ -0,0 +1,100 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} + diff --git a/stable/haproxy/templates/controller-serviceaccount.yaml b/stable/haproxy/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000..c907109 --- /dev/null +++ b/stable/haproxy/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/stable/haproxy/templates/default-backend-deployment.yaml b/stable/haproxy/templates/default-backend-deployment.yaml new file mode 100644 index 0000000..3dd04e0 --- /dev/null +++ b/stable/haproxy/templates/default-backend-deployment.yaml @@ -0,0 +1,71 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if not (kindIs "invalid" .Values.defaultBackend.replicaCount) }} + replicas: {{ .Values.defaultBackend.replicaCount }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.defaultBackend.podLabels }} +{{ toYaml .Values.defaultBackend.podLabels | indent 8 }} + {{- end }} + {{- if .Values.defaultBackend.podAnnotations }} + annotations: +{{ toYaml .Values.defaultBackend.podAnnotations | indent 8 }} + {{- end }} + spec: + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.defaultBackend.name }} + image: "{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}" + imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.defaultBackend.containerPort }} + protocol: TCP + resources: + {{- toYaml .Values.defaultBackend.resources | nindent 12 }} + {{- with .Values.defaultBackend.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.defaultBackend.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }} + {{- with .Values.defaultBackend.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/stable/haproxy/templates/default-backend-podsecuritypolicy.yaml b/stable/haproxy/templates/default-backend-podsecuritypolicy.yaml new file mode 100644 index 0000000..a31d60e --- /dev/null +++ b/stable/haproxy/templates/default-backend-podsecuritypolicy.yaml @@ -0,0 +1,59 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} +spec: + allowPrivilegeEscalation: false + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostNetwork: false + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - downwardAPI + - secret +{{- end }} diff --git a/stable/haproxy/templates/default-backend-role.yaml b/stable/haproxy/templates/default-backend-role.yaml new file mode 100644 index 0000000..8ca2416 --- /dev/null +++ b/stable/haproxy/templates/default-backend-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "kubernetes-ingress.defaultBackend.fullname" . }} +{{- end -}} diff --git a/stable/haproxy/templates/default-backend-rolebinding.yaml b/stable/haproxy/templates/default-backend-rolebinding.yaml new file mode 100644 index 0000000..a27f804 --- /dev/null +++ b/stable/haproxy/templates/default-backend-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/stable/haproxy/templates/default-backend-service.yaml b/stable/haproxy/templates/default-backend-service.yaml new file mode 100644 index 0000000..b3108ad --- /dev/null +++ b/stable/haproxy/templates/default-backend-service.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: http + port: {{ .Values.defaultBackend.service.port }} + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/stable/haproxy/templates/default-backend-serviceaccount.yaml b/stable/haproxy/templates/default-backend-serviceaccount.yaml new file mode 100644 index 0000000..9a5e816 --- /dev/null +++ b/stable/haproxy/templates/default-backend-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/stable/haproxy/values-ironbank.yaml b/stable/haproxy/values-ironbank.yaml new file mode 100644 index 0000000..1663757 --- /dev/null +++ b/stable/haproxy/values-ironbank.yaml @@ -0,0 +1,352 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 # used only for Deployment mode. Unset if also using an HPA + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:1.31.1-musl" + # command: + # - /bin/sh + # - -xc + # - |- + # sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 80 + https: 443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + path: /healthz + periodSeconds: 10 + port: 1042 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + path: /healthz + periodSeconds: 10 + port: 1042 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + + ## Ingress Class used for ingress.class annotation in multi-ingress environments + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: null # typically "haproxy" or null to receive all events + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Ingress TLS secret, if enabled is true and secret is null then controller will use auto-generated secret otherwise provided secret is used + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + defaultTLSSecret: + enabled: true + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 100m + # memory: 64Mi + requests: + cpu: 100m + memory: 64Mi + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: false + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + type: NodePort # can be 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + strategy: {} + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + + +## Default 404 backend +defaultBackend: + name: default-backend + replicaCount: 2 # unset if also using an HPA + + image: + repository: k8s.gcr.io/defaultbackend-amd64 + tag: 1.5 + pullPolicy: IfNotPresent + runAsUser: 65534 + + ## Compute Resources + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 10m + # memory: 16Mi + requests: + cpu: 10m + memory: 16Mi + + ## Listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: 8080 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + service: + ## Service ports + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + port: 8080 + + ## Configure Service Account + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + serviceAccount: + create: true diff --git a/stable/haproxy/values.yaml b/stable/haproxy/values.yaml new file mode 100644 index 0000000..1663757 --- /dev/null +++ b/stable/haproxy/values.yaml @@ -0,0 +1,352 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 # used only for Deployment mode. Unset if also using an HPA + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:1.31.1-musl" + # command: + # - /bin/sh + # - -xc + # - |- + # sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 80 + https: 443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + path: /healthz + periodSeconds: 10 + port: 1042 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + path: /healthz + periodSeconds: 10 + port: 1042 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + + ## Ingress Class used for ingress.class annotation in multi-ingress environments + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: null # typically "haproxy" or null to receive all events + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Ingress TLS secret, if enabled is true and secret is null then controller will use auto-generated secret otherwise provided secret is used + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + defaultTLSSecret: + enabled: true + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 100m + # memory: 64Mi + requests: + cpu: 100m + memory: 64Mi + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: false + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + type: NodePort # can be 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + strategy: {} + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + + +## Default 404 backend +defaultBackend: + name: default-backend + replicaCount: 2 # unset if also using an HPA + + image: + repository: k8s.gcr.io/defaultbackend-amd64 + tag: 1.5 + pullPolicy: IfNotPresent + runAsUser: 65534 + + ## Compute Resources + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 10m + # memory: 16Mi + requests: + cpu: 10m + memory: 16Mi + + ## Listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: 8080 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + service: + ## Service ports + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + port: 8080 + + ## Configure Service Account + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + serviceAccount: + create: true -- GitLab From e9f28ce88f48a1951fca47bef0c9fb2c0dab195d Mon Sep 17 00:00:00 2001 From: Michael Simmons Date: Wed, 12 Aug 2020 08:53:47 -0600 Subject: [PATCH 5/7] restructure --- stable/haproxy/.DS_Store => .DS_Store | Bin 6148 -> 6148 bytes stable/haproxy/Chart.yaml | 35 -- stable/haproxy/IRONBANK.md.gotmpl | 37 -- stable/haproxy/README-original.md | 190 ---------- .../ci/daemonset-customconfig-values.yaml | 4 - .../ci/daemonset-customnodeport-values.yaml | 7 - .../haproxy/ci/daemonset-default-values.yaml | 2 - ...daemonset-disabledsecretconfig-values.yaml | 4 - .../ci/daemonset-enableports-values.yaml | 7 - .../ci/daemonset-extraargs-values.yaml | 4 - .../haproxy/ci/daemonset-hostport-values.yaml | 8 - .../haproxy/ci/daemonset-nodeport-values.yaml | 4 - .../ci/daemonset-publishservice-values.yaml | 5 - .../daemonset-serviceannotation-values.yaml | 5 - .../ci/deployment-customconfig-values.yaml | 3 - .../ci/deployment-customnodeport-values.yaml | 6 - .../haproxy/ci/deployment-default-values.yaml | 1 - ...eployment-disabledsecretconfig-values.yaml | 3 - .../ci/deployment-enableports-values.yaml | 6 - .../ci/deployment-extraargs-values.yaml | 3 - .../ci/deployment-nodeport-values.yaml | 3 - .../ci/deployment-publishservice-values.yaml | 4 - .../ci/deployment-replicacount-unset.yaml | 5 - .../deployment-serviceannotation-values.yaml | 4 - stable/haproxy/templates/NOTES.txt | 67 ---- stable/haproxy/templates/_helpers.tpl | 123 ------ stable/haproxy/templates/clusterrole.yaml | 61 --- .../haproxy/templates/clusterrolebinding.yaml | 37 -- .../templates/controller-configmap.yaml | 34 -- .../templates/controller-daemonset.yaml | 153 -------- .../controller-defaultcertsecret.yaml | 33 -- .../templates/controller-deployment.yaml | 141 ------- .../controller-podsecuritypolicy.yaml | 75 ---- .../templates/controller-pullsecret.yaml | 32 -- stable/haproxy/templates/controller-role.yaml | 38 -- .../templates/controller-rolebinding.yaml | 37 -- .../haproxy/templates/controller-service.yaml | 100 ----- .../templates/controller-serviceaccount.yaml | 29 -- .../templates/default-backend-deployment.yaml | 71 ---- .../default-backend-podsecuritypolicy.yaml | 59 --- .../templates/default-backend-role.yaml | 38 -- .../default-backend-rolebinding.yaml | 37 -- .../templates/default-backend-service.yaml | 38 -- .../default-backend-serviceaccount.yaml | 29 -- stable/haproxy/values-ironbank.yaml | 352 ------------------ stable/haproxy/values.yaml | 352 ------------------ 46 files changed, 2286 deletions(-) rename stable/haproxy/.DS_Store => .DS_Store (73%) delete mode 100644 stable/haproxy/Chart.yaml delete mode 100644 stable/haproxy/IRONBANK.md.gotmpl delete mode 100644 stable/haproxy/README-original.md delete mode 100644 stable/haproxy/ci/daemonset-customconfig-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-customnodeport-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-default-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-enableports-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-extraargs-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-hostport-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-nodeport-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-publishservice-values.yaml delete mode 100644 stable/haproxy/ci/daemonset-serviceannotation-values.yaml delete mode 100644 stable/haproxy/ci/deployment-customconfig-values.yaml delete mode 100644 stable/haproxy/ci/deployment-customnodeport-values.yaml delete mode 100644 stable/haproxy/ci/deployment-default-values.yaml delete mode 100644 stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml delete mode 100644 stable/haproxy/ci/deployment-enableports-values.yaml delete mode 100644 stable/haproxy/ci/deployment-extraargs-values.yaml delete mode 100644 stable/haproxy/ci/deployment-nodeport-values.yaml delete mode 100644 stable/haproxy/ci/deployment-publishservice-values.yaml delete mode 100644 stable/haproxy/ci/deployment-replicacount-unset.yaml delete mode 100644 stable/haproxy/ci/deployment-serviceannotation-values.yaml delete mode 100644 stable/haproxy/templates/NOTES.txt delete mode 100644 stable/haproxy/templates/_helpers.tpl delete mode 100644 stable/haproxy/templates/clusterrole.yaml delete mode 100644 stable/haproxy/templates/clusterrolebinding.yaml delete mode 100644 stable/haproxy/templates/controller-configmap.yaml delete mode 100644 stable/haproxy/templates/controller-daemonset.yaml delete mode 100644 stable/haproxy/templates/controller-defaultcertsecret.yaml delete mode 100644 stable/haproxy/templates/controller-deployment.yaml delete mode 100644 stable/haproxy/templates/controller-podsecuritypolicy.yaml delete mode 100644 stable/haproxy/templates/controller-pullsecret.yaml delete mode 100644 stable/haproxy/templates/controller-role.yaml delete mode 100644 stable/haproxy/templates/controller-rolebinding.yaml delete mode 100644 stable/haproxy/templates/controller-service.yaml delete mode 100644 stable/haproxy/templates/controller-serviceaccount.yaml delete mode 100644 stable/haproxy/templates/default-backend-deployment.yaml delete mode 100644 stable/haproxy/templates/default-backend-podsecuritypolicy.yaml delete mode 100644 stable/haproxy/templates/default-backend-role.yaml delete mode 100644 stable/haproxy/templates/default-backend-rolebinding.yaml delete mode 100644 stable/haproxy/templates/default-backend-service.yaml delete mode 100644 stable/haproxy/templates/default-backend-serviceaccount.yaml delete mode 100644 stable/haproxy/values-ironbank.yaml delete mode 100644 stable/haproxy/values.yaml diff --git a/stable/haproxy/.DS_Store b/.DS_Store similarity index 73% rename from stable/haproxy/.DS_Store rename to .DS_Store index 5663e92392f08e36ce7e0923b62edaadca5ca2b0..321c8077a7aafc3ffb26f6258cdb4b5a438b9893 100644 GIT binary patch delta 525 zcmZ8e%SyvQ6g^3_ofb-4sMVdi5JaRzEOsSWU!Wj}6%|x8V}gyOnVO^qja3(ZfRcr7 zU5VhXAK})WJAcEa-lQVbf#IHWALlT0Z`E7%t|<4V?@x>OrO^QfKmu}rh6cCv1boU^6gBAKoH7)C%K1zJb>a?92sq)5GQ5_;29{98 zBGxFD$UyHJ2u|AMi5I%#-|-;?WN6+XZGkh=@(7o30++ZQt}4UV3Bn##IJq0WTGHS@ zt)5=)yG?GzzHhu~nXad*ACj!}^(T^yrCB#!@VGkShj(Iyq7 delta 315 zcmYk2OH0E*6opTck)}RKQ)5sNN_T>^bnmJU7eTDxMz&o9TLc|;fLYqmuWU+Ex>d4FMCw>nqcQ?q;|g80&}6(IpWvSH5h>jg3?KuUMxjhYda(sQx!-^P z7c-zthjY>$T=J}u8zCkiqtC8VErq8Zgu7p)UvKS5UFT!t&oq&r({E_ zeLQpKL$wm_-p*#7R(Em6_9yF6a@Y1n_I8sOY{%x;@cv^d$7|YpM*fb-Z@q=}2g{2_ AJOBUy diff --git a/stable/haproxy/Chart.yaml b/stable/haproxy/Chart.yaml deleted file mode 100644 index 3528ebb..0000000 --- a/stable/haproxy/Chart.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright 2019 HAProxy Technologies LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -name: kubernetes-ingress -version: 1.4.3 -kubeVersion: ">=1.12.0-0" -description: A Helm chart for HAProxy Kubernetes Ingress Controller -keywords: - - ingress - - haproxy -home: https://github.com/haproxytech/helm-charts/tree/master/kubernetes-ingress -sources: - - https://github.com/haproxytech/kubernetes-ingress -icon: http://www.haproxy.org/img/HAProxyCommunityEdition_60px.png -maintainers: - - name: Moemen Mhedhbi - email: mmhedhbi@haproxy.com - - name: Baptiste Assmann - email: bassmann@haproxy.com - - name: Dinko Korunic - email: dkorunic@haproxy.com -appVersion: 1.4.6 -tillerVersion: ">=2.9.0" diff --git a/stable/haproxy/IRONBANK.md.gotmpl b/stable/haproxy/IRONBANK.md.gotmpl deleted file mode 100644 index ed5f43b..0000000 --- a/stable/haproxy/IRONBANK.md.gotmpl +++ /dev/null @@ -1,37 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.description" . }} - -Version: {{ template "chart.version" . }} - -## Introduction - -This repository tracks the upstream [stable/minio](https://github.com/helm/charts/tree/master/stable/minio) Helm chart. - -A `values-ironbank.yaml` file is included with required parameters for deployment. - -- Uses Ironbank images -- Enables TLS - -Reference the original [README](./README-original.md) for additional instructions. - -## Prerequisites - -* TLS certificate - -``` -kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt -``` - -The `Installation` below shows how to enable TLS with the new certificates. - -> Note the default secretNames defined in the `values-ironbank.yaml` file for certificates - -## Installation - -```shell -helm install ./ --name harbor --set tls.enabled=true,tls.certSecret=tls-ssl-minio -f values-ironbank.yaml -``` - -## Configuration - -{{ template "chart.valuesTable" . }} diff --git a/stable/haproxy/README-original.md b/stable/haproxy/README-original.md deleted file mode 100644 index 73e4e2f..0000000 --- a/stable/haproxy/README-original.md +++ /dev/null @@ -1,190 +0,0 @@ -# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") - -## HAProxy Kubernetes Ingress Controller - -An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. - -Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/hapee/2-0r1/traffic-management/kubernetes-ingress-controller/). - -Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). - -## Introduction - -This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -### Prerequisites - - - Kubernetes 1.12+ - - Helm 2.9+ - -## Before you begin - -### Setup a Kubernetes Cluster - -The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. - -For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). - -### Install Helm - -Get the latest [Helm release](https://github.com/helm/helm#install). - -### Add Helm chart repo - -Once you have Helm installed, add the repo as follows: - -```console -helm repo add haproxytech https://haproxytech.github.io/helm-charts -helm repo update -``` - -## Install the chart - -To install the chart with Helm v3 as *my-release* deployment: - -```console -helm install my-release haproxytech/kubernetes-ingress -``` - -***NOTE***: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: - -```console -helm install haproxytech/kubernetes-ingress \ - --name my-release -``` - -### Installing with unique name - -To auto-generate controller and its resources names when installing, use the following: - -```console -helm install haproxytech/kubernetes-ingress \ - --generate-name -``` - -### Installing from a private registry - -To install the chart using a private registry for controller into a separate namespace *prod*. - -***NOTE***: Helm v3 requires namespace to be precreated (eg. with ```kubectl create namespace prod```) - -```console -helm install my-ingress haproxytech/kubernetes-ingress \ - --namespace prod \ - --set controller.image.tag=SOMETAG \ - --set controller.imageCredentials.registry=myregistry.domain.com \ - --set controller.imageCredentials.username=MYUSERNAME \ - --set controller.imageCredentials.password=MYPASSWORD -``` - -### Installing as DaemonSet - -Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: - -```console -helm install my-ingress2 haproxytech/kubernetes-ingress \ - --set controller.kind=DaemonSet -``` - -### Installing in multi-ingress environment - -It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): - -```console -helm install my-ingress3 haproxytech/kubernetes-ingress \ - --set controller.kind=DaemonSet \ - --set controller.ingressClass=haproxy -``` - -***NOTE***: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. - -### Installing with service annotations - -On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: - -```console -helm install my-ingress3 haproxytech/kubernetes-ingress \ - --set controller.kind=DaemonSet \ - --set controller.ingressClass=haproxy \ - --set controller.service.type=LoadBalancer \ - --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ - --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" -``` - -***NOTE***: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. - -### Installing with Horizontal Pod Autoscaler - -[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count. Therefore we want to unset default replicaCount for controller and defaultBackend by setting corresponding key values to null: - -```console -helm install my-ingress4 haproxytech/kubernetes-ingress \ - --set controller.replicaCount=null \ - --set defaultBackend.replicaCount=null -``` - -### Using values from YAML file - -As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: - -*mylb.yaml*: - -```yaml -controller: - kind: DaemonSet - ingressClass: haproxy - service: - type: LoadBalancer - annotations: - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' - service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 -``` - -And invoking Helm becomes (compare to the previous example): - -```console -helm install my-ingress4 -f mylb.yml haproxytech/kubernetes-ingress -``` - -A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : - -```yaml -controller: - service: - tcpPorts: - - name: mysql - port: 3306 - targetPort: 3306 - extraArgs: - - --configmap-tcp-services=default/tcp -``` - -## Upgrading the chart - -To upgrade the *my-release* deployment: - -```console -helm upgrade my-release haproxytech/kubernetes-ingress -``` - -## Uninstalling the chart - -To uninstall/delete the *my-release* deployment: - -```console -helm delete kubernetes-ingress -``` - -## Debugging - -It is possible to generate a set of YAML files for testing/debugging: - -```console -helm install my-release haproxytech/kubernetes-ingress \ - --debug \ - --dry-run -``` - -## Contributing - -We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/stable/haproxy/ci/daemonset-customconfig-values.yaml b/stable/haproxy/ci/daemonset-customconfig-values.yaml deleted file mode 100644 index 116158a..0000000 --- a/stable/haproxy/ci/daemonset-customconfig-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -controller: - kind: DaemonSet - config: - rate-limit: "ON" diff --git a/stable/haproxy/ci/daemonset-customnodeport-values.yaml b/stable/haproxy/ci/daemonset-customnodeport-values.yaml deleted file mode 100644 index c9de04c..0000000 --- a/stable/haproxy/ci/daemonset-customnodeport-values.yaml +++ /dev/null @@ -1,7 +0,0 @@ -controller: - kind: DaemonSet - service: - type: NodePort - ports: - 8000: 10000 - 8001: 10001 diff --git a/stable/haproxy/ci/daemonset-default-values.yaml b/stable/haproxy/ci/daemonset-default-values.yaml deleted file mode 100644 index ddb2562..0000000 --- a/stable/haproxy/ci/daemonset-default-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -controller: - kind: DaemonSet diff --git a/stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml b/stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml deleted file mode 100644 index 362fbb9..0000000 --- a/stable/haproxy/ci/daemonset-disabledsecretconfig-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -controller: - kind: DaemonSet - defaultTLSSecret: - enabled: false diff --git a/stable/haproxy/ci/daemonset-enableports-values.yaml b/stable/haproxy/ci/daemonset-enableports-values.yaml deleted file mode 100644 index 9a41dac..0000000 --- a/stable/haproxy/ci/daemonset-enableports-values.yaml +++ /dev/null @@ -1,7 +0,0 @@ -controller: - kind: DaemonSet - service: - enablePorts: - http: false - https: true - stat: false diff --git a/stable/haproxy/ci/daemonset-extraargs-values.yaml b/stable/haproxy/ci/daemonset-extraargs-values.yaml deleted file mode 100644 index 691acbc..0000000 --- a/stable/haproxy/ci/daemonset-extraargs-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -controller: - kind: DaemonSet - extraArgs: - - --namespace-whitelist=default diff --git a/stable/haproxy/ci/daemonset-hostport-values.yaml b/stable/haproxy/ci/daemonset-hostport-values.yaml deleted file mode 100644 index 45042ea..0000000 --- a/stable/haproxy/ci/daemonset-hostport-values.yaml +++ /dev/null @@ -1,8 +0,0 @@ -controller: - kind: DaemonSet - daemonset: - useHostPort: true - hostPorts: - http: 80 - https: 443 - stat: 1024 diff --git a/stable/haproxy/ci/daemonset-nodeport-values.yaml b/stable/haproxy/ci/daemonset-nodeport-values.yaml deleted file mode 100644 index ebc8f10..0000000 --- a/stable/haproxy/ci/daemonset-nodeport-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -controller: - kind: DaemonSet - service: - type: NodePort diff --git a/stable/haproxy/ci/daemonset-publishservice-values.yaml b/stable/haproxy/ci/daemonset-publishservice-values.yaml deleted file mode 100644 index b538cb5..0000000 --- a/stable/haproxy/ci/daemonset-publishservice-values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -controller: - kind: DaemonSet - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/stable/haproxy/ci/daemonset-serviceannotation-values.yaml b/stable/haproxy/ci/daemonset-serviceannotation-values.yaml deleted file mode 100644 index b538cb5..0000000 --- a/stable/haproxy/ci/daemonset-serviceannotation-values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -controller: - kind: DaemonSet - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/stable/haproxy/ci/deployment-customconfig-values.yaml b/stable/haproxy/ci/deployment-customconfig-values.yaml deleted file mode 100644 index 12c48d2..0000000 --- a/stable/haproxy/ci/deployment-customconfig-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -controller: - config: - rate-limit: "ON" diff --git a/stable/haproxy/ci/deployment-customnodeport-values.yaml b/stable/haproxy/ci/deployment-customnodeport-values.yaml deleted file mode 100644 index f044362..0000000 --- a/stable/haproxy/ci/deployment-customnodeport-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - service: - type: NodePort - ports: - 8000: 10000 - 8001: 10001 diff --git a/stable/haproxy/ci/deployment-default-values.yaml b/stable/haproxy/ci/deployment-default-values.yaml deleted file mode 100644 index 792d600..0000000 --- a/stable/haproxy/ci/deployment-default-values.yaml +++ /dev/null @@ -1 +0,0 @@ -# diff --git a/stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml b/stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml deleted file mode 100644 index 7676459..0000000 --- a/stable/haproxy/ci/deployment-disabledsecretconfig-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -controller: - defaultTLSSecret: - enabled: false diff --git a/stable/haproxy/ci/deployment-enableports-values.yaml b/stable/haproxy/ci/deployment-enableports-values.yaml deleted file mode 100644 index 03ff297..0000000 --- a/stable/haproxy/ci/deployment-enableports-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - service: - enablePorts: - http: false - https: true - stat: false diff --git a/stable/haproxy/ci/deployment-extraargs-values.yaml b/stable/haproxy/ci/deployment-extraargs-values.yaml deleted file mode 100644 index d0e1dbe..0000000 --- a/stable/haproxy/ci/deployment-extraargs-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -controller: - extraArgs: - - --namespace-whitelist=default diff --git a/stable/haproxy/ci/deployment-nodeport-values.yaml b/stable/haproxy/ci/deployment-nodeport-values.yaml deleted file mode 100644 index ffdc47b..0000000 --- a/stable/haproxy/ci/deployment-nodeport-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -controller: - service: - type: NodePort diff --git a/stable/haproxy/ci/deployment-publishservice-values.yaml b/stable/haproxy/ci/deployment-publishservice-values.yaml deleted file mode 100644 index 6d8bf9b..0000000 --- a/stable/haproxy/ci/deployment-publishservice-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -controller: - kind: DaemonSet - publishService: - enabled: true diff --git a/stable/haproxy/ci/deployment-replicacount-unset.yaml b/stable/haproxy/ci/deployment-replicacount-unset.yaml deleted file mode 100644 index 78ee300..0000000 --- a/stable/haproxy/ci/deployment-replicacount-unset.yaml +++ /dev/null @@ -1,5 +0,0 @@ -controller: - replicaCount: null - -defaultBackend: - replicaCount: null diff --git a/stable/haproxy/ci/deployment-serviceannotation-values.yaml b/stable/haproxy/ci/deployment-serviceannotation-values.yaml deleted file mode 100644 index c103bd6..0000000 --- a/stable/haproxy/ci/deployment-serviceannotation-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -controller: - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/stable/haproxy/templates/NOTES.txt b/stable/haproxy/templates/NOTES.txt deleted file mode 100644 index 522e230..0000000 --- a/stable/haproxy/templates/NOTES.txt +++ /dev/null @@ -1,67 +0,0 @@ -HAProxy Kubernetes Ingress Controller has been successfully installed. - -Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". -Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. -{{- if and .Values.rbac.create}} -RBAC authorization is enabled. -{{- else}} -RBAC authorization is disabled. -{{- end}} -{{- if .Values.controller.ingressClass}} -Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for -Ingress resource. -{{- end}} - -Service ports mapped are: -{{- if eq .Values.controller.kind "Deployment" }} -{{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP -{{- end }} -{{- end }} -{{- if eq .Values.controller.kind "DaemonSet" }} -{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} -{{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - hostPort: {{ index $hostPorts $key | default $value }} -{{- end }} -{{- end }} - -Node IP can be found with: - $ kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" - -The following ingress resource routes traffic to pods that match the following: - * service name: web - * client's Host header: webdemo.com - * path begins with / - - --- - apiVersion: networking.k8s.io/v1beta1 - kind: Ingress - metadata: - name: web-ingress - namespace: default - spec: - rules: - - host: webdemo.com - http: - paths: - - path: / - backend: - serviceName: web - servicePort: 80 - -In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it -with helm chart option controller.ingressClass. - -For more examples and up to date documentation, please visit: - * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/master/kubernetes-ingress - * Controller documentation: https://www.haproxy.com/documentation/hapee/2-0r1/traffic-management/kubernetes-ingress-controller/ - * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation - * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md - - - diff --git a/stable/haproxy/templates/_helpers.tpl b/stable/haproxy/templates/_helpers.tpl deleted file mode 100644 index 23a9063..0000000 --- a/stable/haproxy/templates/_helpers.tpl +++ /dev/null @@ -1,123 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{/* -Expand the name of the chart. -*/}} -{{- define "kubernetes-ingress.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "kubernetes-ingress.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "kubernetes-ingress.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{kubernetes-ingress.publishServicePath{/* -Encode an imagePullSecret string. -*/}} -{{- define "kubernetes-ingress.imagePullSecret" }} -{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} -{{- end }} - -{{/* -Generate default certificate for HAProxy. -*/}} -{{- define "kubernetes-ingress.gen-certs" -}} -{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} -{{- $cn := printf "%s.%s" .Release.Name .Release.Namespace -}} -{{- $cert := genSignedCert $cn nil nil 365 $ca -}} -tls.crt: {{ $cert.Cert | b64enc }} -tls.key: {{ $cert.Key | b64enc }} -{{- end -}} - -{{/* -Create the name of the controller service account to use. -*/}} -{{- define "kubernetes-ingress.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled -*/}} -{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} -{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} - {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.defaultBackend.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified default backend name. -*/}} -{{- define "kubernetes-ingress.defaultBackend.fullname" -}} -{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified default cert secret name. -*/}} -{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} -{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Construct the path for the publish-service. -By default this will use the / matching the controller's service name. -Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` -*/}} -{{- define "kubernetes-ingress.publishServicePath" -}} -{{- $defServicePath := printf "%s/%s" .Release.Namespace (include "kubernetes-ingress.fullname" .) -}} -{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} -{{- print $servicePath | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Construct the syslog-server annotation -*/}} -{{- define "kubernetes-ingress.syslogServer" -}} -{{- range $key, $val := .Values.controller.logging.traffic -}} -{{- printf "%s:%s, " $key $val }} -{{- end -}} -{{- end -}} - -{{/* vim: set filetype=mustache: */}} diff --git a/stable/haproxy/templates/clusterrole.yaml b/stable/haproxy/templates/clusterrole.yaml deleted file mode 100644 index 89cb9f8..0000000 --- a/stable/haproxy/templates/clusterrole.yaml +++ /dev/null @@ -1,61 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - services - - namespaces - - events - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "extensions" - resources: - - ingresses - - ingresses/status - verbs: - - get - - list - - watch - - update -- apiGroups: - - "networking.k8s.io/v1beta1" - resources: - - ingresses - - ingresses/status - verbs: - - get - - list - - watch -{{- end -}} diff --git a/stable/haproxy/templates/clusterrolebinding.yaml b/stable/haproxy/templates/clusterrolebinding.yaml deleted file mode 100644 index cfd2260..0000000 --- a/stable/haproxy/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kubernetes-ingress.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kubernetes-ingress.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} - diff --git a/stable/haproxy/templates/controller-configmap.yaml b/stable/haproxy/templates/controller-configmap.yaml deleted file mode 100644 index 94aa9c5..0000000 --- a/stable/haproxy/templates/controller-configmap.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -data: -{{- if .Values.controller.logging.traffic }} - syslog-server: {{ template "kubernetes-ingress.syslogServer" . }} -{{- end }} -{{- if .Values.controller.config }} -{{ toYaml .Values.controller.config | indent 2 }} -{{- end }} diff --git a/stable/haproxy/templates/controller-daemonset.yaml b/stable/haproxy/templates/controller-daemonset.yaml deleted file mode 100644 index 7260d32..0000000 --- a/stable/haproxy/templates/controller-daemonset.yaml +++ /dev/null @@ -1,153 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if eq .Values.controller.kind "DaemonSet" }} -{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} -{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} -{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -spec: - minReadySeconds: 0 - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.controller.podLabels }} -{{ toYaml .Values.controller.podLabels | indent 8 }} - {{- end }} - {{- if .Values.controller.podAnnotations }} - annotations: -{{ toYaml .Values.controller.podAnnotations | indent 8 }} - {{- end }} - spec: - serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} - {{- if $useHostNetwork }} - hostNetwork: true - {{- end }} -{{- if .Values.controller.imageCredentials.registry }} - imagePullSecrets: - - name: {{ template "kubernetes-ingress.fullname" . }} -{{- end }} - containers: - - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} - image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" - imagePullPolicy: {{ .Values.controller.image.pullPolicy }} - args: -{{- if and .Values.controller.defaultTLSSecret.enabled -}} -{{- if .Values.controller.defaultTLSSecret.secret }} - - --default-ssl-certificate={{ .Values.controller.defaultTLSSecret.secret }} -{{- else }} - - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} -{{- end }} -{{- end }} - - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} - - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} -{{- if .Values.controller.ingressClass }} - - --ingress.class={{ .Values.controller.ingressClass }} -{{- end }} -{{- if .Values.controller.publishService.enabled }} - - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} -{{- end }} -{{- if .Values.controller.logging.level }} - - --log={{ .Values.controller.logging.level }} -{{- end }} -{{- range .Values.controller.extraArgs }} - - {{ . }} -{{- end }} - ports: - {{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- if $useHostPort }} - hostPort: {{ index $hostPorts $key | default $value }} - {{- end }} - {{- end }} - {{- range .Values.controller.service.tcpPorts }} - - name: {{ .name }}-tcp - containerPort: {{ .port }} - protocol: TCP - {{- if $useHostPort }} - hostPort: {{ .port }} - {{- end }} - {{- end }} - livenessProbe: - failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} - httpGet: - path: {{ .Values.controller.livenessProbe.path }} - port: {{ .Values.controller.livenessProbe.port }} - scheme: {{ .Values.controller.livenessProbe.scheme }} - initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} - successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} - timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} - readinessProbe: - failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} - httpGet: - path: {{ .Values.controller.readinessProbe.path }} - port: {{ .Values.controller.readinessProbe.port }} - scheme: {{ .Values.controller.readinessProbe.scheme }} - initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} - successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} - timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {{- toYaml .Values.controller.resources | nindent 12 }} - {{- with.Values.controller.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.controller.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.controller.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.controller.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/stable/haproxy/templates/controller-defaultcertsecret.yaml b/stable/haproxy/templates/controller-defaultcertsecret.yaml deleted file mode 100644 index bb97b1e..0000000 --- a/stable/haproxy/templates/controller-defaultcertsecret.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -type: kubernetes.io/tls -metadata: - name: {{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - annotations: - "helm.sh/hook": "pre-install" - "helm.sh/hook-delete-policy": "before-hook-creation" -data: -{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} diff --git a/stable/haproxy/templates/controller-deployment.yaml b/stable/haproxy/templates/controller-deployment.yaml deleted file mode 100644 index 7fd2aae..0000000 --- a/stable/haproxy/templates/controller-deployment.yaml +++ /dev/null @@ -1,141 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if eq .Values.controller.kind "Deployment" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -spec: - {{- if not ( kindIs "invalid" .Values.controller.replicaCount) }} - replicas: {{ .Values.controller.replicaCount }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.controller.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.controller.podLabels }} -{{ toYaml .Values.controller.podLabels | indent 8 }} - {{- end }} - {{- if .Values.controller.podAnnotations }} - annotations: -{{ toYaml .Values.controller.podAnnotations | indent 8 }} - {{- end }} - spec: - serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} -{{- if .Values.controller.imageCredentials.registry }} - imagePullSecrets: - - name: {{ template "kubernetes-ingress.fullname" . }} -{{- end }} - containers: - - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} - image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" - imagePullPolicy: {{ .Values.controller.image.pullPolicy }} - args: -{{- if .Values.controller.defaultTLSSecret.secret }} - - --default-ssl-certificate={{ .Values.controller.defaultTLSSecret.secret }} -{{- else }} - - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} -{{- end }} - - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} - - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} -{{- if .Values.controller.ingressClass }} - - --ingress.class={{ .Values.controller.ingressClass }} -{{- end }} -{{- if .Values.controller.publishService.enabled }} - - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} -{{- end }} -{{- if .Values.controller.logging.level }} - - --log={{ .Values.controller.logging.level }} -{{- end }} -{{- range .Values.controller.extraArgs }} - - {{ . }} -{{- end }} - ports: - {{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- end }} - {{- range .Values.controller.service.tcpPorts }} - - name: {{ .name }}-tcp - containerPort: {{ .port }} - protocol: TCP - {{- end }} - livenessProbe: - failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} - httpGet: - path: {{ .Values.controller.livenessProbe.path }} - port: {{ .Values.controller.livenessProbe.port }} - scheme: {{ .Values.controller.livenessProbe.scheme }} - initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} - successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} - timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} - readinessProbe: - failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} - httpGet: - path: {{ .Values.controller.readinessProbe.path }} - port: {{ .Values.controller.readinessProbe.port }} - scheme: {{ .Values.controller.readinessProbe.scheme }} - initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} - successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} - timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {{- toYaml .Values.controller.resources | nindent 12 }} - {{- with.Values.controller.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.controller.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.controller.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.controller.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/stable/haproxy/templates/controller-podsecuritypolicy.yaml b/stable/haproxy/templates/controller-podsecuritypolicy.yaml deleted file mode 100644 index 77d220f..0000000 --- a/stable/haproxy/templates/controller-podsecuritypolicy.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} -{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} -{{- $useHostPort := .Values.controller.daemonset.useHostPort }} -{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.podSecurityPolicy.annotations }} - annotations: -{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} -{{- end }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - name: {{ template "kubernetes-ingress.fullname" . }} -spec: - allowPrivilegeEscalation: false - allowedCapabilities: - - NET_BIND_SERVICE - defaultAllowPrivilegeEscalation: false - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs -{{- if $useHostNetwork }} - hostNetwork: true -{{- end }} -{{- if or $useHostPort $useHostNetwork }} - hostPorts: -{{- range $key, $value := .Values.controller.containerPort }} - - min: {{ $value }} - max: {{ $value }} -{{- end }} -{{- range .Values.controller.service.tcpPorts }} - - min: {{ .port }} - max: {{ .port }} -{{- end }} -{{- end }} - hostIPC: false - hostPID: false - privileged: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - downwardAPI - - secret -{{- end }} diff --git a/stable/haproxy/templates/controller-pullsecret.yaml b/stable/haproxy/templates/controller-pullsecret.yaml deleted file mode 100644 index 8825239..0000000 --- a/stable/haproxy/templates/controller-pullsecret.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.controller.imageCredentials.registry }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: {{ template "kubernetes-ingress.imagePullSecret" . }} -{{- end }} diff --git a/stable/haproxy/templates/controller-role.yaml b/stable/haproxy/templates/controller-role.yaml deleted file mode 100644 index 3e41df6..0000000 --- a/stable/haproxy/templates/controller-role.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -rules: -- apiGroups: - - "policy" - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - {{ template "kubernetes-ingress.fullname" . }} -{{- end -}} diff --git a/stable/haproxy/templates/controller-rolebinding.yaml b/stable/haproxy/templates/controller-rolebinding.yaml deleted file mode 100644 index 40404a4..0000000 --- a/stable/haproxy/templates/controller-rolebinding.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kubernetes-ingress.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kubernetes-ingress.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/stable/haproxy/templates/controller-service.yaml b/stable/haproxy/templates/controller-service.yaml deleted file mode 100644 index 2fa1641..0000000 --- a/stable/haproxy/templates/controller-service.yaml +++ /dev/null @@ -1,100 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kubernetes-ingress.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -{{- if .Values.controller.service.labels }} -{{ toYaml .Values.controller.service.labels | indent 4 }} -{{- end }} - annotations: -{{- range $key, $value := .Values.controller.service.annotations }} - {{ $key }}: {{ $value | quote }} -{{- end }} -spec: - {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} - type: {{ .Values.controller.service.type }} - {{- if .Values.controller.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} - {{- end }} - {{- if .Values.controller.service.healthCheckNodePort }} - healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} - {{- end }} - ports: - {{- if .Values.controller.service.enablePorts.http }} - - name: http - port: {{ .Values.controller.service.ports.http }} - protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.http }} - {{- if .Values.controller.service.nodePorts.http }} - nodePort: {{ .Values.controller.service.nodePorts.http }} - {{- end }} - {{- end }} - {{- if .Values.controller.service.enablePorts.https }} - - name: https - port: {{ .Values.controller.service.ports.https }} - protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.https }} - {{- if .Values.controller.service.nodePorts.https }} - nodePort: {{ .Values.controller.service.nodePorts.https }} - {{- end }} - {{- end }} - {{- if .Values.controller.service.enablePorts.stat }} - - name: stat - port: {{ .Values.controller.service.ports.stat }} - protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.stat }} - {{- if .Values.controller.service.nodePorts.stat }} - nodePort: {{ .Values.controller.service.nodePorts.stat }} - {{- end }} - {{- end }} - {{- range .Values.controller.service.tcpPorts }} - - name: {{ .name }}-tcp - port: {{ .port }} - protocol: TCP - targetPort: {{ .targetPort }} - {{- if .nodePort }} - nodePort: {{ .nodePort }} - {{- end }} - {{- end }} - selector: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.controller.service.sessionAffinity }} - sessionAffinity: {{ .Values.controller.service.sessionAffinity }} - {{- end }} - externalIPs: -{{- if .Values.controller.service.externalIPs }} -{{ toYaml .Values.controller.service.externalIPs | indent 4 }} -{{- end -}} -{{- if (eq .Values.controller.service.type "LoadBalancer") }} -{{- if .Values.controller.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" -{{- end }} -{{- if .Values.controller.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- end }} - diff --git a/stable/haproxy/templates/controller-serviceaccount.yaml b/stable/haproxy/templates/controller-serviceaccount.yaml deleted file mode 100644 index c907109..0000000 --- a/stable/haproxy/templates/controller-serviceaccount.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if or .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kubernetes-ingress.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -{{- end -}} diff --git a/stable/haproxy/templates/default-backend-deployment.yaml b/stable/haproxy/templates/default-backend-deployment.yaml deleted file mode 100644 index 3dd04e0..0000000 --- a/stable/haproxy/templates/default-backend-deployment.yaml +++ /dev/null @@ -1,71 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -spec: - {{- if not (kindIs "invalid" .Values.defaultBackend.replicaCount) }} - replicas: {{ .Values.defaultBackend.replicaCount }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.defaultBackend.podLabels }} -{{ toYaml .Values.defaultBackend.podLabels | indent 8 }} - {{- end }} - {{- if .Values.defaultBackend.podAnnotations }} - annotations: -{{ toYaml .Values.defaultBackend.podAnnotations | indent 8 }} - {{- end }} - spec: - containers: - - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.defaultBackend.name }} - image: "{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}" - imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} - ports: - - name: http - containerPort: {{ .Values.defaultBackend.containerPort }} - protocol: TCP - resources: - {{- toYaml .Values.defaultBackend.resources | nindent 12 }} - {{- with .Values.defaultBackend.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.defaultBackend.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }} - {{- with .Values.defaultBackend.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/stable/haproxy/templates/default-backend-podsecuritypolicy.yaml b/stable/haproxy/templates/default-backend-podsecuritypolicy.yaml deleted file mode 100644 index a31d60e..0000000 --- a/stable/haproxy/templates/default-backend-podsecuritypolicy.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.podSecurityPolicy.annotations }} - annotations: -{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} -{{- end }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} -spec: - allowPrivilegeEscalation: false - allowedCapabilities: - - NET_BIND_SERVICE - defaultAllowPrivilegeEscalation: false - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - hostNetwork: false - hostIPC: false - hostPID: false - privileged: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - downwardAPI - - secret -{{- end }} diff --git a/stable/haproxy/templates/default-backend-role.yaml b/stable/haproxy/templates/default-backend-role.yaml deleted file mode 100644 index 8ca2416..0000000 --- a/stable/haproxy/templates/default-backend-role.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -rules: -- apiGroups: - - "policy" - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - {{ template "kubernetes-ingress.defaultBackend.fullname" . }} -{{- end -}} diff --git a/stable/haproxy/templates/default-backend-rolebinding.yaml b/stable/haproxy/templates/default-backend-rolebinding.yaml deleted file mode 100644 index a27f804..0000000 --- a/stable/haproxy/templates/default-backend-rolebinding.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/stable/haproxy/templates/default-backend-service.yaml b/stable/haproxy/templates/default-backend-service.yaml deleted file mode 100644 index b3108ad..0000000 --- a/stable/haproxy/templates/default-backend-service.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -spec: - type: ClusterIP - clusterIP: None - ports: - - name: http - port: {{ .Values.defaultBackend.service.port }} - protocol: TCP - targetPort: http - selector: - app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/stable/haproxy/templates/default-backend-serviceaccount.yaml b/stable/haproxy/templates/default-backend-serviceaccount.yaml deleted file mode 100644 index 9a5e816..0000000 --- a/stable/haproxy/templates/default-backend-serviceaccount.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -Copyright 2019 HAProxy Technologies LLC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} - helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} -{{- end -}} diff --git a/stable/haproxy/values-ironbank.yaml b/stable/haproxy/values-ironbank.yaml deleted file mode 100644 index 1663757..0000000 --- a/stable/haproxy/values-ironbank.yaml +++ /dev/null @@ -1,352 +0,0 @@ -# Copyright 2019 HAProxy Technologies LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller -## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation - -podSecurityPolicy: - annotations: {} - ## Specify pod annotations - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl - ## - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default - # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default - enabled: false - -## Enable RBAC Authorization -## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ -rbac: - create: true - - -## Configure Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -serviceAccount: - create: true - name: - - -## Controller default values -controller: - name: controller - image: - repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images - tag: "{{ .Chart.AppVersion }}" - pullPolicy: IfNotPresent - - ## Deployment or DaemonSet pod mode - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ - kind: Deployment # can be 'Deployment' or 'DaemonSet' - replicaCount: 2 # used only for Deployment mode. Unset if also using an HPA - - ## Init Containers - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - initContainers: [] - # - name: sysctl - # image: "busybox:1.31.1-musl" - # command: - # - /bin/sh - # - -xc - # - |- - # sysctl -w net.core.somaxconn=65536 - # securityContext: - # privileged: true - - ## Private Registry configuration - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - imageCredentials: - registry: null - username: null - password: null - - ## Controller Container listener port configuration - ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ - containerPort: - http: 80 - https: 443 - stat: 1024 - - ## Controller Container liveness/readiness probe configuration - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 0 - path: /healthz - periodSeconds: 10 - port: 1042 - scheme: HTTP - successThreshold: 1 - timeoutSeconds: 1 - - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 0 - path: /healthz - periodSeconds: 10 - port: 1042 - scheme: HTTP - successThreshold: 1 - timeoutSeconds: 1 - - ## Ingress Class used for ingress.class annotation in multi-ingress environments - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers - ingressClass: null # typically "haproxy" or null to receive all events - - ## Additional labels to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - podLabels: {} - # key: value - - ## Additional annotations to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: {} - # key: value - - ## Ingress TLS secret, if enabled is true and secret is null then controller will use auto-generated secret otherwise provided secret is used - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - defaultTLSSecret: - enabled: true - secret: null - - ## Compute Resources for controller container - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - resources: - # limits: - # cpu: 100m - # memory: 64Mi - requests: - cpu: 100m - memory: 64Mi - - ## Pod Node assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - nodeSelector: {} - - ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - ## Node Affinity for pod-node scheduling constraints - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - affinity: {} - - ## Additional command line arguments to pass to Controller - ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md - extraArgs: [] - # - --namespace-whitelist=default - # - --namespace-whitelist=namespace1 - # - --namespace-blacklist=namespace2 - - ## Custom configuration for Controller - ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation - config: {} - # timeout-connect: "250ms" - # servers-increment: "10" - # servers-increment-max-disabled: "10" - # rate-limit: "ON" - # rate-limit-expire: "1m" - # rate-limit-interval: "10s" - # rate-limit-size: "100k" - - ## Controller Logging configuration - logging: - ## Controller logging level - ## This only relevant to Controller logs - level: info - - ## HAProxy traffic logs - ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging - traffic: {} - # address: "stdout" - # format: "raw" - # facility: "daemon" - - ## Mirrors the address of the service's endpoints to the - ## load-balancer status of all Ingress objects it satisfies. - publishService: - enabled: false - ## - ## Override of the publish service - ## Must be / - pathOverride: "" - - ## Controller Service configuration - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - service: - type: NodePort # can be 'NodePort' or 'LoadBalancer' - - ## Service annotations - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - annotations: {} - - ## Service labels - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - labels: {} - - ## Health check node port - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - healthCheckNodePort: 0 - - ## Service nodePorts to use for http, https and stat - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ## If empty, random ports will be used - nodePorts: {} - # http: 31080 - # https: 31443 - # stat: 31024 - - ## Service ports to use for http, https and stat - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ports: - http: 80 - https: 443 - stat: 1024 - - ## The controller service ports for http, https and stat can be disabled by - ## setting below to false - this could be useful when only deploying haproxy - ## as a TCP loadbalancer - ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled - enablePorts: - http: true - https: true - stat: true - - ## Target port mappings for http, https and stat - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - targetPorts: - http: http - https: https - stat: stat - - ## Additional tcp ports to expose - ## This is especially useful for TCP services: - ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md - tcpPorts: [] - # - name: http-alt - # port: 8080 - # targetPort: http-alt - # nodePort: 32080 - - ## Set external traffic policy - ## Default is "Cluster", setting it to "Local" preserves source IP - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "Local" - - ## Expose service via external IPs that route to one or more cluster nodes - externalIPs: [] - - ## LoadBalancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - loadBalancerIP: "" - - ## Source IP ranges permitted to access Network Load Balancer - # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - loadBalancerSourceRanges: [] - - ## Service ClusterIP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - # clusterIP: "" - - ## Service session affinity - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - # sessionAffinity: "" - - ## Controller DaemonSet configuration - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ - daemonset: - useHostNetwork: false - useHostPort: false - hostPorts: - http: 80 - https: 443 - stat: 1024 - - ## Controller deployment strategy definition - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - strategy: {} - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% - # type: RollingUpdate - - -## Default 404 backend -defaultBackend: - name: default-backend - replicaCount: 2 # unset if also using an HPA - - image: - repository: k8s.gcr.io/defaultbackend-amd64 - tag: 1.5 - pullPolicy: IfNotPresent - runAsUser: 65534 - - ## Compute Resources - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - resources: - # limits: - # cpu: 10m - # memory: 16Mi - requests: - cpu: 10m - memory: 16Mi - - ## Listener port configuration - ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ - containerPort: 8080 - - ## Pod Node assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - nodeSelector: {} - - ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - ## Node Affinity for pod-node scheduling constraints - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - affinity: {} - - ## Additional labels to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - podLabels: {} - # key: value - - ## Additional annotations to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: {} - # key: value - - service: - ## Service ports - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - port: 8080 - - ## Configure Service Account - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - serviceAccount: - create: true diff --git a/stable/haproxy/values.yaml b/stable/haproxy/values.yaml deleted file mode 100644 index 1663757..0000000 --- a/stable/haproxy/values.yaml +++ /dev/null @@ -1,352 +0,0 @@ -# Copyright 2019 HAProxy Technologies LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller -## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation - -podSecurityPolicy: - annotations: {} - ## Specify pod annotations - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl - ## - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default - # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default - enabled: false - -## Enable RBAC Authorization -## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ -rbac: - create: true - - -## Configure Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -serviceAccount: - create: true - name: - - -## Controller default values -controller: - name: controller - image: - repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images - tag: "{{ .Chart.AppVersion }}" - pullPolicy: IfNotPresent - - ## Deployment or DaemonSet pod mode - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ - kind: Deployment # can be 'Deployment' or 'DaemonSet' - replicaCount: 2 # used only for Deployment mode. Unset if also using an HPA - - ## Init Containers - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - initContainers: [] - # - name: sysctl - # image: "busybox:1.31.1-musl" - # command: - # - /bin/sh - # - -xc - # - |- - # sysctl -w net.core.somaxconn=65536 - # securityContext: - # privileged: true - - ## Private Registry configuration - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - imageCredentials: - registry: null - username: null - password: null - - ## Controller Container listener port configuration - ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ - containerPort: - http: 80 - https: 443 - stat: 1024 - - ## Controller Container liveness/readiness probe configuration - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 0 - path: /healthz - periodSeconds: 10 - port: 1042 - scheme: HTTP - successThreshold: 1 - timeoutSeconds: 1 - - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 0 - path: /healthz - periodSeconds: 10 - port: 1042 - scheme: HTTP - successThreshold: 1 - timeoutSeconds: 1 - - ## Ingress Class used for ingress.class annotation in multi-ingress environments - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers - ingressClass: null # typically "haproxy" or null to receive all events - - ## Additional labels to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - podLabels: {} - # key: value - - ## Additional annotations to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: {} - # key: value - - ## Ingress TLS secret, if enabled is true and secret is null then controller will use auto-generated secret otherwise provided secret is used - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - defaultTLSSecret: - enabled: true - secret: null - - ## Compute Resources for controller container - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - resources: - # limits: - # cpu: 100m - # memory: 64Mi - requests: - cpu: 100m - memory: 64Mi - - ## Pod Node assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - nodeSelector: {} - - ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - ## Node Affinity for pod-node scheduling constraints - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - affinity: {} - - ## Additional command line arguments to pass to Controller - ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md - extraArgs: [] - # - --namespace-whitelist=default - # - --namespace-whitelist=namespace1 - # - --namespace-blacklist=namespace2 - - ## Custom configuration for Controller - ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation - config: {} - # timeout-connect: "250ms" - # servers-increment: "10" - # servers-increment-max-disabled: "10" - # rate-limit: "ON" - # rate-limit-expire: "1m" - # rate-limit-interval: "10s" - # rate-limit-size: "100k" - - ## Controller Logging configuration - logging: - ## Controller logging level - ## This only relevant to Controller logs - level: info - - ## HAProxy traffic logs - ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging - traffic: {} - # address: "stdout" - # format: "raw" - # facility: "daemon" - - ## Mirrors the address of the service's endpoints to the - ## load-balancer status of all Ingress objects it satisfies. - publishService: - enabled: false - ## - ## Override of the publish service - ## Must be / - pathOverride: "" - - ## Controller Service configuration - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - service: - type: NodePort # can be 'NodePort' or 'LoadBalancer' - - ## Service annotations - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - annotations: {} - - ## Service labels - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - labels: {} - - ## Health check node port - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - healthCheckNodePort: 0 - - ## Service nodePorts to use for http, https and stat - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ## If empty, random ports will be used - nodePorts: {} - # http: 31080 - # https: 31443 - # stat: 31024 - - ## Service ports to use for http, https and stat - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ports: - http: 80 - https: 443 - stat: 1024 - - ## The controller service ports for http, https and stat can be disabled by - ## setting below to false - this could be useful when only deploying haproxy - ## as a TCP loadbalancer - ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled - enablePorts: - http: true - https: true - stat: true - - ## Target port mappings for http, https and stat - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - targetPorts: - http: http - https: https - stat: stat - - ## Additional tcp ports to expose - ## This is especially useful for TCP services: - ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md - tcpPorts: [] - # - name: http-alt - # port: 8080 - # targetPort: http-alt - # nodePort: 32080 - - ## Set external traffic policy - ## Default is "Cluster", setting it to "Local" preserves source IP - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "Local" - - ## Expose service via external IPs that route to one or more cluster nodes - externalIPs: [] - - ## LoadBalancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - loadBalancerIP: "" - - ## Source IP ranges permitted to access Network Load Balancer - # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - loadBalancerSourceRanges: [] - - ## Service ClusterIP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - # clusterIP: "" - - ## Service session affinity - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - # sessionAffinity: "" - - ## Controller DaemonSet configuration - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ - daemonset: - useHostNetwork: false - useHostPort: false - hostPorts: - http: 80 - https: 443 - stat: 1024 - - ## Controller deployment strategy definition - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - strategy: {} - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% - # type: RollingUpdate - - -## Default 404 backend -defaultBackend: - name: default-backend - replicaCount: 2 # unset if also using an HPA - - image: - repository: k8s.gcr.io/defaultbackend-amd64 - tag: 1.5 - pullPolicy: IfNotPresent - runAsUser: 65534 - - ## Compute Resources - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - resources: - # limits: - # cpu: 10m - # memory: 16Mi - requests: - cpu: 10m - memory: 16Mi - - ## Listener port configuration - ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ - containerPort: 8080 - - ## Pod Node assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - nodeSelector: {} - - ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - ## Node Affinity for pod-node scheduling constraints - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - affinity: {} - - ## Additional labels to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - podLabels: {} - # key: value - - ## Additional annotations to add to the pod container metadata - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: {} - # key: value - - service: - ## Service ports - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - port: 8080 - - ## Configure Service Account - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - serviceAccount: - create: true -- GitLab From 7a41e24ad8d242972adf4c2503a4279e2e960249 Mon Sep 17 00:00:00 2001 From: Michael Simmons Date: Wed, 12 Aug 2020 08:59:28 -0600 Subject: [PATCH 6/7] Merged values --- stable/cert-manager/README.md | 9 ++++++--- stable/cert-manager/values-ironbank.yaml | 4 ++++ stable/cert-manager/values.yaml | 2 +- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/stable/cert-manager/README.md b/stable/cert-manager/README.md index d3735e6..063f301 100644 --- a/stable/cert-manager/README.md +++ b/stable/cert-manager/README.md @@ -34,7 +34,8 @@ helm install ./ --generate-name --namespace cert-manager -f values-ironbank.yaml | cainjector.enabled | bool | `true` | | | cainjector.extraArgs | list | `[]` | | | cainjector.image.pullPolicy | string | `"IfNotPresent"` | | -| cainjector.image.repository | string | `"quay.io/jetstack/cert-manager-cainjector"` | | +| cainjector.image.repository | string | `"registry1.dsop.io/jetstack/cert-manager-cainjector"` | | +| cainjector.image.tag | string | `"v0.11.0"` | | | cainjector.nodeSelector | object | `{}` | | | cainjector.replicaCount | int | `1` | | | cainjector.resources | object | `{}` | | @@ -55,7 +56,8 @@ helm install ./ --generate-name --namespace cert-manager -f values-ironbank.yaml | global.priorityClassName | string | `""` | | | global.rbac.create | bool | `true` | | | image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"quay.io/jetstack/cert-manager-controller"` | | +| image.repository | string | `"registry1.dsop.io/jetstack/cert-manager-controller"` | | +| image.tag | string | `"v0.11.0"` | | | ingressShim | object | `{}` | | | installCRDs | bool | `false` | | | nodeSelector | object | `{}` | | @@ -81,7 +83,8 @@ helm install ./ --generate-name --namespace cert-manager -f values-ironbank.yaml | webhook.extraArgs | list | `[]` | | | webhook.hostNetwork | bool | `false` | | | webhook.image.pullPolicy | string | `"IfNotPresent"` | | -| webhook.image.repository | string | `"quay.io/jetstack/cert-manager-webhook"` | | +| webhook.image.repository | string | `"registry1.dsop.io/jetstack/cert-manager-webhook"` | | +| webhook.image.tag | string | `"v0.11.0"` | | | webhook.nodeSelector | object | `{}` | | | webhook.replicaCount | int | `1` | | | webhook.resources | object | `{}` | | diff --git a/stable/cert-manager/values-ironbank.yaml b/stable/cert-manager/values-ironbank.yaml index 34cd158..2487875 100644 --- a/stable/cert-manager/values-ironbank.yaml +++ b/stable/cert-manager/values-ironbank.yaml @@ -1,3 +1,7 @@ +global: + podSecurityPolicy: + enabled: true + useAppArmor: true image: repository: registry1.dsop.io/jetstack/cert-manager-controller diff --git a/stable/cert-manager/values.yaml b/stable/cert-manager/values.yaml index b06d2ae..7992570 100644 --- a/stable/cert-manager/values.yaml +++ b/stable/cert-manager/values.yaml @@ -14,7 +14,7 @@ global: create: true podSecurityPolicy: - enabled: false + enabled: true useAppArmor: true # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. -- GitLab From ece3a9b08ad5370faacddc9c439b85a0917a19ea Mon Sep 17 00:00:00 2001 From: Michael Simmons Date: Wed, 12 Aug 2020 09:00:43 -0600 Subject: [PATCH 7/7] Removed .DS_Store --- .DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 321c8077a7aafc3ffb26f6258cdb4b5a438b9893..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKO>Wab6n@i&)Cr2n0#TOUAhD>TL{xNvDw#B0bb*90f(4+~gDqm@dMewgRnj1D zI0L-`C*cSjgag1gKdEX5b_h{4Pn!AO%)D>L?~7(8Lqu#m3r9qKB63h9wz{Z(VRBrS z6Yd~j;ndqH=$^716wrPsE466ys>ap~w5!<0>v`>#|LQjALoGW32@uk7& zVde;5CFm5Z6z~W1o^rI)22-weaV4WRq6%<0GK%W4Y_qXSEtZ%02~SkMU-?NA=f!aN zjjgS>ZnQTXr|Wck-8cSJlztHuvwR$6uVm|KP)xb;p9_&(`T>6tN9AGv_MS+KAWox9 zk>fBz$m^GJ8j5l(W@(tKd3-(KI31^R*uOKM54YUy?a^Y(o$u^O|G~q>qT_7d8|@w( z9iM%epD#XsMmjKt<67A*gG;!8Q%mvG&(cJs@6f;GEMqNRa|O%~>fF5MdDzdl3RngH zyaMuka8V?B1}lx~=s=~O0KgWymBE*93CVE{dIl?v7=bZO1!^iYPYkB%=yy$=XRy+! z>BP+AgPE0?d7&`1I_7s(I5AJ7t*ru9fw}_gy4jca|Niga|8D|CIu)HSs57 zq-5^amE`1I>!KW?NRx4uMnyqou4CoMtN1R8GK{&>0eS{2jp%{dKLSbyTUiDEsscX& D)zqQL -- GitLab